1 /*
2 * mod_authn_ldap - HTTP Auth LDAP backend
3 *
4 * Fully-rewritten from original
5 * Copyright(c) 2016 Glenn Strauss gstrauss()gluelogic.com All rights reserved
6 * License: BSD 3-clause (same as lighttpd)
7 */
8 #include "first.h"
9
10 #include <stdlib.h>
11 #include <string.h>
12
13 #include <ldap.h>
14
15 #include "mod_auth_api.h"
16 #include "base.h"
17 #include "log.h"
18 #include "plugin.h"
19
20 typedef struct {
21 LDAP *ldap;
22 log_error_st *errh;
23 const char *auth_ldap_hostname;
24 const char *auth_ldap_binddn;
25 const char *auth_ldap_bindpw;
26 const char *auth_ldap_cafile;
27 int auth_ldap_starttls;
28 struct timeval auth_ldap_timeout;
29 } plugin_config_ldap;
30
31 typedef struct {
32 plugin_config_ldap *ldc;
33 const char *auth_ldap_basedn;
34 const buffer *auth_ldap_filter;
35 const buffer *auth_ldap_groupmember;
36 int auth_ldap_allow_empty_pw;
37
38 int auth_ldap_starttls;
39 const char *auth_ldap_binddn;
40 const char *auth_ldap_bindpw;
41 const char *auth_ldap_cafile;
42 } plugin_config;
43
44 typedef struct {
45 PLUGIN_DATA;
46 plugin_config defaults;
47 plugin_config conf;
48
49 buffer ldap_filter;
50 } plugin_data;
51
52 static const char *default_cafile;
53
54 static handler_t mod_authn_ldap_basic(request_st * const r, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
55
INIT_FUNC(mod_authn_ldap_init)56 INIT_FUNC(mod_authn_ldap_init) {
57 static http_auth_backend_t http_auth_backend_ldap =
58 { "ldap", mod_authn_ldap_basic, NULL, NULL };
59 plugin_data *p = ck_calloc(1, sizeof(*p));
60
61 /* register http_auth_backend_ldap */
62 http_auth_backend_ldap.p_d = p;
63 http_auth_backend_set(&http_auth_backend_ldap);
64
65 return p;
66 }
67
FREE_FUNC(mod_authn_ldap_free)68 FREE_FUNC(mod_authn_ldap_free) {
69 plugin_data * const p = p_d;
70 if (NULL == p->cvlist) return;
71 /* (init i to 0 if global context; to 1 to skip empty global context) */
72 for (int i = !p->cvlist[0].v.u2[1], used = p->nconfig; i < used; ++i) {
73 config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
74 for (; -1 != cpv->k_id; ++cpv) {
75 switch (cpv->k_id) {
76 case 0: /* auth.backend.ldap.hostname */
77 if (cpv->vtype == T_CONFIG_LOCAL) {
78 plugin_config_ldap *s = cpv->v.v;
79 if (NULL != s->ldap) ldap_unbind_ext_s(s->ldap, NULL, NULL);
80 free(s);
81 }
82 break;
83 default:
84 break;
85 }
86 }
87 }
88
89 free(p->ldap_filter.ptr);
90 default_cafile = NULL;
91 }
92
mod_authn_ldap_merge_config_cpv(plugin_config * const pconf,const config_plugin_value_t * const cpv)93 static void mod_authn_ldap_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
94 switch (cpv->k_id) { /* index into static config_plugin_keys_t cpk[] */
95 case 0: /* auth.backend.ldap.hostname */
96 if (cpv->vtype == T_CONFIG_LOCAL)
97 pconf->ldc = cpv->v.v;
98 break;
99 case 1: /* auth.backend.ldap.base-dn */
100 if (cpv->vtype == T_CONFIG_LOCAL)
101 pconf->auth_ldap_basedn = cpv->v.v;
102 break;
103 case 2: /* auth.backend.ldap.filter */
104 pconf->auth_ldap_filter = cpv->v.v;
105 break;
106 case 3: /* auth.backend.ldap.ca-file */
107 pconf->auth_ldap_cafile = cpv->v.v;
108 break;
109 case 4: /* auth.backend.ldap.starttls */
110 pconf->auth_ldap_starttls = (int)cpv->v.u;
111 break;
112 case 5: /* auth.backend.ldap.bind-dn */
113 pconf->auth_ldap_binddn = cpv->v.v;
114 break;
115 case 6: /* auth.backend.ldap.bind-pw */
116 pconf->auth_ldap_bindpw = cpv->v.v;
117 break;
118 case 7: /* auth.backend.ldap.allow-empty-pw */
119 pconf->auth_ldap_allow_empty_pw = (int)cpv->v.u;
120 break;
121 case 8: /* auth.backend.ldap.groupmember */
122 pconf->auth_ldap_groupmember = cpv->v.b;
123 break;
124 case 9: /* auth.backend.ldap.timeout */
125 /*(not implemented as any-scope override;
126 * supported in same scope as auth.backend.ldap.hostname)*/
127 /*pconf->auth_ldap_timeout = cpv->v.b;*/
128 break;
129 default:/* should not happen */
130 return;
131 }
132 }
133
mod_authn_ldap_merge_config(plugin_config * const pconf,const config_plugin_value_t * cpv)134 static void mod_authn_ldap_merge_config(plugin_config * const pconf, const config_plugin_value_t *cpv) {
135 do {
136 mod_authn_ldap_merge_config_cpv(pconf, cpv);
137 } while ((++cpv)->k_id != -1);
138 }
139
mod_authn_ldap_patch_config(request_st * const r,plugin_data * const p)140 static void mod_authn_ldap_patch_config(request_st * const r, plugin_data * const p) {
141 memcpy(&p->conf, &p->defaults, sizeof(plugin_config));
142 for (int i = 1, used = p->nconfig; i < used; ++i) {
143 if (config_check_cond(r, (uint32_t)p->cvlist[i].k_id))
144 mod_authn_ldap_merge_config(&p->conf,
145 p->cvlist + p->cvlist[i].v.u2[0]);
146 }
147 }
148
149 /*(copied from mod_vhostdb_ldap.c)*/
mod_authn_add_scheme(server * srv,buffer * host)150 static void mod_authn_add_scheme (server *srv, buffer *host)
151 {
152 if (!buffer_is_blank(host)) {
153 /* reformat hostname(s) as LDAP URIs (scheme://host:port) */
154 static const char *schemes[] = {
155 "ldap://", "ldaps://", "ldapi://", "cldap://"
156 };
157 char *b, *e = host->ptr;
158 buffer * const tb = srv->tmp_buf;
159 buffer_clear(tb);
160 while (*(b = e)) {
161 unsigned int j;
162 while (*b==' '||*b=='\t'||*b=='\r'||*b=='\n'||*b==',') ++b;
163 if (*b == '\0') break;
164 e = b;
165 while (*e!=' '&&*e!='\t'&&*e!='\r'&&*e!='\n'&&*e!=','&&*e!='\0')
166 ++e;
167 if (!buffer_is_blank(tb))
168 buffer_append_char(tb, ',');
169 for (j = 0; j < sizeof(schemes)/sizeof(char *); ++j) {
170 if (buffer_eq_icase_ssn(b, schemes[j], strlen(schemes[j]))) {
171 break;
172 }
173 }
174 if (j == sizeof(schemes)/sizeof(char *))
175 buffer_append_string_len(tb, CONST_STR_LEN("ldap://"));
176 buffer_append_string_len(tb, b, (size_t)(e - b));
177 }
178 buffer_copy_buffer(host, tb);
179 }
180 }
181
182 __attribute_cold__
183 static void mod_authn_ldap_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, int err);
184
SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults)185 SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
186 static const config_plugin_keys_t cpk[] = {
187 { CONST_STR_LEN("auth.backend.ldap.hostname"),
188 T_CONFIG_STRING,
189 T_CONFIG_SCOPE_CONNECTION }
190 ,{ CONST_STR_LEN("auth.backend.ldap.base-dn"),
191 T_CONFIG_STRING,
192 T_CONFIG_SCOPE_CONNECTION }
193 ,{ CONST_STR_LEN("auth.backend.ldap.filter"),
194 T_CONFIG_STRING,
195 T_CONFIG_SCOPE_CONNECTION }
196 ,{ CONST_STR_LEN("auth.backend.ldap.ca-file"),
197 T_CONFIG_STRING,
198 T_CONFIG_SCOPE_CONNECTION }
199 ,{ CONST_STR_LEN("auth.backend.ldap.starttls"),
200 T_CONFIG_BOOL,
201 T_CONFIG_SCOPE_CONNECTION }
202 ,{ CONST_STR_LEN("auth.backend.ldap.bind-dn"),
203 T_CONFIG_STRING,
204 T_CONFIG_SCOPE_CONNECTION }
205 ,{ CONST_STR_LEN("auth.backend.ldap.bind-pw"),
206 T_CONFIG_STRING,
207 T_CONFIG_SCOPE_CONNECTION }
208 ,{ CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"),
209 T_CONFIG_BOOL,
210 T_CONFIG_SCOPE_CONNECTION }
211 ,{ CONST_STR_LEN("auth.backend.ldap.groupmember"),
212 T_CONFIG_STRING,
213 T_CONFIG_SCOPE_CONNECTION }
214 ,{ CONST_STR_LEN("auth.backend.ldap.timeout"),
215 T_CONFIG_STRING,
216 T_CONFIG_SCOPE_CONNECTION }
217 ,{ NULL, 0,
218 T_CONFIG_UNSET,
219 T_CONFIG_SCOPE_UNSET }
220 };
221
222 plugin_data * const p = p_d;
223 if (!config_plugin_values_init(srv, p, cpk, "mod_authn_ldap"))
224 return HANDLER_ERROR;
225
226 /* process and validate config directives
227 * (init i to 0 if global context; to 1 to skip empty global context) */
228 for (int i = !p->cvlist[0].v.u2[1]; i < p->nconfig; ++i) {
229 config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
230 plugin_config_ldap *ldc = NULL;
231 char *binddn = NULL, *bindpw = NULL, *cafile = NULL;
232 int starttls = 0;
233 long timeout = 2000000; /* set 2 sec default timeout (not infinite) */
234 for (; -1 != cpv->k_id; ++cpv) {
235 switch (cpv->k_id) {
236 case 0: /* auth.backend.ldap.hostname */
237 if (!buffer_is_blank(cpv->v.b)) {
238 buffer *b;
239 *(const buffer **)&b = cpv->v.b;
240 mod_authn_add_scheme(srv, b);
241 ldc = ck_calloc(1, sizeof(plugin_config_ldap));
242 ldc->errh = srv->errh;
243 ldc->auth_ldap_hostname = b->ptr;
244 cpv->v.v = ldc;
245 }
246 else {
247 cpv->v.v = NULL;
248 }
249 cpv->vtype = T_CONFIG_LOCAL;
250 break;
251 case 1: /* auth.backend.ldap.base-dn */
252 cpv->vtype = T_CONFIG_LOCAL;
253 cpv->v.v = !buffer_is_blank(cpv->v.b)
254 ? cpv->v.b->ptr
255 : NULL;
256 break;
257 case 2: /* auth.backend.ldap.filter */
258 if (!buffer_is_blank(cpv->v.b)) {
259 buffer *b;
260 *(const buffer **)&b = cpv->v.b;
261 if (*b->ptr != ',') {
262 /*(translate $ to ? for consistency w/ other modules)*/
263 char *d = b->ptr;
264 for (; NULL != (d = strchr(d, '$')); ++d) *d = '?';
265 if (NULL == strchr(b->ptr, '?')) {
266 log_error(srv->errh, __FILE__, __LINE__,
267 "ldap: %s is missing a replace-operator '?'",
268 cpk[cpv->k_id].k);
269 return HANDLER_ERROR;
270 }
271 }
272 cpv->v.v = b;
273 }
274 else {
275 cpv->v.v = NULL;
276 }
277 cpv->vtype = T_CONFIG_LOCAL;
278 break;
279 case 3: /* auth.backend.ldap.ca-file */
280 cafile = !buffer_is_blank(cpv->v.b)
281 ? cpv->v.b->ptr
282 : NULL;
283 cpv->vtype = T_CONFIG_LOCAL;
284 cpv->v.v = cafile;
285 break;
286 case 4: /* auth.backend.ldap.starttls */
287 starttls = (int)cpv->v.u;
288 break;
289 case 5: /* auth.backend.ldap.bind-dn */
290 binddn = !buffer_is_blank(cpv->v.b)
291 ? cpv->v.b->ptr
292 : NULL;
293 cpv->vtype = T_CONFIG_LOCAL;
294 cpv->v.v = binddn;
295 break;
296 case 6: /* auth.backend.ldap.bind-pw */
297 cpv->vtype = T_CONFIG_LOCAL;
298 cpv->v.v = bindpw = cpv->v.b->ptr;
299 break;
300 case 7: /* auth.backend.ldap.allow-empty-pw */
301 break;
302 case 8: /* auth.backend.ldap.groupmember */
303 if (buffer_is_blank(cpv->v.b))
304 cpv->v.b = NULL;
305 break;
306 case 9: /* auth.backend.ldap.timeout */
307 timeout = strtol(cpv->v.b->ptr, NULL, 10);
308 break;
309 default:/* should not happen */
310 break;
311 }
312 }
313
314 if (ldc) {
315 ldc->auth_ldap_binddn = binddn;
316 ldc->auth_ldap_bindpw = bindpw;
317 ldc->auth_ldap_cafile = cafile;
318 ldc->auth_ldap_starttls = starttls;
319 ldc->auth_ldap_timeout.tv_sec = timeout / 1000000;
320 ldc->auth_ldap_timeout.tv_usec = timeout % 1000000;
321 }
322 }
323
324 static const struct { const char *ptr; uint32_t used; uint32_t size; }
325 memberUid = { "memberUid", sizeof("memberUid"), 0 };
326 *(const buffer **)&p->defaults.auth_ldap_groupmember =
327 (const buffer *)&memberUid;
328
329 /* initialize p->defaults from global config context */
330 if (p->nconfig > 0 && p->cvlist->v.u2[1]) {
331 const config_plugin_value_t *cpv = p->cvlist + p->cvlist->v.u2[0];
332 if (-1 != cpv->k_id)
333 mod_authn_ldap_merge_config(&p->defaults, cpv);
334 }
335
336 if (p->defaults.auth_ldap_starttls && p->defaults.auth_ldap_cafile) {
337 const int ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
338 p->defaults.auth_ldap_cafile);
339 if (LDAP_OPT_SUCCESS != ret) {
340 mod_authn_ldap_err(srv->errh, __FILE__, __LINE__,
341 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
342 return HANDLER_ERROR;
343 }
344 default_cafile = p->defaults.auth_ldap_cafile;
345 }
346
347 return HANDLER_GO_ON;
348 }
349
350 __attribute_cold__
mod_authn_ldap_err(log_error_st * errh,const char * file,unsigned long line,const char * fn,int err)351 static void mod_authn_ldap_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, int err)
352 {
353 log_error(errh, file, line, "ldap: %s: %s", fn, ldap_err2string(err));
354 }
355
356 __attribute_cold__
mod_authn_ldap_opt_err(log_error_st * errh,const char * file,unsigned long line,const char * fn,LDAP * ld)357 static void mod_authn_ldap_opt_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, LDAP *ld)
358 {
359 int err;
360 ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err);
361 mod_authn_ldap_err(errh, file, line, fn, err);
362 }
363
mod_authn_append_ldap_dn_escape(buffer * const filter,const buffer * const raw)364 static void mod_authn_append_ldap_dn_escape(buffer * const filter, const buffer * const raw) {
365 /* [RFC4514] 2.4 Converting an AttributeValue from ASN.1 to a String
366 *
367 * https://www.ldap.com/ldap-dns-and-rdns
368 * http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
369 */
370 const char * const b = raw->ptr;
371 const size_t rlen = buffer_clen(raw);
372 if (0 == rlen) return;
373
374 if (b[0] == ' ') { /* || b[0] == '#' handled below for MS Active Directory*/
375 /* escape leading ' ' */
376 buffer_append_char(filter, '\\');
377 }
378
379 for (size_t i = 0; i < rlen; ++i) {
380 size_t len = i;
381 int bs = 0;
382 do {
383 /* encode all UTF-8 chars with high bit set
384 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
385 if (((unsigned char *)b)[len] > 0x7f)
386 break;
387 switch (b[len]) {
388 default:
389 continue;
390 case '"': case '+': case ',': case ';': case '\\':
391 case '<': case '>':
392 case '=': case '#': /* (for MS Active Directory) */
393 bs = 1;
394 break;
395 case '\0':
396 break;
397 }
398 break;
399 } while (++len < rlen);
400 len -= i;
401
402 if (len) {
403 buffer_append_string_len(filter, b+i, len);
404 if ((i += len) == rlen) break;
405 }
406
407 if (bs) {
408 buffer_append_char(filter, '\\');
409 buffer_append_char(filter, b[i]);
410 }
411 else {
412 /* escape NUL ('\0') (and all UTF-8 chars with high bit set) */
413 char *f;
414 f = buffer_extend(filter, 3);
415 f[0] = '\\';
416 f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
417 f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
418 }
419 }
420
421 if (rlen > 1 && b[rlen-1] == ' ') {
422 /* escape trailing ' ' */
423 filter->ptr[buffer_clen(filter)-1] = '\\';
424 buffer_append_char(filter, ' ');
425 }
426 }
427
mod_authn_append_ldap_filter_escape(buffer * const filter,const buffer * const raw)428 static void mod_authn_append_ldap_filter_escape(buffer * const filter, const buffer * const raw) {
429 /* [RFC4515] 3. String Search Filter Definition
430 *
431 * [...]
432 *
433 * The <valueencoding> rule ensures that the entire filter string is a
434 * valid UTF-8 string and provides that the octets that represent the
435 * ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
436 * 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
437 * backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
438 * representing the value of the encoded octet.
439 *
440 * [...]
441 *
442 * As indicated by the <valueencoding> rule, implementations MUST escape
443 * all octets greater than 0x7F that are not part of a valid UTF-8
444 * encoding sequence when they generate a string representation of a
445 * search filter. Implementations SHOULD accept as input strings that
446 * are not valid UTF-8 strings. This is necessary because RFC 2254 did
447 * not clearly define the term "string representation" (and in
448 * particular did not mention that the string representation of an LDAP
449 * search filter is a string of UTF-8-encoded Unicode characters).
450 *
451 *
452 * https://www.ldap.com/ldap-filters
453 * Although not required, you may escape any other characters that you want
454 * in the assertion value (or substring component) of a filter. This may be
455 * accomplished by prefixing the hexadecimal representation of each byte of
456 * the UTF-8 encoding of the character to escape with a backslash character.
457 */
458 const char * const b = raw->ptr;
459 const size_t rlen = buffer_clen(raw);
460 for (size_t i = 0; i < rlen; ++i) {
461 size_t len = i;
462 char *f;
463 do {
464 /* encode all UTF-8 chars with high bit set
465 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
466 if (((unsigned char *)b)[len] > 0x7f)
467 break;
468 switch (b[len]) {
469 default:
470 continue;
471 case '\0': case '(': case ')': case '*': case '\\':
472 break;
473 }
474 break;
475 } while (++len < rlen);
476 len -= i;
477
478 if (len) {
479 buffer_append_string_len(filter, b+i, len);
480 if ((i += len) == rlen) break;
481 }
482
483 /* escape * ( ) \ NUL ('\0') (and all UTF-8 chars with high bit set) */
484 f = buffer_extend(filter, 3);
485 f[0] = '\\';
486 f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
487 f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
488 }
489 }
490
mod_authn_ldap_host_init(log_error_st * errh,plugin_config_ldap * s)491 static LDAP * mod_authn_ldap_host_init(log_error_st *errh, plugin_config_ldap *s) {
492 LDAP *ld;
493 int ret;
494
495 if (NULL == s->auth_ldap_hostname) return NULL;
496
497 if (LDAP_SUCCESS != ldap_initialize(&ld, s->auth_ldap_hostname)) {
498 log_perror(errh, __FILE__, __LINE__, "ldap: ldap_initialize()");
499 return NULL;
500 }
501
502 ret = LDAP_VERSION3;
503 ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ret);
504 if (LDAP_OPT_SUCCESS != ret) {
505 mod_authn_ldap_err(errh, __FILE__, __LINE__, "ldap_set_option()", ret);
506 ldap_destroy(ld);
507 return NULL;
508 }
509
510 /* restart ldap functions if interrupted by a signal, e.g. SIGCHLD */
511 ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
512
513 #ifdef LDAP_OPT_NETWORK_TIMEOUT /* OpenLDAP-specific */
514 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &s->auth_ldap_timeout);
515 #endif
516
517 #ifdef LDAP_OPT_TIMEOUT /* OpenLDAP-specific; OpenLDAP 2.4+ */
518 ldap_set_option(ld, LDAP_OPT_TIMEOUT, &s->auth_ldap_timeout);
519 #endif
520
521 if (s->auth_ldap_starttls) {
522 /* if no CA file is given, it is ok, as we will use encryption
523 * if the server requires a CAfile it will tell us */
524 if (s->auth_ldap_cafile
525 && (!default_cafile
526 || 0 != strcmp(s->auth_ldap_cafile, default_cafile))) {
527 ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
528 s->auth_ldap_cafile);
529 if (LDAP_OPT_SUCCESS != ret) {
530 mod_authn_ldap_err(errh, __FILE__, __LINE__,
531 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)",
532 ret);
533 ldap_destroy(ld);
534 return NULL;
535 }
536 }
537
538 ret = ldap_start_tls_s(ld, NULL, NULL);
539 if (LDAP_OPT_SUCCESS != ret) {
540 mod_authn_ldap_err(errh,__FILE__,__LINE__,"ldap_start_tls_s()",ret);
541 ldap_destroy(ld);
542 return NULL;
543 }
544 }
545
546 return ld;
547 }
548
mod_authn_ldap_bind(log_error_st * errh,LDAP * ld,const char * dn,const char * pw)549 static int mod_authn_ldap_bind(log_error_st *errh, LDAP *ld, const char *dn, const char *pw) {
550 struct berval creds;
551 int ret;
552
553 if (NULL != pw) {
554 *((const char **)&creds.bv_val) = pw; /*(cast away const)*/
555 creds.bv_len = strlen(pw);
556 } else {
557 creds.bv_val = NULL;
558 creds.bv_len = 0;
559 }
560
561 /* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */
562
563 ret = ldap_sasl_bind_s(ld,dn,LDAP_SASL_SIMPLE,&creds,NULL,NULL,NULL);
564 if (ret != LDAP_SUCCESS) {
565 mod_authn_ldap_err(errh, __FILE__, __LINE__, "ldap_sasl_bind_s()", ret);
566 }
567
568 return ret;
569 }
570
mod_authn_ldap_rebind_proc(LDAP * ld,LDAP_CONST char * url,ber_tag_t ldap_request,ber_int_t msgid,void * params)571 static int mod_authn_ldap_rebind_proc (LDAP *ld, LDAP_CONST char *url, ber_tag_t ldap_request, ber_int_t msgid, void *params) {
572 const plugin_config_ldap *s = (const plugin_config_ldap *)params;
573 UNUSED(url);
574 UNUSED(ldap_request);
575 UNUSED(msgid);
576 return s->auth_ldap_binddn
577 ? mod_authn_ldap_bind(s->errh, ld,
578 s->auth_ldap_binddn,
579 s->auth_ldap_bindpw)
580 : mod_authn_ldap_bind(s->errh, ld, NULL, NULL);
581 }
582
mod_authn_ldap_search(log_error_st * errh,plugin_config_ldap * s,const char * base,const char * filter)583 static LDAPMessage * mod_authn_ldap_search(log_error_st *errh, plugin_config_ldap *s, const char *base, const char *filter) {
584 LDAPMessage *lm = NULL;
585 char *attrs[] = { LDAP_NO_ATTRS, NULL };
586 int ret;
587
588 /*
589 * 1. connect anonymously (if not already connected)
590 * (ldap connection is kept open unless connection-level error occurs)
591 * 2. issue search using filter
592 */
593
594 if (s->ldap != NULL) {
595 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
596 attrs, 0, NULL, NULL, NULL, 0, &lm);
597 if (LDAP_SUCCESS == ret) {
598 return lm;
599 } else if (LDAP_SERVER_DOWN != ret) {
600 /* try again (or initial request);
601 * ldap lib sometimes fails for the first call but reconnects */
602 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
603 attrs, 0, NULL, NULL, NULL, 0, &lm);
604 if (LDAP_SUCCESS == ret) {
605 return lm;
606 }
607 }
608
609 ldap_unbind_ext_s(s->ldap, NULL, NULL);
610 }
611
612 s->ldap = mod_authn_ldap_host_init(errh, s);
613 if (NULL == s->ldap) {
614 return NULL;
615 }
616
617 ldap_set_rebind_proc(s->ldap, mod_authn_ldap_rebind_proc, s);
618 ret = mod_authn_ldap_rebind_proc(s->ldap, NULL, 0, 0, s);
619 if (LDAP_SUCCESS != ret) {
620 ldap_destroy(s->ldap);
621 s->ldap = NULL;
622 return NULL;
623 }
624
625 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
626 attrs, 0, NULL, NULL, NULL, 0, &lm);
627 if (LDAP_SUCCESS != ret) {
628 log_error(errh, __FILE__, __LINE__,
629 "ldap: %s; filter: %s", ldap_err2string(ret), filter);
630 ldap_unbind_ext_s(s->ldap, NULL, NULL);
631 s->ldap = NULL;
632 return NULL;
633 }
634
635 return lm;
636 }
637
mod_authn_ldap_get_dn(log_error_st * errh,plugin_config_ldap * s,const char * base,const char * filter)638 static char * mod_authn_ldap_get_dn(log_error_st *errh, plugin_config_ldap *s, const char *base, const char *filter) {
639 LDAP *ld;
640 LDAPMessage *lm, *first;
641 char *dn;
642 int count;
643
644 lm = mod_authn_ldap_search(errh, s, base, filter);
645 if (NULL == lm) {
646 return NULL;
647 }
648
649 ld = s->ldap; /*(must be after mod_authn_ldap_search(); might reconnect)*/
650
651 count = ldap_count_entries(ld, lm);
652 if (0 == count) { /*(no entries found)*/
653 ldap_msgfree(lm);
654 return NULL;
655 } else if (count > 1) {
656 log_error(errh, __FILE__, __LINE__,
657 "ldap: more than one record returned. "
658 "you might have to refine the filter: %s", filter);
659 }
660
661 if (NULL == (first = ldap_first_entry(ld, lm))) {
662 mod_authn_ldap_opt_err(errh,__FILE__,__LINE__,"ldap_first_entry()",ld);
663 ldap_msgfree(lm);
664 return NULL;
665 }
666
667 if (NULL == (dn = ldap_get_dn(ld, first))) {
668 mod_authn_ldap_opt_err(errh,__FILE__,__LINE__,"ldap_get_dn()",ld);
669 ldap_msgfree(lm);
670 return NULL;
671 }
672
673 ldap_msgfree(lm);
674 return dn;
675 }
676
mod_authn_ldap_memberOf(log_error_st * errh,plugin_config * s,const http_auth_require_t * require,const buffer * username,const char * userdn)677 static handler_t mod_authn_ldap_memberOf(log_error_st *errh, plugin_config *s, const http_auth_require_t *require, const buffer *username, const char *userdn) {
678 if (!s->auth_ldap_groupmember) return HANDLER_ERROR;
679 const array *groups = &require->group;
680 buffer *filter = buffer_init();
681 handler_t rc = HANDLER_ERROR;
682
683 buffer_append_char(filter, '(');
684 buffer_append_string_buffer(filter, s->auth_ldap_groupmember);
685 buffer_append_char(filter, '=');
686 if (buffer_is_equal_string(s->auth_ldap_groupmember,
687 CONST_STR_LEN("member"))) {
688 buffer_append_string(filter, userdn);
689 } else { /*(assume "memberUid"; consider validating in SETDEFAULTS_FUNC)*/
690 mod_authn_append_ldap_filter_escape(filter, username);
691 }
692 buffer_append_char(filter, ')');
693
694 plugin_config_ldap * const ldc = s->ldc;
695 for (size_t i = 0; i < groups->used; ++i) {
696 const char *base = groups->data[i]->key.ptr;
697 LDAPMessage *lm = mod_authn_ldap_search(errh, ldc, base, filter->ptr);
698 if (NULL != lm) {
699 int count = ldap_count_entries(ldc->ldap, lm);
700 ldap_msgfree(lm);
701 if (count > 0) {
702 rc = HANDLER_GO_ON;
703 break;
704 }
705 }
706 }
707
708 buffer_free(filter);
709 return rc;
710 }
711
mod_authn_ldap_basic(request_st * const r,void * p_d,const http_auth_require_t * const require,const buffer * const username,const char * const pw)712 static handler_t mod_authn_ldap_basic(request_st * const r, void *p_d, const http_auth_require_t * const require, const buffer * const username, const char * const pw) {
713 plugin_data *p = (plugin_data *)p_d;
714 LDAP *ld;
715 char *dn;
716
717 mod_authn_ldap_patch_config(r, p);
718
719 if (pw[0] == '\0' && !p->conf.auth_ldap_allow_empty_pw)
720 return HANDLER_ERROR;
721
722 const buffer * const template = p->conf.auth_ldap_filter;
723 if (NULL == template)
724 return HANDLER_ERROR;
725
726 log_error_st * const errh = r->conf.errh;
727
728 /* build filter to get DN for uid = username */
729 buffer * const ldap_filter = &p->ldap_filter;
730 buffer_clear(ldap_filter);
731 if (*template->ptr == ',') {
732 /* special-case filter template beginning with ',' to be explicit DN */
733 buffer_append_string_len(ldap_filter, CONST_STR_LEN("uid="));
734 mod_authn_append_ldap_dn_escape(ldap_filter, username);
735 buffer_append_string_buffer(ldap_filter, template);
736 dn = ldap_filter->ptr;
737 }
738 else {
739 for (const char *b = template->ptr, *d; *b; b = d+1) {
740 if (NULL != (d = strchr(b, '?'))) {
741 buffer_append_string_len(ldap_filter, b, (size_t)(d - b));
742 mod_authn_append_ldap_filter_escape(ldap_filter, username);
743 }
744 else {
745 d = template->ptr + buffer_clen(template);
746 buffer_append_string_len(ldap_filter, b, (size_t)(d - b));
747 break;
748 }
749 }
750
751 /* ldap_search for DN (synchronous; blocking) */
752 dn = mod_authn_ldap_get_dn(errh, p->conf.ldc,
753 p->conf.auth_ldap_basedn, ldap_filter->ptr);
754 if (NULL == dn) return HANDLER_ERROR;
755 }
756
757 /*(Check ldc here rather than further up to preserve historical behavior
758 * where p->conf.ldc above (was p->anon_conf above) is set of directives in
759 * same context as auth_ldap_hostname. Preference: admin intentions are
760 * clearer if directives are always together in a set in same context)*/
761
762 plugin_config_ldap * const ldc_base = p->conf.ldc;
763 plugin_config_ldap ldc_custom;
764
765 if ( p->conf.ldc->auth_ldap_starttls != p->conf.auth_ldap_starttls
766 || p->conf.ldc->auth_ldap_binddn != p->conf.auth_ldap_binddn
767 || p->conf.ldc->auth_ldap_bindpw != p->conf.auth_ldap_bindpw
768 || p->conf.ldc->auth_ldap_cafile != p->conf.auth_ldap_cafile ) {
769 ldc_custom.ldap = NULL;
770 ldc_custom.errh = errh;
771 ldc_custom.auth_ldap_hostname = ldc_base->auth_ldap_hostname;
772 ldc_custom.auth_ldap_starttls = p->conf.auth_ldap_starttls;
773 ldc_custom.auth_ldap_binddn = p->conf.auth_ldap_binddn;
774 ldc_custom.auth_ldap_bindpw = p->conf.auth_ldap_bindpw;
775 ldc_custom.auth_ldap_cafile = p->conf.auth_ldap_cafile;
776 ldc_custom.auth_ldap_timeout= ldc_base->auth_ldap_timeout;
777 p->conf.ldc = &ldc_custom;
778 }
779
780 handler_t rc = HANDLER_ERROR;
781 do {
782 /* auth against LDAP server (synchronous; blocking) */
783
784 ld = mod_authn_ldap_host_init(errh, p->conf.ldc);
785 if (NULL == ld)
786 break;
787
788 /* Disable referral tracking; target user should be in provided scope */
789 int ret = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
790 if (LDAP_OPT_SUCCESS != ret) {
791 mod_authn_ldap_err(errh,__FILE__,__LINE__,"ldap_set_option()",ret);
792 break;
793 }
794
795 if (LDAP_SUCCESS != mod_authn_ldap_bind(errh, ld, dn, pw))
796 break;
797
798 ldap_unbind_ext_s(ld, NULL, NULL); /* disconnect */
799 ld = NULL;
800
801 if (http_auth_match_rules(require, username->ptr, NULL, NULL)) {
802 rc = HANDLER_GO_ON; /* access granted */
803 }
804 else if (require->group.used) {
805 /*(must not re-use ldap_filter, since it might be used for dn)*/
806 rc = mod_authn_ldap_memberOf(errh,&p->conf,require,username,dn);
807 }
808 } while (0);
809
810 if (NULL != ld) ldap_destroy(ld);
811 if (ldc_base != p->conf.ldc && NULL != p->conf.ldc->ldap)
812 ldap_unbind_ext_s(p->conf.ldc->ldap, NULL, NULL);
813 if (dn != ldap_filter->ptr) ldap_memfree(dn);
814 return rc;
815 }
816
817
818 __attribute_cold__
819 int mod_authn_ldap_plugin_init(plugin *p);
mod_authn_ldap_plugin_init(plugin * p)820 int mod_authn_ldap_plugin_init(plugin *p) {
821 p->version = LIGHTTPD_VERSION_ID;
822 p->name = "authn_ldap";
823 p->init = mod_authn_ldap_init;
824 p->set_defaults = mod_authn_ldap_set_defaults;
825 p->cleanup = mod_authn_ldap_free;
826
827 return 0;
828 }
829