Commit | Line | Data |
---|---|---|
994a09e9 | 1 | /* $Cambridge: exim/src/src/lookups/ldap.c,v 1.4 2004/11/17 16:31:45 ph10 Exp $ */ |
0756eb3c PH |
2 | |
3 | /************************************************* | |
4 | * Exim - an Internet mail transport agent * | |
5 | *************************************************/ | |
6 | ||
7 | /* Copyright (c) University of Cambridge 1995 - 2004 */ | |
8 | /* See the file NOTICE for conditions of use and distribution. */ | |
9 | ||
10 | /* Many thanks to Stuart Lynne for contributing the original code for this | |
11 | driver. Further contibutions from Michael Haardt, Brian Candler, Barry | |
12 | Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for | |
13 | researching how to handle the different kinds of error. */ | |
14 | ||
15 | ||
16 | #include "../exim.h" | |
17 | #include "lf_functions.h" | |
18 | #include "ldap.h" | |
19 | ||
20 | ||
21 | /* We can't just compile this code and allow the library mechanism to omit the | |
22 | functions if they are not wanted, because we need to have the LDAP headers | |
23 | available for compiling. Therefore, compile these functions only if LOOKUP_LDAP | |
24 | is defined. However, some compilers don't like compiling empty modules, so keep | |
25 | them happy with a dummy when skipping the rest. Make it reference itself to | |
26 | stop picky compilers complaining that it is unused, and put in a dummy argument | |
27 | to stop even pickier compilers complaining about infinite loops. */ | |
28 | ||
29 | #ifndef LOOKUP_LDAP | |
30 | static void dummy(int x) { dummy(x-1); } | |
31 | #else | |
32 | ||
33 | ||
34 | /* Include LDAP headers */ | |
35 | ||
36 | #include <lber.h> | |
37 | #include <ldap.h> | |
38 | ||
39 | ||
40 | /* Annoyingly, the different LDAP libraries handle errors in different ways, | |
41 | and some other things too. There doesn't seem to be an automatic way of | |
42 | distinguishing between them. Local/Makefile should contain a setting of | |
43 | LDAP_LIB_TYPE, which in turn causes appropriate macros to be defined for the | |
44 | different kinds. Those that matter are: | |
45 | ||
46 | LDAP_LIB_NETSCAPE | |
47 | LDAP_LIB_SOLARIS with synonym LDAP_LIB_SOLARIS7 | |
48 | LDAP_LIB_OPENLDAP2 | |
49 | ||
50 | These others may be defined, but are in fact the default, so are not tested: | |
51 | ||
52 | LDAP_LIB_UMICHIGAN | |
53 | LDAP_LIB_OPENLDAP1 | |
54 | */ | |
55 | ||
56 | #if defined(LDAP_LIB_SOLARIS7) && ! defined(LDAP_LIB_SOLARIS) | |
57 | #define LDAP_LIB_SOLARIS | |
58 | #endif | |
59 | ||
60 | ||
61 | /* Just in case LDAP_NO_LIMIT is not defined by some of these libraries. */ | |
62 | ||
63 | #ifndef LDAP_NO_LIMIT | |
64 | #define LDAP_NO_LIMIT 0 | |
65 | #endif | |
66 | ||
67 | ||
68 | /* Just in case LDAP_DEREF_NEVER is not defined */ | |
69 | ||
70 | #ifndef LDAP_DEREF_NEVER | |
71 | #define LDAP_DEREF_NEVER 0 | |
72 | #endif | |
73 | ||
74 | ||
0756eb3c PH |
75 | /* Four types of LDAP search are implemented */ |
76 | ||
77 | #define SEARCH_LDAP_MULTIPLE 0 /* Get attributes from multiple entries */ | |
78 | #define SEARCH_LDAP_SINGLE 1 /* Get attributes from one entry only */ | |
79 | #define SEARCH_LDAP_DN 2 /* Get just the DN from one entry */ | |
80 | #define SEARCH_LDAP_AUTH 3 /* Just checking for authentication */ | |
81 | ||
82 | /* In all 4 cases, the DN is left in $ldap_dn (which post-dates the | |
83 | SEARCH_LDAP_DN lookup). */ | |
84 | ||
85 | ||
86 | /* Structure and anchor for caching connections. */ | |
87 | ||
88 | typedef struct ldap_connection { | |
89 | struct ldap_connection *next; | |
90 | uschar *host; | |
91 | uschar *user; | |
92 | uschar *password; | |
93 | BOOL bound; | |
94 | int port; | |
95 | LDAP *ld; | |
96 | } LDAP_CONNECTION; | |
97 | ||
98 | static LDAP_CONNECTION *ldap_connections = NULL; | |
99 | ||
100 | ||
101 | ||
102 | /************************************************* | |
103 | * Internal search function * | |
104 | *************************************************/ | |
105 | ||
106 | /* This is the function that actually does the work. It is called (indirectly | |
107 | via control_ldap_search) from eldap_find(), eldapauth_find(), eldapdn_find(), | |
108 | and eldapm_find(), with a difference in the "search_type" argument. | |
109 | ||
110 | The case of eldapauth_find() is special in that all it does is do | |
111 | authentication, returning OK or FAIL as appropriate. This isn't used as a | |
112 | lookup. Instead, it is called from expand.c as an expansion condition test. | |
113 | ||
114 | The DN from a successful lookup is placed in $ldap_dn. This feature postdates | |
115 | the provision of the SEARCH_LDAP_DN facility for returning just the DN as the | |
116 | data. | |
117 | ||
118 | Arguments: | |
119 | ldap_url the URL to be looked up | |
120 | server server host name, when URL contains none | |
121 | s_port server port, used when URL contains no name | |
122 | search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries | |
123 | SEARCH_LDAP_SINGLE allows values from one entry only | |
124 | SEARCH_LDAP_DN gets the DN from one entry | |
125 | res set to point at the result (not used for ldapauth) | |
126 | errmsg set to point a message if result is not OK | |
127 | defer_break set TRUE if no more servers to be tried after a DEFER | |
128 | user user name for authentication, or NULL | |
129 | password password for authentication, or NULL | |
130 | sizelimit max number of entries returned, or 0 for no limit | |
131 | timelimit max time to wait, or 0 for no limit | |
d00328e2 | 132 | tcplimit max time for network activity, e.g. connect, or 0 for OS default |
0756eb3c PH |
133 | deference the dereference option, which is one of |
134 | LDAP_DEREF_{NEVER,SEARCHING,FINDING,ALWAYS} | |
135 | ||
136 | Returns: OK or FAIL or DEFER | |
137 | FAIL is given only if a lookup was performed successfully, but | |
138 | returned no data. | |
139 | */ | |
140 | ||
141 | static int | |
142 | perform_ldap_search(uschar *ldap_url, uschar *server, int s_port, int search_type, | |
143 | uschar **res, uschar **errmsg, BOOL *defer_break, uschar *user, uschar *password, | |
144 | int sizelimit, int timelimit, int tcplimit, int dereference) | |
145 | { | |
146 | LDAPURLDesc *ludp = NULL; | |
147 | LDAPMessage *result = NULL; | |
148 | BerElement *ber; | |
149 | LDAP_CONNECTION *lcp; | |
150 | ||
151 | struct timeval timeout; | |
152 | struct timeval *timeoutptr = NULL; | |
153 | ||
154 | uschar *attr; | |
155 | uschar **attrp; | |
156 | uschar *data = NULL; | |
157 | uschar *dn = NULL; | |
158 | uschar *host; | |
159 | uschar **values; | |
160 | uschar **firstval; | |
161 | uschar porttext[16]; | |
162 | ||
163 | uschar *error1 = NULL; /* string representation of errcode (static) */ | |
164 | uschar *error2 = NULL; /* error message from the server */ | |
165 | uschar *matched = NULL; /* partially matched DN */ | |
166 | ||
167 | int attr_count = 0; | |
168 | int error_yield = DEFER; | |
169 | int msgid; | |
170 | int rc; | |
171 | int port; | |
172 | int ptr = 0; | |
173 | int rescount = 0; | |
174 | int size = 0; | |
175 | BOOL attribute_found = FALSE; | |
176 | BOOL ldapi = FALSE; | |
177 | ||
178 | DEBUG(D_lookup) | |
179 | debug_printf("perform_ldap_search: ldap%s URL = \"%s\" server=%s port=%d " | |
180 | "sizelimit=%d timelimit=%d tcplimit=%d\n", | |
181 | (search_type == SEARCH_LDAP_MULTIPLE)? "m" : | |
182 | (search_type == SEARCH_LDAP_DN)? "dn" : | |
183 | (search_type == SEARCH_LDAP_AUTH)? "auth" : "", | |
184 | ldap_url, server, s_port, sizelimit, timelimit, tcplimit); | |
185 | ||
186 | /* Check if LDAP thinks the URL is a valid LDAP URL. We assume that if the LDAP | |
187 | library that is in use doesn't recognize, say, "ldapi", it will barf here. */ | |
188 | ||
189 | if (!ldap_is_ldap_url(CS ldap_url)) | |
190 | { | |
191 | *errmsg = string_sprintf("ldap_is_ldap_url: not an LDAP url \"%s\"\n", | |
192 | ldap_url); | |
193 | goto RETURN_ERROR_BREAK; | |
194 | } | |
195 | ||
196 | /* Parse the URL */ | |
197 | ||
198 | if ((rc = ldap_url_parse(CS ldap_url, &ludp)) != 0) | |
199 | { | |
200 | *errmsg = string_sprintf("ldap_url_parse: (error %d) parsing \"%s\"\n", rc, | |
201 | ldap_url); | |
202 | goto RETURN_ERROR_BREAK; | |
203 | } | |
204 | ||
205 | /* If the host name is empty, take it from the separate argument, if one is | |
206 | given. OpenLDAP 2.0.6 sets an unset hostname to "" rather than empty, but | |
207 | expects NULL later in ldap_init() to mean "default", annoyingly. In OpenLDAP | |
208 | 2.0.11 this has changed (it uses NULL). */ | |
209 | ||
210 | if ((ludp->lud_host == NULL || ludp->lud_host[0] == 0) && server != NULL) | |
211 | { | |
212 | host = server; | |
213 | port = s_port; | |
214 | } | |
215 | else | |
216 | { | |
217 | host = US ludp->lud_host; | |
218 | if (host != NULL && host[0] == 0) host = NULL; | |
219 | port = ludp->lud_port; | |
220 | } | |
221 | ||
222 | DEBUG(D_lookup) debug_printf("after ldap_url_parse: host=%s port=%d\n", | |
223 | host, port); | |
224 | ||
225 | if (port == 0) port = LDAP_PORT; /* Default if none given */ | |
226 | sprintf(CS porttext, ":%d", port); /* For messages */ | |
227 | ||
228 | /* If the "host name" is actually a path, we are going to connect using a Unix | |
229 | socket, regardless of whether "ldapi" was actually specified or not. This means | |
230 | that a Unix socket can be declared in eldap_default_servers, and "traditional" | |
231 | LDAP queries using just "ldap" can be used ("ldaps" is similarly overridden). | |
232 | The path may start with "/" or it may already be escaped as "%2F" if it was | |
233 | actually declared that way in eldap_default_servers. (I did it that way the | |
234 | first time.) If the host name is not a path, the use of "ldapi" causes an | |
235 | error, except in the default case. (But lud_scheme doesn't seem to exist in | |
236 | older libraries.) */ | |
237 | ||
238 | if (host != NULL) | |
239 | { | |
240 | if ((host[0] == '/' || Ustrncmp(host, "%2F", 3) == 0)) | |
241 | { | |
242 | ldapi = TRUE; | |
243 | porttext[0] = 0; /* Remove port from messages */ | |
244 | } | |
245 | ||
246 | #if defined LDAP_LIB_OPENLDAP2 | |
247 | else if (strncmp(ludp->lud_scheme, "ldapi", 5) == 0) | |
248 | { | |
249 | *errmsg = string_sprintf("ldapi requires an absolute path (\"%s\" given)", | |
250 | host); | |
251 | goto RETURN_ERROR; | |
252 | } | |
253 | #endif | |
254 | } | |
255 | ||
256 | /* Count the attributes; we need this later to tell us how to format results */ | |
257 | ||
258 | for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++) | |
259 | attr_count++; | |
260 | ||
261 | /* See if we can find a cached connection to this host. The port is not | |
262 | relevant for ldapi. The host name pointer is set to NULL if no host was given | |
263 | (implying the library default), rather than to the empty string. Note that in | |
264 | this case, there is no difference between ldap and ldapi. */ | |
265 | ||
266 | for (lcp = ldap_connections; lcp != NULL; lcp = lcp->next) | |
267 | { | |
268 | if ((host == NULL) != (lcp->host == NULL) || | |
269 | (host != NULL && strcmpic(lcp->host, host) != 0)) | |
270 | continue; | |
271 | if (ldapi || port == lcp->port) break; | |
272 | } | |
273 | ||
d00328e2 PH |
274 | /* Use this network timeout in any requests. */ |
275 | ||
276 | if (tcplimit > 0) | |
277 | { | |
278 | timeout.tv_sec = tcplimit; | |
279 | timeout.tv_usec = 0; | |
280 | timeoutptr = &timeout; | |
281 | } | |
282 | ||
0756eb3c PH |
283 | /* If no cached connection found, we must open a connection to the server. If |
284 | the server name is actually an absolute path, we set ldapi=TRUE above. This | |
285 | requests connection via a Unix socket. However, as far as I know, only OpenLDAP | |
286 | supports the use of sockets, and the use of ldap_initialize(). */ | |
287 | ||
288 | if (lcp == NULL) | |
289 | { | |
290 | LDAP *ld; | |
291 | ||
292 | ||
293 | /* --------------------------- OpenLDAP ------------------------ */ | |
294 | ||
295 | /* There seems to be a preference under OpenLDAP for ldap_initialize() | |
296 | instead of ldap_init(), though I have as yet been unable to find | |
297 | documentation that says this. (OpenLDAP documentation is sparse to | |
298 | non-existent). So we handle OpenLDAP differently here. Also, support for | |
299 | ldapi seems to be OpenLDAP-only at present. */ | |
300 | ||
301 | #ifdef LDAP_LIB_OPENLDAP2 | |
302 | ||
303 | /* We now need an empty string for the default host. Get some store in which | |
304 | to build a URL for ldap_initialize(). In the ldapi case, it can't be bigger | |
305 | than (9 + 3*Ustrlen(shost)), whereas in the other cases it can't be bigger | |
306 | than the host name + "ldaps:///" plus : and a port number, say 20 + the | |
307 | length of the host name. What we get should accommodate both, easily. */ | |
308 | ||
309 | uschar *shost = (host == NULL)? US"" : host; | |
310 | uschar *init_url = store_get(20 + 3 * Ustrlen(shost)); | |
311 | uschar *init_ptr; | |
312 | ||
313 | /* Handle connection via Unix socket ("ldapi"). We build a basic LDAP URI to | |
314 | contain the path name, with slashes escaped as %2F. */ | |
315 | ||
316 | if (ldapi) | |
317 | { | |
318 | int ch; | |
319 | init_ptr = init_url + 8; | |
320 | Ustrcpy(init_url, "ldapi://"); | |
321 | while ((ch = *shost++) != 0) | |
322 | { | |
323 | if (ch == '/') | |
324 | { | |
325 | Ustrncpy(init_ptr, "%2F", 3); | |
326 | init_ptr += 3; | |
327 | } | |
328 | else *init_ptr++ = ch; | |
329 | } | |
330 | *init_ptr = 0; | |
331 | } | |
332 | ||
333 | /* This is not an ldapi call. Just build a URI with the protocol type, host | |
334 | name, and port. */ | |
335 | ||
336 | else | |
337 | { | |
338 | init_ptr = Ustrchr(ldap_url, '/'); | |
339 | Ustrncpy(init_url, ldap_url, init_ptr - ldap_url); | |
340 | init_ptr = init_url + (init_ptr - ldap_url); | |
341 | sprintf(CS init_ptr, "//%s:%d/", shost, port); | |
342 | } | |
343 | ||
344 | /* Call ldap_initialize() and check the result */ | |
345 | ||
346 | DEBUG(D_lookup) debug_printf("ldap_initialize with URL %s\n", init_url); | |
347 | rc = ldap_initialize(&ld, CS init_url); | |
348 | if (rc != LDAP_SUCCESS) | |
349 | { | |
350 | *errmsg = string_sprintf("ldap_initialize: (error %d) URL \"%s\"\n", | |
351 | rc, init_url); | |
352 | goto RETURN_ERROR; | |
353 | } | |
354 | store_reset(init_url); /* Might as well save memory when we can */ | |
355 | ||
356 | ||
357 | /* ------------------------- Not OpenLDAP ---------------------- */ | |
358 | ||
359 | /* For libraries other than OpenLDAP, use ldap_init(). */ | |
360 | ||
361 | #else /* LDAP_LIB_OPENLDAP2 */ | |
362 | ld = ldap_init(CS host, port); | |
363 | #endif /* LDAP_LIB_OPENLDAP2 */ | |
364 | ||
365 | /* -------------------------------------------------------------- */ | |
366 | ||
367 | ||
368 | /* Handle failure to initialize */ | |
369 | ||
370 | if (ld == NULL) | |
371 | { | |
372 | *errmsg = string_sprintf("failed to initialize for LDAP server %s%s - %s", | |
373 | host, porttext, strerror(errno)); | |
374 | goto RETURN_ERROR; | |
375 | } | |
376 | ||
377 | /* Set the TCP connect time limit if available. This is something that is | |
378 | in Netscape SDK v4.1; I don't know about other libraries. */ | |
379 | ||
380 | #ifdef LDAP_X_OPT_CONNECT_TIMEOUT | |
7c7ad977 PH |
381 | if (tcplimit > 0) |
382 | { | |
994a09e9 | 383 | int timeout1000 = tcplimit*1000; |
7c7ad977 PH |
384 | ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000); |
385 | } | |
994a09e9 PH |
386 | else |
387 | { | |
388 | int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT; | |
389 | ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)¬imeout); | |
390 | } | |
0756eb3c PH |
391 | #endif |
392 | ||
7c7ad977 PH |
393 | /* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */ |
394 | ||
395 | #ifdef LDAP_OPT_NETWORK_TIMEOUT | |
396 | if (tcplimit > 0) | |
397 | ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr); | |
398 | #endif | |
399 | ||
0756eb3c PH |
400 | /* I could not get TLS to work until I set the version to 3. That version |
401 | seems to be the default nowadays. The RFC is dated 1997, so I would hope | |
402 | that all the LDAP libraries support it. Therefore, if eldap_version hasn't | |
403 | been set, go for v3 if we can. */ | |
404 | ||
405 | if (eldap_version < 0) | |
406 | { | |
407 | #ifdef LDAP_VERSION3 | |
408 | eldap_version = LDAP_VERSION3; | |
409 | #else | |
410 | eldap_version = 2; | |
411 | #endif | |
412 | } | |
413 | ||
414 | #ifdef LDAP_OPT_PROTOCOL_VERSION | |
415 | ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *)&eldap_version); | |
416 | #endif | |
417 | ||
418 | DEBUG(D_lookup) debug_printf("initialized for LDAP (v%d) server %s%s\n", | |
419 | eldap_version, host, porttext); | |
420 | ||
421 | /* If not using ldapi and TLS is available, set appropriate TLS options: hard | |
422 | for "ldaps" and soft otherwise. */ | |
423 | ||
424 | #ifdef LDAP_OPT_X_TLS | |
425 | if (!ldapi) | |
426 | { | |
427 | int tls_option; | |
428 | if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0) | |
429 | { | |
430 | tls_option = LDAP_OPT_X_TLS_HARD; | |
431 | DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n"); | |
432 | } | |
433 | else | |
434 | { | |
435 | tls_option = LDAP_OPT_X_TLS_TRY; | |
436 | DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n"); | |
437 | } | |
438 | ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option); | |
439 | } | |
440 | #endif /* LDAP_OPT_X_TLS */ | |
441 | ||
442 | /* Now add this connection to the chain of cached connections */ | |
443 | ||
444 | lcp = store_get(sizeof(LDAP_CONNECTION)); | |
445 | lcp->host = (host == NULL)? NULL : string_copy(host); | |
446 | lcp->bound = FALSE; | |
447 | lcp->user = NULL; | |
448 | lcp->password = NULL; | |
449 | lcp->port = port; | |
450 | lcp->ld = ld; | |
451 | lcp->next = ldap_connections; | |
452 | ldap_connections = lcp; | |
453 | } | |
454 | ||
455 | /* Found cached connection */ | |
456 | ||
457 | else | |
458 | { | |
459 | DEBUG(D_lookup) | |
460 | debug_printf("re-using cached connection to LDAP server %s%s\n", | |
461 | host, porttext); | |
462 | } | |
463 | ||
464 | /* Bind with the user/password supplied, or an anonymous bind if these values | |
465 | are NULL, unless a cached connection is already bound with the same values. */ | |
466 | ||
467 | if (!lcp->bound || | |
468 | (lcp->user == NULL && user != NULL) || | |
469 | (lcp->user != NULL && user == NULL) || | |
470 | (lcp->user != NULL && user != NULL && Ustrcmp(lcp->user, user) != 0) || | |
471 | (lcp->password == NULL && password != NULL) || | |
472 | (lcp->password != NULL && password == NULL) || | |
473 | (lcp->password != NULL && password != NULL && | |
474 | Ustrcmp(lcp->password, password) != 0)) | |
475 | { | |
476 | DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n", | |
477 | (lcp->bound)? "re-" : "", user, password); | |
7c7ad977 PH |
478 | if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE)) |
479 | == -1) | |
0756eb3c | 480 | { |
7c7ad977 | 481 | *errmsg = string_sprintf("failed to bind the LDAP connection to server " |
d00328e2 | 482 | "%s%s - ldap_bind() returned -1", host, porttext); |
7c7ad977 PH |
483 | goto RETURN_ERROR; |
484 | } | |
0756eb3c | 485 | |
7c7ad977 PH |
486 | if ((rc = ldap_result( lcp->ld, msgid, 1, timeoutptr, &result )) <= 0) |
487 | { | |
488 | *errmsg = string_sprintf("failed to bind the LDAP connection to server " | |
489 | "%s%s - LDAP error: %s", host, porttext, | |
490 | rc == -1 ? "result retrieval failed" : "timeout" ); | |
491 | result = NULL; | |
492 | goto RETURN_ERROR; | |
493 | } | |
494 | ||
495 | rc = ldap_result2error( lcp->ld, result, 0 ); | |
496 | ||
497 | /* Invalid credentials when just checking credentials returns FAIL. This | |
498 | stops any further servers being tried. */ | |
0756eb3c | 499 | |
7c7ad977 PH |
500 | if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS) |
501 | { | |
502 | DEBUG(D_lookup) | |
503 | debug_printf("Invalid credentials: ldapauth returns FAIL\n"); | |
504 | error_yield = FAIL; | |
505 | goto RETURN_ERROR_NOMSG; | |
506 | } | |
0756eb3c | 507 | |
7c7ad977 PH |
508 | /* Otherwise we have a problem that doesn't stop further servers from being |
509 | tried. */ | |
510 | ||
511 | if (rc != LDAP_SUCCESS) | |
512 | { | |
0756eb3c PH |
513 | *errmsg = string_sprintf("failed to bind the LDAP connection to server " |
514 | "%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc)); | |
515 | goto RETURN_ERROR; | |
516 | } | |
517 | ||
518 | /* Successful bind */ | |
519 | ||
520 | lcp->bound = TRUE; | |
521 | lcp->user = (user == NULL)? NULL : string_copy(user); | |
522 | lcp->password = (password == NULL)? NULL : string_copy(password); | |
7c7ad977 PH |
523 | |
524 | ldap_msgfree(result); | |
525 | result = NULL; | |
0756eb3c PH |
526 | } |
527 | ||
528 | /* If we are just checking credentials, return OK. */ | |
529 | ||
530 | if (search_type == SEARCH_LDAP_AUTH) | |
531 | { | |
532 | DEBUG(D_lookup) debug_printf("Bind succeeded: ldapauth returns OK\n"); | |
533 | goto RETURN_OK; | |
534 | } | |
535 | ||
536 | /* Before doing the search, set the time and size limits (if given). Here again | |
537 | the different implementations of LDAP have chosen to do things differently. */ | |
538 | ||
539 | #if defined(LDAP_OPT_SIZELIMIT) | |
540 | ldap_set_option(lcp->ld, LDAP_OPT_SIZELIMIT, (void *)&sizelimit); | |
541 | ldap_set_option(lcp->ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit); | |
542 | #else | |
543 | lcp->ld->ld_sizelimit = sizelimit; | |
544 | lcp->ld->ld_timelimit = timelimit; | |
545 | #endif | |
546 | ||
547 | /* Similarly for dereferencing aliases. Don't know if this is possible on | |
548 | an LDAP library without LDAP_OPT_DEREF. */ | |
549 | ||
550 | #if defined(LDAP_OPT_DEREF) | |
551 | ldap_set_option(lcp->ld, LDAP_OPT_DEREF, (void *)&dereference); | |
552 | #endif | |
553 | ||
554 | /* Start the search on the server. */ | |
555 | ||
556 | DEBUG(D_lookup) debug_printf("Start search\n"); | |
557 | ||
558 | msgid = ldap_search(lcp->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter, | |
559 | ludp->lud_attrs, 0); | |
560 | ||
561 | if (msgid == -1) | |
562 | { | |
563 | *errmsg = string_sprintf("ldap search initiation failed"); | |
564 | goto RETURN_ERROR; | |
565 | } | |
566 | ||
567 | /* Loop to pick up results as they come in, setting a timeout if one was | |
568 | given. */ | |
569 | ||
0756eb3c PH |
570 | while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) == |
571 | LDAP_RES_SEARCH_ENTRY) | |
572 | { | |
573 | LDAPMessage *e; | |
574 | ||
575 | DEBUG(D_lookup) debug_printf("ldap_result loop\n"); | |
576 | ||
577 | for(e = ldap_first_entry(lcp->ld, result); | |
578 | e != NULL; | |
579 | e = ldap_next_entry(lcp->ld, e)) | |
580 | { | |
581 | uschar *new_dn; | |
582 | BOOL insert_space = FALSE; | |
583 | ||
584 | DEBUG(D_lookup) debug_printf("LDAP entry loop\n"); | |
585 | ||
586 | rescount++; /* Count results */ | |
587 | ||
588 | /* Results for multiple entries values are separated by newlines. */ | |
589 | ||
590 | if (data != NULL) data = string_cat(data, &size, &ptr, US"\n", 1); | |
591 | ||
592 | /* Get the DN from the last result. */ | |
593 | ||
594 | new_dn = US ldap_get_dn(lcp->ld, e); | |
595 | if (new_dn != NULL) | |
596 | { | |
597 | if (dn != NULL) | |
598 | { | |
599 | #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2 | |
600 | ldap_memfree(dn); | |
601 | #else /* OPENLDAP 1, UMich, Solaris */ | |
602 | free(dn); | |
603 | #endif | |
604 | } | |
605 | /* Save for later */ | |
606 | dn = new_dn; | |
607 | } | |
608 | ||
609 | /* If the data we want is actually the DN rather than any attribute values, | |
610 | (an "ldapdn" search) add it to the data string. If there are multiple | |
611 | entries, the DNs will be concatenated, but we test for this case below, as | |
612 | for SEARCH_LDAP_SINGLE, and give an error. */ | |
613 | ||
614 | if (search_type == SEARCH_LDAP_DN) /* Do not amalgamate these into one */ | |
615 | { /* condition, because of the else */ | |
616 | if (new_dn != NULL) /* below, that's for the first only */ | |
617 | { | |
618 | data = string_cat(data, &size, &ptr, new_dn, Ustrlen(new_dn)); | |
619 | data[ptr] = 0; | |
620 | attribute_found = TRUE; | |
621 | } | |
622 | } | |
623 | ||
624 | /* Otherwise, loop through the entry, grabbing attribute values. If there's | |
625 | only one attribute being retrieved, no attribute name is given, and the | |
626 | result is not quoted. Multiple values are separated by (comma, space). | |
627 | If more than one attribute is being retrieved, the data is given as a | |
628 | sequence of name=value pairs, with the value always in quotes. If there are | |
629 | multiple values, they are given within the quotes, comma separated. */ | |
630 | ||
631 | else for (attr = US ldap_first_attribute(lcp->ld, e, &ber); | |
632 | attr != NULL; | |
633 | attr = US ldap_next_attribute(lcp->ld, e, ber)) | |
634 | { | |
635 | if (attr[0] != 0) | |
636 | { | |
637 | /* Get array of values for this attribute. */ | |
638 | ||
639 | if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr)) | |
640 | != NULL) | |
641 | { | |
642 | if (attr_count != 1) | |
643 | { | |
644 | if (insert_space) | |
645 | data = string_cat(data, &size, &ptr, US" ", 1); | |
646 | else | |
647 | insert_space = TRUE; | |
648 | data = string_cat(data, &size, &ptr, attr, Ustrlen(attr)); | |
649 | data = string_cat(data, &size, &ptr, US"=\"", 2); | |
650 | } | |
651 | ||
652 | while (*values != NULL) | |
653 | { | |
654 | uschar *value = *values; | |
655 | int len = Ustrlen(value); | |
656 | ||
657 | DEBUG(D_lookup) debug_printf("LDAP attr loop %s:%s\n", attr, value); | |
658 | ||
659 | if (values != firstval) | |
660 | data = string_cat(data, &size, &ptr, US", ", 2); | |
661 | ||
662 | /* For multiple attributes, the data is in quotes. We must escape | |
663 | internal quotes, backslashes, newlines. */ | |
664 | ||
665 | if (attr_count != 1) | |
666 | { | |
667 | int j; | |
668 | for (j = 0; j < len; j++) | |
669 | { | |
670 | if (value[j] == '\n') | |
671 | data = string_cat(data, &size, &ptr, US"\\n", 2); | |
672 | else | |
673 | { | |
674 | if (value[j] == '\"' || value[j] == '\\') | |
675 | data = string_cat(data, &size, &ptr, US"\\", 1); | |
676 | data = string_cat(data, &size, &ptr, value+j, 1); | |
677 | } | |
678 | } | |
679 | } | |
680 | ||
681 | /* For single attributes, copy the value verbatim */ | |
682 | ||
683 | else data = string_cat(data, &size, &ptr, value, len); | |
684 | ||
685 | /* Move on to the next value */ | |
686 | ||
687 | values++; | |
688 | attribute_found = TRUE; | |
689 | } | |
690 | ||
691 | /* Closing quote at the end of the data for a named attribute. */ | |
692 | ||
693 | if (attr_count != 1) | |
694 | data = string_cat(data, &size, &ptr, US"\"", 1); | |
695 | ||
696 | /* Free the values */ | |
697 | ||
698 | ldap_value_free(CSS firstval); | |
699 | } | |
700 | } | |
701 | ||
702 | #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2 | |
703 | ||
704 | /* Netscape and OpenLDAP2 LDAP's attrs are dynamically allocated and need | |
705 | to be freed. UMich LDAP stores them in static storage and does not require | |
706 | this. */ | |
707 | ||
708 | ldap_memfree(attr); | |
709 | #endif | |
710 | } /* End "for" loop for extracting attributes from an entry */ | |
711 | } /* End "for" loop for extracting entries from a result */ | |
712 | ||
713 | /* Free the result */ | |
714 | ||
715 | ldap_msgfree(result); | |
716 | result = NULL; | |
717 | } /* End "while" loop for multiple results */ | |
718 | ||
719 | /* Terminate the dynamic string that we have built and reclaim unused store */ | |
720 | ||
721 | if (data != NULL) | |
722 | { | |
723 | data[ptr] = 0; | |
724 | store_reset(data + ptr + 1); | |
725 | } | |
726 | ||
727 | /* Copy the last dn into eldap_dn */ | |
728 | ||
729 | if (dn != NULL) | |
730 | { | |
731 | eldap_dn = string_copy(dn); | |
732 | #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2 | |
733 | ldap_memfree(dn); | |
734 | #else /* OPENLDAP 1, UMich, Solaris */ | |
735 | free(dn); | |
736 | #endif | |
737 | } | |
738 | ||
739 | DEBUG(D_lookup) debug_printf("search ended by ldap_result yielding %d\n",rc); | |
740 | ||
741 | if (rc == 0) | |
742 | { | |
743 | *errmsg = US"ldap_result timed out"; | |
744 | goto RETURN_ERROR; | |
745 | } | |
746 | ||
747 | /* A return code of -1 seems to mean "ldap_result failed internally or couldn't | |
748 | provide you with a message". Other error states seem to exist where | |
749 | ldap_result() didn't give us any message from the server at all, leaving result | |
750 | set to NULL. Apparently, "the error parameters of the LDAP session handle will | |
751 | be set accordingly". That's the best we can do to retrieve an error status; we | |
752 | can't use functions like ldap_result2error because they parse a message from | |
753 | the server, which we didn't get. | |
754 | ||
755 | Annoyingly, the different implementations of LDAP have gone for different | |
756 | methods of handling error codes and generating error messages. */ | |
757 | ||
758 | if (rc == -1 || result == NULL) | |
759 | { | |
760 | int err; | |
761 | DEBUG(D_lookup) debug_printf("ldap_result failed\n"); | |
762 | ||
763 | #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2 | |
764 | ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err); | |
765 | *errmsg = string_sprintf("ldap_result failed: %d, %s", | |
766 | err, ldap_err2string(err)); | |
767 | ||
768 | #elif defined LDAP_LIB_NETSCAPE | |
769 | /* Dubious (surely 'matched' is spurious here?) */ | |
770 | (void)ldap_get_lderrno(lcp->ld, &matched, &error1); | |
771 | *errmsg = string_sprintf("ldap_result failed: %s (%s)", error1, matched); | |
772 | ||
773 | #else /* UMich LDAP aka OpenLDAP 1.x */ | |
774 | *errmsg = string_sprintf("ldap_result failed: %d, %s", | |
775 | lcp->ld->ld_errno, ldap_err2string(lcp->ld->ld_errno)); | |
776 | #endif | |
777 | ||
778 | goto RETURN_ERROR; | |
779 | } | |
780 | ||
781 | /* A return code that isn't -1 doesn't necessarily mean there were no problems | |
782 | with the search. The message must be an LDAP_RES_SEARCH_RESULT or else it's | |
783 | something we can't handle. */ | |
784 | ||
785 | if (rc != LDAP_RES_SEARCH_RESULT) | |
786 | { | |
787 | *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc); | |
788 | goto RETURN_ERROR; | |
789 | } | |
790 | ||
791 | /* We have a result message from the server. This doesn't yet mean all is well. | |
792 | We need to parse the message to find out exactly what's happened. */ | |
793 | ||
794 | #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2 | |
795 | if (ldap_parse_result(lcp->ld, result, &rc, CSS &matched, CSS &error2, NULL, | |
796 | NULL, 0) < 0) | |
797 | { | |
798 | *errmsg = US"ldap_parse_result failed"; | |
799 | goto RETURN_ERROR; | |
800 | } | |
801 | error1 = US ldap_err2string(rc); | |
802 | ||
803 | #elif defined LDAP_LIB_NETSCAPE | |
804 | /* Dubious (it doesn't reference 'result' at all!) */ | |
805 | rc = ldap_get_lderrno(lcp->ld, &matched, &error1); | |
806 | ||
807 | #else /* UMich LDAP aka OpenLDAP 1.x */ | |
808 | rc = ldap_result2error(lcp->ld, result, 0); | |
809 | error1 = ldap_err2string(rc); | |
810 | error2 = lcp->ld->ld_error; | |
811 | matched = lcp->ld->ld_matched; | |
812 | #endif | |
813 | ||
814 | /* Process the status as follows: | |
815 | ||
816 | (1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the | |
817 | truncated result list. | |
818 | ||
819 | (2) The range of errors defined by LDAP_NAME_ERROR generally mean "that | |
820 | object does not, or cannot, exist in the database". For those cases we | |
821 | fail the lookup. | |
822 | ||
823 | (3) All other non-successes here are treated as some kind of problem with | |
824 | the lookup, so return DEFER (which is the default in error_yield). | |
825 | */ | |
826 | ||
827 | DEBUG(D_lookup) debug_printf("ldap_parse_result yielded %d: %s\n", | |
828 | rc, ldap_err2string(rc)); | |
829 | ||
830 | if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED) | |
831 | { | |
832 | *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s", | |
833 | rc, | |
834 | (error1 != NULL)? error1 : US"", | |
835 | (error2 != NULL && error2[0] != 0)? US"/" : US"", | |
836 | (error2 != NULL)? error2 : US"", | |
837 | (matched != NULL && matched[0] != 0)? US"/" : US"", | |
838 | (matched != NULL)? matched : US""); | |
839 | ||
840 | #if defined LDAP_NAME_ERROR | |
841 | if (LDAP_NAME_ERROR(rc)) | |
842 | #elif defined NAME_ERROR /* OPENLDAP1 calls it this */ | |
843 | if (NAME_ERROR(rc)) | |
844 | #else | |
845 | if (rc == LDAP_NO_SUCH_OBJECT) | |
846 | #endif | |
847 | ||
848 | { | |
849 | DEBUG(D_lookup) debug_printf("lookup failure forced\n"); | |
850 | error_yield = FAIL; | |
851 | } | |
852 | goto RETURN_ERROR; | |
853 | } | |
854 | ||
855 | /* The search succeeded. Check if we have too many results */ | |
856 | ||
857 | if (search_type != SEARCH_LDAP_MULTIPLE && rescount > 1) | |
858 | { | |
859 | *errmsg = string_sprintf("LDAP search: more than one entry (%d) was returned " | |
860 | "(filter not specific enough?)", rescount); | |
861 | goto RETURN_ERROR_BREAK; | |
862 | } | |
863 | ||
864 | /* Check if we have too few (zero) entries */ | |
865 | ||
866 | if (rescount < 1) | |
867 | { | |
868 | *errmsg = string_sprintf("LDAP search: no results"); | |
869 | error_yield = FAIL; | |
870 | goto RETURN_ERROR_BREAK; | |
871 | } | |
872 | ||
873 | /* If an entry was found, but it had no attributes, we behave as if no entries | |
874 | were found, that is, the lookup failed. */ | |
875 | ||
876 | if (!attribute_found) | |
877 | { | |
878 | *errmsg = US"LDAP search: found no attributes"; | |
879 | error_yield = FAIL; | |
880 | goto RETURN_ERROR; | |
881 | } | |
882 | ||
883 | /* Otherwise, it's all worked */ | |
884 | ||
885 | DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data); | |
886 | *res = data; | |
887 | ||
888 | RETURN_OK: | |
889 | if (result != NULL) ldap_msgfree(result); | |
890 | ldap_free_urldesc(ludp); | |
891 | return OK; | |
892 | ||
893 | /* Error returns */ | |
894 | ||
895 | RETURN_ERROR_BREAK: | |
896 | *defer_break = TRUE; | |
897 | ||
898 | RETURN_ERROR: | |
899 | DEBUG(D_lookup) debug_printf("%s\n", *errmsg); | |
900 | ||
901 | RETURN_ERROR_NOMSG: | |
902 | if (result != NULL) ldap_msgfree(result); | |
903 | if (ludp != NULL) ldap_free_urldesc(ludp); | |
904 | ||
905 | #if defined LDAP_LIB_OPENLDAP2 | |
906 | if (error2 != NULL) ldap_memfree(error2); | |
907 | if (matched != NULL) ldap_memfree(matched); | |
908 | #endif | |
909 | ||
910 | return error_yield; | |
911 | } | |
912 | ||
913 | ||
914 | ||
915 | /************************************************* | |
916 | * Internal search control function * | |
917 | *************************************************/ | |
918 | ||
919 | /* This function is called from eldap_find(), eldapauth_find(), eldapdn_find(), | |
920 | and eldapm_find() with a difference in the "search_type" argument. It controls | |
921 | calls to perform_ldap_search() which actually does the work. We call that | |
922 | repeatedly for certain types of defer in the case when the URL contains no host | |
923 | name and eldap_default_servers is set to a list of servers to try. This gives | |
924 | more control than just passing over a list of hosts to ldap_open() because it | |
925 | handles other kinds of defer as well as just a failure to open. Note that the | |
926 | URL is defined to contain either zero or one "hostport" only. | |
927 | ||
928 | Parameter data in addition to the URL can be passed as preceding text in the | |
929 | string, as items of the form XXX=yyy. The URL itself can be detected because it | |
930 | must begin "ldapx://", where x is empty, s, or i. | |
931 | ||
932 | Arguments: | |
933 | ldap_url the URL to be looked up, optionally preceded by other parameter | |
934 | settings | |
935 | search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries | |
936 | SEARCH_LDAP_SINGLE allows values from one entry only | |
937 | SEARCH_LDAP_DN gets the DN from one entry | |
938 | res set to point at the result | |
939 | errmsg set to point a message if result is not OK | |
940 | ||
941 | Returns: OK or FAIL or DEFER | |
942 | */ | |
943 | ||
944 | static int | |
945 | control_ldap_search(uschar *ldap_url, int search_type, uschar **res, | |
946 | uschar **errmsg) | |
947 | { | |
948 | BOOL defer_break = FALSE; | |
949 | int timelimit = LDAP_NO_LIMIT; | |
950 | int sizelimit = LDAP_NO_LIMIT; | |
7c7ad977 | 951 | int tcplimit = 0; |
0756eb3c PH |
952 | int dereference = LDAP_DEREF_NEVER; |
953 | int sep = 0; | |
954 | uschar *url = ldap_url; | |
955 | uschar *p; | |
956 | uschar *user = NULL; | |
957 | uschar *password = NULL; | |
958 | uschar *server, *list; | |
959 | uschar buffer[512]; | |
960 | ||
961 | while (isspace(*url)) url++; | |
962 | ||
963 | /* Until the string begins "ldap", search for the other parameter settings that | |
964 | are recognized. They are of the form NAME=VALUE, with the value being | |
965 | optionally double-quoted. There must still be a space after it, however. No | |
966 | NAME has the value "ldap". */ | |
967 | ||
968 | while (strncmpic(url, US"ldap", 4) != 0) | |
969 | { | |
970 | uschar *name = url; | |
971 | while (*url != 0 && *url != '=') url++; | |
972 | if (*url == '=') | |
973 | { | |
974 | int namelen; | |
975 | uschar *value; | |
976 | namelen = ++url - name; | |
977 | value = string_dequote(&url); | |
978 | if (isspace(*url)) | |
979 | { | |
980 | if (strncmpic(name, US"USER=", namelen) == 0) user = value; | |
981 | else if (strncmpic(name, US"PASS=", namelen) == 0) password = value; | |
982 | else if (strncmpic(name, US"SIZE=", namelen) == 0) sizelimit = Uatoi(value); | |
983 | else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value); | |
7c7ad977 PH |
984 | else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value); |
985 | else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value); | |
0756eb3c PH |
986 | |
987 | /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */ | |
988 | ||
989 | #ifdef LDAP_OPT_DEREF | |
990 | else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0) | |
991 | { | |
992 | if (strcmpic(value, US"never") == 0) dereference = LDAP_DEREF_NEVER; | |
993 | else if (strcmpic(value, US"searching") == 0) | |
994 | dereference = LDAP_DEREF_SEARCHING; | |
995 | else if (strcmpic(value, US"finding") == 0) | |
996 | dereference = LDAP_DEREF_FINDING; | |
997 | if (strcmpic(value, US"always") == 0) dereference = LDAP_DEREF_ALWAYS; | |
998 | } | |
999 | #else | |
1000 | else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0) | |
1001 | { | |
1002 | *errmsg = string_sprintf("LDAP_OP_DEREF not defined in this LDAP " | |
1003 | "library - cannot use \"dereference\""); | |
1004 | DEBUG(D_lookup) debug_printf("%s\n", *errmsg); | |
1005 | return DEFER; | |
1006 | } | |
1007 | ||
1008 | #endif | |
1009 | ||
1010 | else | |
1011 | { | |
1012 | *errmsg = | |
1013 | string_sprintf("unknown parameter \"%.*s\" precedes LDAP URL", | |
1014 | namelen, name); | |
1015 | DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg); | |
1016 | return DEFER; | |
1017 | } | |
1018 | while (isspace(*url)) url++; | |
1019 | continue; | |
1020 | } | |
1021 | } | |
1022 | *errmsg = US"malformed parameter setting precedes LDAP URL"; | |
1023 | DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg); | |
1024 | return DEFER; | |
1025 | } | |
1026 | ||
1027 | /* If user is set, de-URL-quote it. Some LDAP libraries do this for themselves, | |
1028 | but it seems that not all behave like this. The DN for the user is often the | |
1029 | result of ${quote_ldap_dn:...} quoting, which does apply URL quoting, because | |
1030 | that is needed when the DN is used as a base DN in a query. Sigh. This is all | |
1031 | far too complicated. */ | |
1032 | ||
1033 | if (user != NULL) | |
1034 | { | |
1035 | uschar *s; | |
1036 | uschar *t = user; | |
1037 | for (s = user; *s != 0; s++) | |
1038 | { | |
1039 | int c, d; | |
1040 | if (*s == '%' && isxdigit(c=s[1]) && isxdigit(d=s[2])) | |
1041 | { | |
1042 | c = tolower(c); | |
1043 | d = tolower(d); | |
1044 | *t++ = | |
1045 | (((c >= 'a')? (10 + c - 'a') : c - '0') << 4) | | |
1046 | ((d >= 'a')? (10 + d - 'a') : d - '0'); | |
1047 | s += 2; | |
1048 | } | |
1049 | else *t++ = *s; | |
1050 | } | |
1051 | *t = 0; | |
1052 | } | |
1053 | ||
1054 | DEBUG(D_lookup) | |
1055 | debug_printf("LDAP parameters: user=%s pass=%s size=%d time=%d connect=%d " | |
1056 | "dereference=%d\n", user, password, sizelimit, timelimit, tcplimit, | |
1057 | dereference); | |
1058 | ||
1059 | /* If the request is just to check authentication, some credentials must | |
1060 | be given. The password must not be empty because LDAP binds with an empty | |
1061 | password are considered anonymous, and will succeed on most installations. */ | |
1062 | ||
1063 | if (search_type == SEARCH_LDAP_AUTH) | |
1064 | { | |
1065 | if (user == NULL || password == NULL) | |
1066 | { | |
1067 | *errmsg = US"ldapauth lookups must specify the username and password"; | |
1068 | return DEFER; | |
1069 | } | |
1070 | if (password[0] == 0) | |
1071 | { | |
1072 | DEBUG(D_lookup) debug_printf("Empty password: ldapauth returns FAIL\n"); | |
1073 | return FAIL; | |
1074 | } | |
1075 | } | |
1076 | ||
1077 | /* Check for valid ldap url starters */ | |
1078 | ||
1079 | p = url + 4; | |
1080 | if (tolower(*p) == 's' || tolower(*p) == 'i') p++; | |
1081 | if (Ustrncmp(p, "://", 3) != 0) | |
1082 | { | |
1083 | *errmsg = string_sprintf("LDAP URL does not start with \"ldap://\", " | |
1084 | "\"ldaps://\", or \"ldapi://\" (it starts with \"%.16s...\")", url); | |
1085 | DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg); | |
1086 | return DEFER; | |
1087 | } | |
1088 | ||
1089 | /* No default servers, or URL contains a server name: just one attempt */ | |
1090 | ||
1091 | if (eldap_default_servers == NULL || p[3] != '/') | |
1092 | { | |
1093 | return perform_ldap_search(url, NULL, 0, search_type, res, errmsg, | |
1094 | &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference); | |
1095 | } | |
1096 | ||
1097 | /* Loop through the default servers until OK or FAIL */ | |
1098 | ||
1099 | list = eldap_default_servers; | |
1100 | while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL) | |
1101 | { | |
1102 | int rc; | |
1103 | int port = 0; | |
1104 | uschar *colon = Ustrchr(server, ':'); | |
1105 | if (colon != NULL) | |
1106 | { | |
1107 | *colon = 0; | |
1108 | port = Uatoi(colon+1); | |
1109 | } | |
1110 | rc = perform_ldap_search(url, server, port, search_type, res, errmsg, | |
1111 | &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference); | |
1112 | if (rc != DEFER || defer_break) return rc; | |
1113 | } | |
1114 | ||
1115 | return DEFER; | |
1116 | } | |
1117 | ||
1118 | ||
1119 | ||
1120 | /************************************************* | |
1121 | * Find entry point * | |
1122 | *************************************************/ | |
1123 | ||
1124 | /* See local README for interface description. The different kinds of search | |
1125 | are handled by a common function, with a flag to differentiate between them. | |
1126 | The handle and filename arguments are not used. */ | |
1127 | ||
1128 | int | |
1129 | eldap_find(void *handle, uschar *filename, uschar *ldap_url, int length, | |
1130 | uschar **result, uschar **errmsg, BOOL *do_cache) | |
1131 | { | |
1132 | /* Keep picky compilers happy */ | |
1133 | do_cache = do_cache; | |
1134 | return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg)); | |
1135 | } | |
1136 | ||
1137 | int | |
1138 | eldapm_find(void *handle, uschar *filename, uschar *ldap_url, int length, | |
1139 | uschar **result, uschar **errmsg, BOOL *do_cache) | |
1140 | { | |
1141 | /* Keep picky compilers happy */ | |
1142 | do_cache = do_cache; | |
1143 | return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg)); | |
1144 | } | |
1145 | ||
1146 | int | |
1147 | eldapdn_find(void *handle, uschar *filename, uschar *ldap_url, int length, | |
1148 | uschar **result, uschar **errmsg, BOOL *do_cache) | |
1149 | { | |
1150 | /* Keep picky compilers happy */ | |
1151 | do_cache = do_cache; | |
1152 | return(control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg)); | |
1153 | } | |
1154 | ||
1155 | int | |
1156 | eldapauth_find(void *handle, uschar *filename, uschar *ldap_url, int length, | |
1157 | uschar **result, uschar **errmsg, BOOL *do_cache) | |
1158 | { | |
1159 | /* Keep picky compilers happy */ | |
1160 | do_cache = do_cache; | |
1161 | return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg)); | |
1162 | } | |
1163 | ||
1164 | ||
1165 | ||
1166 | /************************************************* | |
1167 | * Open entry point * | |
1168 | *************************************************/ | |
1169 | ||
1170 | /* See local README for interface description. */ | |
1171 | ||
1172 | void * | |
1173 | eldap_open(uschar *filename, uschar **errmsg) | |
1174 | { | |
1175 | return (void *)(1); /* Just return something non-null */ | |
1176 | } | |
1177 | ||
1178 | ||
1179 | ||
1180 | /************************************************* | |
1181 | * Tidy entry point * | |
1182 | *************************************************/ | |
1183 | ||
1184 | /* See local README for interface description. | |
1185 | Make sure that eldap_dn does not refer to reclaimed or worse, freed store */ | |
1186 | ||
1187 | void | |
1188 | eldap_tidy(void) | |
1189 | { | |
1190 | LDAP_CONNECTION *lcp = NULL; | |
1191 | eldap_dn = NULL; | |
1192 | ||
1193 | while ((lcp = ldap_connections) != NULL) | |
1194 | { | |
1195 | DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host, | |
1196 | lcp->port); | |
1197 | ldap_unbind(lcp->ld); | |
1198 | ldap_connections = lcp->next; | |
1199 | } | |
1200 | } | |
1201 | ||
1202 | ||
1203 | ||
1204 | /************************************************* | |
1205 | * Quote entry point * | |
1206 | *************************************************/ | |
1207 | ||
1208 | /* LDAP quoting is unbelievably messy. For a start, two different levels of | |
1209 | quoting have to be done: LDAP quoting, and URL quoting. The current | |
1210 | specification is the result of a suggestion by Brian Candler. It recognizes | |
1211 | two separate cases: | |
1212 | ||
1213 | (1) For text that appears in a search filter, the following escapes are | |
1214 | required (see RFC 2254): | |
1215 | ||
1216 | * -> \2A | |
1217 | ( -> \28 | |
1218 | ) -> \29 | |
1219 | \ -> \5C | |
1220 | NULL -> \00 | |
1221 | ||
1222 | Then the entire filter text must be URL-escaped. This kind of quoting is | |
1223 | implemented by ${quote_ldap:....}. Note that we can never have a NULL | |
1224 | in the input string, because that's a terminator. | |
1225 | ||
1226 | (2) For a DN that is part of a URL (i.e. the base DN), the characters | |
1227 | ||
1228 | , + " \ < > ; | |
1229 | ||
1230 | must be quoted by backslashing. See RFC 2253. Leading and trailing spaces | |
1231 | must be escaped, as must a leading #. Then the string must be URL-quoted. | |
1232 | This type of quoting is implemented by ${quote_ldap_dn:....}. | |
1233 | ||
1234 | For URL quoting, the only characters that need not be quoted are the | |
1235 | alphamerics and | |
1236 | ||
1237 | ! $ ' ( ) * + - . _ | |
1238 | ||
1239 | All the others must be hexified and preceded by %. This includes the | |
1240 | backslashes used for LDAP quoting. | |
1241 | ||
1242 | For a DN that is given in the USER parameter for authentication, we need the | |
1243 | same initial quoting as (2) but in this case, the result must NOT be | |
1244 | URL-escaped, because it isn't a URL. The way this is handled is by | |
1245 | de-URL-quoting the text when processing the USER parameter in | |
1246 | control_ldap_search() above. That means that the same quote operator can be | |
1247 | used. This has the additional advantage that spaces in the DN won't cause | |
1248 | parsing problems. For example: | |
1249 | ||
1250 | USER=cn=${quote_ldap_dn:$1},%20dc=example,%20dc=com | |
1251 | ||
1252 | should be safe if there are spaces in $1. | |
1253 | ||
1254 | ||
1255 | Arguments: | |
1256 | s the string to be quoted | |
1257 | opt additional option text or NULL if none | |
1258 | only "dn" is recognized | |
1259 | ||
1260 | Returns: the processed string or NULL for a bad option | |
1261 | */ | |
1262 | ||
1263 | ||
1264 | ||
1265 | /* The characters in this string, together with alphanumerics, never need | |
1266 | quoting in any way. */ | |
1267 | ||
1268 | #define ALWAYS_LITERAL "!$'-._" | |
1269 | ||
1270 | /* The special characters in this string do not need to be URL-quoted. The set | |
1271 | is a bit larger than the general literals. */ | |
1272 | ||
1273 | #define URL_NONQUOTE ALWAYS_LITERAL "()*+" | |
1274 | ||
1275 | /* The following macros define the characters that are quoted by quote_ldap and | |
1276 | quote_ldap_dn, respectively. */ | |
1277 | ||
1278 | #define LDAP_QUOTE "*()\\" | |
1279 | #define LDAP_DN_QUOTE ",+\"\\<>;" | |
1280 | ||
1281 | ||
1282 | ||
1283 | uschar * | |
1284 | eldap_quote(uschar *s, uschar *opt) | |
1285 | { | |
1286 | register int c; | |
1287 | int count = 0; | |
1288 | int len = 0; | |
1289 | BOOL dn = FALSE; | |
1290 | uschar *t = s; | |
1291 | uschar *quoted; | |
1292 | ||
1293 | /* Test for a DN quotation. */ | |
1294 | ||
1295 | if (opt != NULL) | |
1296 | { | |
1297 | if (Ustrcmp(opt, "dn") != 0) return NULL; /* No others recognized */ | |
1298 | dn = TRUE; | |
1299 | } | |
1300 | ||
1301 | /* Compute how much extra store we need for the string. This doesn't have to be | |
1302 | exact as long as it isn't an underestimate. The worst case is the addition of 5 | |
1303 | extra bytes for a single character. This occurs for certain characters in DNs, | |
1304 | where, for example, < turns into %5C%3C. For simplicity, we just add 5 for each | |
1305 | possibly escaped character. The really fast way would be just to test for | |
1306 | non-alphanumerics, but it is probably better to spot a few others that are | |
1307 | never escaped, because if there are no specials at all, we can avoid copying | |
1308 | the string. */ | |
1309 | ||
1310 | while ((c = *t++) != 0) | |
1311 | { | |
1312 | len++; | |
1313 | if (!isalnum(c) && Ustrchr(ALWAYS_LITERAL, c) == NULL) count += 5; | |
1314 | } | |
1315 | if (count == 0) return s; | |
1316 | ||
1317 | /* Get sufficient store to hold the quoted string */ | |
1318 | ||
1319 | t = quoted = store_get(len + count + 1); | |
1320 | ||
1321 | /* Handle plain quote_ldap */ | |
1322 | ||
1323 | if (!dn) | |
1324 | { | |
1325 | while ((c = *s++) != 0) | |
1326 | { | |
1327 | if (!isalnum(c)) | |
1328 | { | |
1329 | if (Ustrchr(LDAP_QUOTE, c) != NULL) | |
1330 | { | |
1331 | sprintf(CS t, "%%5C%02X", c); /* e.g. * => %5C2A */ | |
1332 | t += 5; | |
1333 | continue; | |
1334 | } | |
1335 | if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */ | |
1336 | { | |
1337 | sprintf(CS t, "%%%02X", c); | |
1338 | t += 3; | |
1339 | continue; | |
1340 | } | |
1341 | } | |
1342 | *t++ = c; /* unquoted character */ | |
1343 | } | |
1344 | } | |
1345 | ||
1346 | /* Handle quote_ldap_dn */ | |
1347 | ||
1348 | else | |
1349 | { | |
1350 | uschar *ss = s + len; | |
1351 | ||
1352 | /* Find the last char before any trailing spaces */ | |
1353 | ||
1354 | while (ss > s && ss[-1] == ' ') ss--; | |
1355 | ||
1356 | /* Quote leading spaces and sharps */ | |
1357 | ||
1358 | for (; s < ss; s++) | |
1359 | { | |
1360 | if (*s != ' ' && *s != '#') break; | |
1361 | sprintf(CS t, "%%5C%%%02X", *s); | |
1362 | t += 6; | |
1363 | } | |
1364 | ||
1365 | /* Handle the rest of the string, up to the trailing spaces */ | |
1366 | ||
1367 | while (s < ss) | |
1368 | { | |
1369 | c = *s++; | |
1370 | if (!isalnum(c)) | |
1371 | { | |
1372 | if (Ustrchr(LDAP_DN_QUOTE, c) != NULL) | |
1373 | { | |
1374 | Ustrncpy(t, "%5C", 3); /* insert \ where needed */ | |
1375 | t += 3; /* fall through to check URL */ | |
1376 | } | |
1377 | if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */ | |
1378 | { | |
1379 | sprintf(CS t, "%%%02X", c); | |
1380 | t += 3; | |
1381 | continue; | |
1382 | } | |
1383 | } | |
1384 | *t++ = c; /* unquoted character, or non-URL quoted after %5C */ | |
1385 | } | |
1386 | ||
1387 | /* Handle the trailing spaces */ | |
1388 | ||
1389 | while (*ss++ != 0) | |
1390 | { | |
1391 | Ustrncpy(t, "%5C%20", 6); | |
1392 | t += 6; | |
1393 | } | |
1394 | } | |
1395 | ||
1396 | /* Terminate the new string and return */ | |
1397 | ||
1398 | *t = 0; | |
1399 | return quoted; | |
1400 | } | |
1401 | ||
1402 | #endif /* LOOKUP_LDAP */ | |
1403 | ||
1404 | /* End of lookups/ldap.c */ |