String handling: refactor the expanding-string routines and users to use a descriptor...
[exim.git] / src / src / lookups / ldap.c
CommitLineData
0756eb3c
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
0756eb3c
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Many thanks to Stuart Lynne for contributing the original code for this
4c04137d 9driver. Further contributions from Michael Haardt, Brian Candler, Barry
0756eb3c
PH
10Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for
11researching how to handle the different kinds of error. */
12
13
14#include "../exim.h"
15#include "lf_functions.h"
0756eb3c
PH
16
17
765b530f
PH
18/* Include LDAP headers. The code below uses some "old" LDAP interfaces that
19are deprecated in OpenLDAP. I don't know their status in other LDAP
20implementations. LDAP_DEPRECATED causes their prototypes to be defined in
21ldap.h. */
22
23#define LDAP_DEPRECATED 1
0756eb3c
PH
24
25#include <lber.h>
26#include <ldap.h>
27
28
29/* Annoyingly, the different LDAP libraries handle errors in different ways,
30and some other things too. There doesn't seem to be an automatic way of
31distinguishing between them. Local/Makefile should contain a setting of
32LDAP_LIB_TYPE, which in turn causes appropriate macros to be defined for the
33different kinds. Those that matter are:
34
35LDAP_LIB_NETSCAPE
36LDAP_LIB_SOLARIS with synonym LDAP_LIB_SOLARIS7
37LDAP_LIB_OPENLDAP2
38
39These others may be defined, but are in fact the default, so are not tested:
40
41LDAP_LIB_UMICHIGAN
42LDAP_LIB_OPENLDAP1
43*/
44
45#if defined(LDAP_LIB_SOLARIS7) && ! defined(LDAP_LIB_SOLARIS)
46#define LDAP_LIB_SOLARIS
47#endif
48
49
50/* Just in case LDAP_NO_LIMIT is not defined by some of these libraries. */
51
52#ifndef LDAP_NO_LIMIT
53#define LDAP_NO_LIMIT 0
54#endif
55
56
57/* Just in case LDAP_DEREF_NEVER is not defined */
58
59#ifndef LDAP_DEREF_NEVER
60#define LDAP_DEREF_NEVER 0
61#endif
62
63
0756eb3c
PH
64/* Four types of LDAP search are implemented */
65
66#define SEARCH_LDAP_MULTIPLE 0 /* Get attributes from multiple entries */
67#define SEARCH_LDAP_SINGLE 1 /* Get attributes from one entry only */
68#define SEARCH_LDAP_DN 2 /* Get just the DN from one entry */
69#define SEARCH_LDAP_AUTH 3 /* Just checking for authentication */
70
71/* In all 4 cases, the DN is left in $ldap_dn (which post-dates the
72SEARCH_LDAP_DN lookup). */
73
74
75/* Structure and anchor for caching connections. */
76
77typedef struct ldap_connection {
78 struct ldap_connection *next;
79 uschar *host;
80 uschar *user;
81 uschar *password;
82 BOOL bound;
83 int port;
a30a8861 84 BOOL is_start_tls_called;
0756eb3c
PH
85 LDAP *ld;
86} LDAP_CONNECTION;
87
88static LDAP_CONNECTION *ldap_connections = NULL;
89
90
91
92/*************************************************
93* Internal search function *
94*************************************************/
95
96/* This is the function that actually does the work. It is called (indirectly
97via control_ldap_search) from eldap_find(), eldapauth_find(), eldapdn_find(),
98and eldapm_find(), with a difference in the "search_type" argument.
99
100The case of eldapauth_find() is special in that all it does is do
101authentication, returning OK or FAIL as appropriate. This isn't used as a
102lookup. Instead, it is called from expand.c as an expansion condition test.
103
104The DN from a successful lookup is placed in $ldap_dn. This feature postdates
105the provision of the SEARCH_LDAP_DN facility for returning just the DN as the
106data.
107
108Arguments:
109 ldap_url the URL to be looked up
110 server server host name, when URL contains none
111 s_port server port, used when URL contains no name
112 search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries
113 SEARCH_LDAP_SINGLE allows values from one entry only
114 SEARCH_LDAP_DN gets the DN from one entry
115 res set to point at the result (not used for ldapauth)
116 errmsg set to point a message if result is not OK
117 defer_break set TRUE if no more servers to be tried after a DEFER
118 user user name for authentication, or NULL
119 password password for authentication, or NULL
120 sizelimit max number of entries returned, or 0 for no limit
121 timelimit max time to wait, or 0 for no limit
d00328e2 122 tcplimit max time for network activity, e.g. connect, or 0 for OS default
0756eb3c
PH
123 deference the dereference option, which is one of
124 LDAP_DEREF_{NEVER,SEARCHING,FINDING,ALWAYS}
6ec97b1b 125 referrals the referral option, which is LDAP_OPT_ON or LDAP_OPT_OFF
0756eb3c
PH
126
127Returns: OK or FAIL or DEFER
128 FAIL is given only if a lookup was performed successfully, but
129 returned no data.
130*/
131
132static int
55414b25
JH
133perform_ldap_search(const uschar *ldap_url, uschar *server, int s_port,
134 int search_type, uschar **res, uschar **errmsg, BOOL *defer_break,
135 uschar *user, uschar *password, int sizelimit, int timelimit, int tcplimit,
136 int dereference, void *referrals)
0756eb3c
PH
137{
138LDAPURLDesc *ludp = NULL;
139LDAPMessage *result = NULL;
140BerElement *ber;
141LDAP_CONNECTION *lcp;
142
143struct timeval timeout;
144struct timeval *timeoutptr = NULL;
145
146uschar *attr;
147uschar **attrp;
94e1f16d 148gstring * data = NULL;
0756eb3c
PH
149uschar *dn = NULL;
150uschar *host;
151uschar **values;
152uschar **firstval;
153uschar porttext[16];
154
155uschar *error1 = NULL; /* string representation of errcode (static) */
156uschar *error2 = NULL; /* error message from the server */
157uschar *matched = NULL; /* partially matched DN */
158
9494140a 159int attrs_requested = 0;
0756eb3c
PH
160int error_yield = DEFER;
161int msgid;
d38f8232 162int rc, ldap_rc, ldap_parse_rc;
0756eb3c 163int port;
0756eb3c 164int rescount = 0;
0756eb3c
PH
165BOOL attribute_found = FALSE;
166BOOL ldapi = FALSE;
167
168DEBUG(D_lookup)
169 debug_printf("perform_ldap_search: ldap%s URL = \"%s\" server=%s port=%d "
170 "sizelimit=%d timelimit=%d tcplimit=%d\n",
171 (search_type == SEARCH_LDAP_MULTIPLE)? "m" :
172 (search_type == SEARCH_LDAP_DN)? "dn" :
173 (search_type == SEARCH_LDAP_AUTH)? "auth" : "",
174 ldap_url, server, s_port, sizelimit, timelimit, tcplimit);
175
176/* Check if LDAP thinks the URL is a valid LDAP URL. We assume that if the LDAP
177library that is in use doesn't recognize, say, "ldapi", it will barf here. */
178
179if (!ldap_is_ldap_url(CS ldap_url))
180 {
181 *errmsg = string_sprintf("ldap_is_ldap_url: not an LDAP url \"%s\"\n",
182 ldap_url);
183 goto RETURN_ERROR_BREAK;
184 }
185
186/* Parse the URL */
187
188if ((rc = ldap_url_parse(CS ldap_url, &ludp)) != 0)
189 {
190 *errmsg = string_sprintf("ldap_url_parse: (error %d) parsing \"%s\"\n", rc,
191 ldap_url);
192 goto RETURN_ERROR_BREAK;
193 }
194
195/* If the host name is empty, take it from the separate argument, if one is
196given. OpenLDAP 2.0.6 sets an unset hostname to "" rather than empty, but
197expects NULL later in ldap_init() to mean "default", annoyingly. In OpenLDAP
1982.0.11 this has changed (it uses NULL). */
199
200if ((ludp->lud_host == NULL || ludp->lud_host[0] == 0) && server != NULL)
201 {
202 host = server;
203 port = s_port;
204 }
205else
206 {
207 host = US ludp->lud_host;
208 if (host != NULL && host[0] == 0) host = NULL;
209 port = ludp->lud_port;
210 }
211
212DEBUG(D_lookup) debug_printf("after ldap_url_parse: host=%s port=%d\n",
213 host, port);
214
215if (port == 0) port = LDAP_PORT; /* Default if none given */
216sprintf(CS porttext, ":%d", port); /* For messages */
217
218/* If the "host name" is actually a path, we are going to connect using a Unix
219socket, regardless of whether "ldapi" was actually specified or not. This means
220that a Unix socket can be declared in eldap_default_servers, and "traditional"
221LDAP queries using just "ldap" can be used ("ldaps" is similarly overridden).
222The path may start with "/" or it may already be escaped as "%2F" if it was
223actually declared that way in eldap_default_servers. (I did it that way the
224first time.) If the host name is not a path, the use of "ldapi" causes an
225error, except in the default case. (But lud_scheme doesn't seem to exist in
226older libraries.) */
227
228if (host != NULL)
229 {
230 if ((host[0] == '/' || Ustrncmp(host, "%2F", 3) == 0))
231 {
232 ldapi = TRUE;
233 porttext[0] = 0; /* Remove port from messages */
234 }
235
236 #if defined LDAP_LIB_OPENLDAP2
237 else if (strncmp(ludp->lud_scheme, "ldapi", 5) == 0)
238 {
239 *errmsg = string_sprintf("ldapi requires an absolute path (\"%s\" given)",
240 host);
241 goto RETURN_ERROR;
242 }
243 #endif
244 }
245
246/* Count the attributes; we need this later to tell us how to format results */
247
248for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++)
9494140a 249 attrs_requested++;
0756eb3c
PH
250
251/* See if we can find a cached connection to this host. The port is not
252relevant for ldapi. The host name pointer is set to NULL if no host was given
253(implying the library default), rather than to the empty string. Note that in
254this case, there is no difference between ldap and ldapi. */
255
256for (lcp = ldap_connections; lcp != NULL; lcp = lcp->next)
257 {
258 if ((host == NULL) != (lcp->host == NULL) ||
259 (host != NULL && strcmpic(lcp->host, host) != 0))
260 continue;
261 if (ldapi || port == lcp->port) break;
262 }
263
d00328e2
PH
264/* Use this network timeout in any requests. */
265
266if (tcplimit > 0)
267 {
268 timeout.tv_sec = tcplimit;
269 timeout.tv_usec = 0;
270 timeoutptr = &timeout;
271 }
272
0756eb3c
PH
273/* If no cached connection found, we must open a connection to the server. If
274the server name is actually an absolute path, we set ldapi=TRUE above. This
275requests connection via a Unix socket. However, as far as I know, only OpenLDAP
276supports the use of sockets, and the use of ldap_initialize(). */
277
278if (lcp == NULL)
279 {
280 LDAP *ld;
281
5428a946
TL
282 #ifdef LDAP_OPT_X_TLS_NEWCTX
283 int am_server = 0;
284 LDAP *ldsetctx;
285 #else
286 LDAP *ldsetctx = NULL;
287 #endif
288
0756eb3c
PH
289
290 /* --------------------------- OpenLDAP ------------------------ */
291
292 /* There seems to be a preference under OpenLDAP for ldap_initialize()
293 instead of ldap_init(), though I have as yet been unable to find
294 documentation that says this. (OpenLDAP documentation is sparse to
295 non-existent). So we handle OpenLDAP differently here. Also, support for
296 ldapi seems to be OpenLDAP-only at present. */
297
298 #ifdef LDAP_LIB_OPENLDAP2
299
300 /* We now need an empty string for the default host. Get some store in which
301 to build a URL for ldap_initialize(). In the ldapi case, it can't be bigger
302 than (9 + 3*Ustrlen(shost)), whereas in the other cases it can't be bigger
303 than the host name + "ldaps:///" plus : and a port number, say 20 + the
304 length of the host name. What we get should accommodate both, easily. */
305
306 uschar *shost = (host == NULL)? US"" : host;
307 uschar *init_url = store_get(20 + 3 * Ustrlen(shost));
308 uschar *init_ptr;
309
310 /* Handle connection via Unix socket ("ldapi"). We build a basic LDAP URI to
311 contain the path name, with slashes escaped as %2F. */
312
313 if (ldapi)
314 {
315 int ch;
316 init_ptr = init_url + 8;
317 Ustrcpy(init_url, "ldapi://");
318 while ((ch = *shost++) != 0)
319 {
320 if (ch == '/')
321 {
322 Ustrncpy(init_ptr, "%2F", 3);
323 init_ptr += 3;
324 }
325 else *init_ptr++ = ch;
326 }
327 *init_ptr = 0;
328 }
329
330 /* This is not an ldapi call. Just build a URI with the protocol type, host
331 name, and port. */
332
333 else
334 {
335 init_ptr = Ustrchr(ldap_url, '/');
336 Ustrncpy(init_url, ldap_url, init_ptr - ldap_url);
337 init_ptr = init_url + (init_ptr - ldap_url);
338 sprintf(CS init_ptr, "//%s:%d/", shost, port);
339 }
340
341 /* Call ldap_initialize() and check the result */
342
343 DEBUG(D_lookup) debug_printf("ldap_initialize with URL %s\n", init_url);
344 rc = ldap_initialize(&ld, CS init_url);
345 if (rc != LDAP_SUCCESS)
346 {
347 *errmsg = string_sprintf("ldap_initialize: (error %d) URL \"%s\"\n",
348 rc, init_url);
349 goto RETURN_ERROR;
350 }
351 store_reset(init_url); /* Might as well save memory when we can */
352
353
354 /* ------------------------- Not OpenLDAP ---------------------- */
355
356 /* For libraries other than OpenLDAP, use ldap_init(). */
357
358 #else /* LDAP_LIB_OPENLDAP2 */
359 ld = ldap_init(CS host, port);
360 #endif /* LDAP_LIB_OPENLDAP2 */
361
362 /* -------------------------------------------------------------- */
363
364
365 /* Handle failure to initialize */
366
367 if (ld == NULL)
368 {
369 *errmsg = string_sprintf("failed to initialize for LDAP server %s%s - %s",
370 host, porttext, strerror(errno));
371 goto RETURN_ERROR;
372 }
373
5428a946
TL
374 #ifdef LDAP_OPT_X_TLS_NEWCTX
375 ldsetctx = ld;
376 #endif
377
0756eb3c
PH
378 /* Set the TCP connect time limit if available. This is something that is
379 in Netscape SDK v4.1; I don't know about other libraries. */
380
381 #ifdef LDAP_X_OPT_CONNECT_TIMEOUT
7c7ad977
PH
382 if (tcplimit > 0)
383 {
994a09e9 384 int timeout1000 = tcplimit*1000;
7c7ad977
PH
385 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000);
386 }
994a09e9
PH
387 else
388 {
389 int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT;
390 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&notimeout);
391 }
0756eb3c
PH
392 #endif
393
7c7ad977
PH
394 /* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */
395
396 #ifdef LDAP_OPT_NETWORK_TIMEOUT
397 if (tcplimit > 0)
398 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr);
8e669ac1 399 #endif
7c7ad977 400
0756eb3c
PH
401 /* I could not get TLS to work until I set the version to 3. That version
402 seems to be the default nowadays. The RFC is dated 1997, so I would hope
403 that all the LDAP libraries support it. Therefore, if eldap_version hasn't
404 been set, go for v3 if we can. */
405
406 if (eldap_version < 0)
407 {
408 #ifdef LDAP_VERSION3
409 eldap_version = LDAP_VERSION3;
410 #else
411 eldap_version = 2;
412 #endif
413 }
414
415 #ifdef LDAP_OPT_PROTOCOL_VERSION
416 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *)&eldap_version);
417 #endif
418
419 DEBUG(D_lookup) debug_printf("initialized for LDAP (v%d) server %s%s\n",
420 eldap_version, host, porttext);
421
422 /* If not using ldapi and TLS is available, set appropriate TLS options: hard
423 for "ldaps" and soft otherwise. */
424
425 #ifdef LDAP_OPT_X_TLS
426 if (!ldapi)
427 {
428 int tls_option;
33382dd9
TL
429 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
430 if (eldap_require_cert != NULL)
431 {
432 tls_option = LDAP_OPT_X_TLS_NEVER;
433 if (Ustrcmp(eldap_require_cert, "hard") == 0)
434 {
435 tls_option = LDAP_OPT_X_TLS_HARD;
436 }
437 else if (Ustrcmp(eldap_require_cert, "demand") == 0)
438 {
439 tls_option = LDAP_OPT_X_TLS_DEMAND;
440 }
441 else if (Ustrcmp(eldap_require_cert, "allow") == 0)
442 {
443 tls_option = LDAP_OPT_X_TLS_ALLOW;
444 }
445 else if (Ustrcmp(eldap_require_cert, "try") == 0)
446 {
447 tls_option = LDAP_OPT_X_TLS_TRY;
448 }
449 DEBUG(D_lookup)
450 debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
451 tls_option);
452 }
453 else
454 #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
0756eb3c
PH
455 if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
456 {
457 tls_option = LDAP_OPT_X_TLS_HARD;
33382dd9
TL
458 DEBUG(D_lookup)
459 debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
0756eb3c
PH
460 }
461 else
462 {
463 tls_option = LDAP_OPT_X_TLS_TRY;
33382dd9
TL
464 DEBUG(D_lookup)
465 debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
0756eb3c
PH
466 }
467 ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
468 }
469 #endif /* LDAP_OPT_X_TLS */
470
bc19a55b
PP
471 #ifdef LDAP_OPT_X_TLS_CACERTFILE
472 if (eldap_ca_cert_file != NULL)
473 {
5428a946 474 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
bc19a55b
PP
475 }
476 #endif
477 #ifdef LDAP_OPT_X_TLS_CACERTDIR
478 if (eldap_ca_cert_dir != NULL)
479 {
5428a946 480 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
bc19a55b
PP
481 }
482 #endif
483 #ifdef LDAP_OPT_X_TLS_CERTFILE
484 if (eldap_cert_file != NULL)
485 {
5428a946 486 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
bc19a55b
PP
487 }
488 #endif
489 #ifdef LDAP_OPT_X_TLS_KEYFILE
490 if (eldap_cert_key != NULL)
491 {
5428a946 492 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
bc19a55b
PP
493 }
494 #endif
495 #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
496 if (eldap_cipher_suite != NULL)
497 {
5428a946 498 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
bc19a55b
PP
499 }
500 #endif
501 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
502 if (eldap_require_cert != NULL)
503 {
504 int cert_option = LDAP_OPT_X_TLS_NEVER;
505 if (Ustrcmp(eldap_require_cert, "hard") == 0)
506 {
507 cert_option = LDAP_OPT_X_TLS_HARD;
508 }
509 else if (Ustrcmp(eldap_require_cert, "demand") == 0)
510 {
511 cert_option = LDAP_OPT_X_TLS_DEMAND;
512 }
513 else if (Ustrcmp(eldap_require_cert, "allow") == 0)
514 {
515 cert_option = LDAP_OPT_X_TLS_ALLOW;
516 }
517 else if (Ustrcmp(eldap_require_cert, "try") == 0)
518 {
519 cert_option = LDAP_OPT_X_TLS_TRY;
520 }
5428a946
TL
521 /* This ldap handle is set at compile time based on client libs. Older
522 * versions want it to be global and newer versions can force a reload
523 * of the TLS context (to reload these settings we are changing from the
524 * default that loaded at instantiation). */
525 rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
526 if (rc)
527 {
528 DEBUG(D_lookup)
529 debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
530 cert_option, ldap_err2string(rc));
531 }
532 }
533 #endif
534 #ifdef LDAP_OPT_X_TLS_NEWCTX
535 rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
536 if (rc)
537 {
538 DEBUG(D_lookup)
539 debug_printf("Unable to reload TLS context %d: %s\n",
540 rc, ldap_err2string(rc));
bc19a55b
PP
541 }
542 #endif
543
0756eb3c
PH
544 /* Now add this connection to the chain of cached connections */
545
546 lcp = store_get(sizeof(LDAP_CONNECTION));
547 lcp->host = (host == NULL)? NULL : string_copy(host);
548 lcp->bound = FALSE;
549 lcp->user = NULL;
550 lcp->password = NULL;
551 lcp->port = port;
552 lcp->ld = ld;
553 lcp->next = ldap_connections;
a30a8861 554 lcp->is_start_tls_called = FALSE;
0756eb3c
PH
555 ldap_connections = lcp;
556 }
557
558/* Found cached connection */
559
560else
561 {
562 DEBUG(D_lookup)
563 debug_printf("re-using cached connection to LDAP server %s%s\n",
564 host, porttext);
565 }
566
567/* Bind with the user/password supplied, or an anonymous bind if these values
568are NULL, unless a cached connection is already bound with the same values. */
569
570if (!lcp->bound ||
571 (lcp->user == NULL && user != NULL) ||
572 (lcp->user != NULL && user == NULL) ||
573 (lcp->user != NULL && user != NULL && Ustrcmp(lcp->user, user) != 0) ||
574 (lcp->password == NULL && password != NULL) ||
575 (lcp->password != NULL && password == NULL) ||
576 (lcp->password != NULL && password != NULL &&
577 Ustrcmp(lcp->password, password) != 0))
578 {
579 DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
580 (lcp->bound)? "re-" : "", user, password);
b738dd0f 581 if (eldap_start_tls && !lcp->is_start_tls_called && !ldapi)
bc19a55b 582 {
d13cdd30
PP
583#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
584 /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
585 * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
586 * export an ldap_start_tls_s symbol.
587 */
588 if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
589 {
590 *errmsg = string_sprintf("failed to initiate TLS processing on an "
591 "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
592 " %s", host, porttext, rc, ldap_err2string(rc));
593 goto RETURN_ERROR;
594 }
a30a8861 595 lcp->is_start_tls_called = TRUE;
d13cdd30
PP
596#else
597 DEBUG(D_lookup)
598 debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
867fcbf5 599#endif
d13cdd30 600 }
7c7ad977
PH
601 if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
602 == -1)
0756eb3c 603 {
7c7ad977 604 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
d00328e2 605 "%s%s - ldap_bind() returned -1", host, porttext);
7c7ad977
PH
606 goto RETURN_ERROR;
607 }
0756eb3c 608
7c7ad977
PH
609 if ((rc = ldap_result( lcp->ld, msgid, 1, timeoutptr, &result )) <= 0)
610 {
611 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
8e669ac1 612 "%s%s - LDAP error: %s", host, porttext,
7c7ad977
PH
613 rc == -1 ? "result retrieval failed" : "timeout" );
614 result = NULL;
615 goto RETURN_ERROR;
616 }
617
618 rc = ldap_result2error( lcp->ld, result, 0 );
619
620 /* Invalid credentials when just checking credentials returns FAIL. This
621 stops any further servers being tried. */
0756eb3c 622
7c7ad977
PH
623 if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS)
624 {
625 DEBUG(D_lookup)
626 debug_printf("Invalid credentials: ldapauth returns FAIL\n");
627 error_yield = FAIL;
628 goto RETURN_ERROR_NOMSG;
629 }
0756eb3c 630
7c7ad977
PH
631 /* Otherwise we have a problem that doesn't stop further servers from being
632 tried. */
633
634 if (rc != LDAP_SUCCESS)
635 {
0756eb3c
PH
636 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
637 "%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc));
638 goto RETURN_ERROR;
639 }
640
641 /* Successful bind */
642
643 lcp->bound = TRUE;
644 lcp->user = (user == NULL)? NULL : string_copy(user);
645 lcp->password = (password == NULL)? NULL : string_copy(password);
7c7ad977
PH
646
647 ldap_msgfree(result);
648 result = NULL;
0756eb3c
PH
649 }
650
651/* If we are just checking credentials, return OK. */
652
653if (search_type == SEARCH_LDAP_AUTH)
654 {
655 DEBUG(D_lookup) debug_printf("Bind succeeded: ldapauth returns OK\n");
656 goto RETURN_OK;
657 }
658
659/* Before doing the search, set the time and size limits (if given). Here again
660the different implementations of LDAP have chosen to do things differently. */
661
662#if defined(LDAP_OPT_SIZELIMIT)
663ldap_set_option(lcp->ld, LDAP_OPT_SIZELIMIT, (void *)&sizelimit);
664ldap_set_option(lcp->ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit);
665#else
666lcp->ld->ld_sizelimit = sizelimit;
667lcp->ld->ld_timelimit = timelimit;
668#endif
669
670/* Similarly for dereferencing aliases. Don't know if this is possible on
671an LDAP library without LDAP_OPT_DEREF. */
672
673#if defined(LDAP_OPT_DEREF)
674ldap_set_option(lcp->ld, LDAP_OPT_DEREF, (void *)&dereference);
675#endif
676
6ec97b1b
PH
677/* Similarly for the referral setting; should the library follow referrals that
678the LDAP server returns? The conditional is just in case someone uses a library
679without it. */
680
681#if defined(LDAP_OPT_REFERRALS)
682ldap_set_option(lcp->ld, LDAP_OPT_REFERRALS, referrals);
683#endif
684
0756eb3c
PH
685/* Start the search on the server. */
686
687DEBUG(D_lookup) debug_printf("Start search\n");
688
689msgid = ldap_search(lcp->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter,
690 ludp->lud_attrs, 0);
691
692if (msgid == -1)
693 {
3ca0ba97
PH
694 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
695 int err;
696 ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
8e669ac1 697 *errmsg = string_sprintf("ldap_search failed: %d, %s", err,
3ca0ba97 698 ldap_err2string(err));
8e669ac1
PH
699
700 #else
3ca0ba97
PH
701 *errmsg = string_sprintf("ldap_search failed");
702 #endif
8e669ac1 703
0756eb3c
PH
704 goto RETURN_ERROR;
705 }
706
707/* Loop to pick up results as they come in, setting a timeout if one was
708given. */
709
0756eb3c
PH
710while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
711 LDAP_RES_SEARCH_ENTRY)
712 {
713 LDAPMessage *e;
bb4fd71d
HSHR
714 int valuecount; /* We can see an attr spread across several
715 entries. If B is derived from A and we request
716 A and the directory contains both, A and B,
717 then we get two entries, one for A and one for B.
718 Here we just count the values per entry */
0756eb3c 719
694678d0 720 DEBUG(D_lookup) debug_printf("LDAP result loop\n");
0756eb3c 721
bb4fd71d 722 for(e = ldap_first_entry(lcp->ld, result), valuecount = 0;
94e1f16d 723 e;
0756eb3c
PH
724 e = ldap_next_entry(lcp->ld, e))
725 {
726 uschar *new_dn;
727 BOOL insert_space = FALSE;
728
729 DEBUG(D_lookup) debug_printf("LDAP entry loop\n");
730
731 rescount++; /* Count results */
732
733 /* Results for multiple entries values are separated by newlines. */
734
94e1f16d 735 if (data) data = string_catn(data, US"\n", 1);
0756eb3c
PH
736
737 /* Get the DN from the last result. */
738
739 new_dn = US ldap_get_dn(lcp->ld, e);
740 if (new_dn != NULL)
741 {
742 if (dn != NULL)
743 {
744 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
745 ldap_memfree(dn);
746 #else /* OPENLDAP 1, UMich, Solaris */
747 free(dn);
748 #endif
749 }
750 /* Save for later */
751 dn = new_dn;
752 }
753
754 /* If the data we want is actually the DN rather than any attribute values,
755 (an "ldapdn" search) add it to the data string. If there are multiple
756 entries, the DNs will be concatenated, but we test for this case below, as
757 for SEARCH_LDAP_SINGLE, and give an error. */
758
759 if (search_type == SEARCH_LDAP_DN) /* Do not amalgamate these into one */
760 { /* condition, because of the else */
761 if (new_dn != NULL) /* below, that's for the first only */
762 {
94e1f16d
JH
763 data = string_cat(data, new_dn);
764 (void) string_from_gstring(data);
0756eb3c
PH
765 attribute_found = TRUE;
766 }
767 }
768
769 /* Otherwise, loop through the entry, grabbing attribute values. If there's
770 only one attribute being retrieved, no attribute name is given, and the
3a2ac12b 771 result is not quoted. Multiple values are separated by (comma).
0756eb3c 772 If more than one attribute is being retrieved, the data is given as a
3a2ac12b
HSHR
773 sequence of name=value pairs, separated by (space), with the value always in quotes.
774 If there are multiple values, they are given within the quotes, comma separated. */
0756eb3c
PH
775
776 else for (attr = US ldap_first_attribute(lcp->ld, e, &ber);
94e1f16d 777 attr; attr = US ldap_next_attribute(lcp->ld, e, ber))
0756eb3c 778 {
694678d0 779 DEBUG(D_lookup) debug_printf("LDAP attr loop\n");
bb4fd71d
HSHR
780
781 /* In case of attrs_requested == 1 we just count the values, in all other cases
782 (0, >1) we count the values per attribute */
783 if (attrs_requested != 1) valuecount = 0;
784
0756eb3c
PH
785 if (attr[0] != 0)
786 {
787 /* Get array of values for this attribute. */
788
94e1f16d 789 if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr)))
0756eb3c 790 {
9494140a
HSHR
791
792 if (attrs_requested != 1)
0756eb3c
PH
793 {
794 if (insert_space)
94e1f16d 795 data = string_catn(data, US" ", 1);
0756eb3c
PH
796 else
797 insert_space = TRUE;
94e1f16d
JH
798 data = string_cat(data, attr);
799 data = string_catn(data, US"=\"", 2);
0756eb3c
PH
800 }
801
94e1f16d 802 while (*values)
0756eb3c
PH
803 {
804 uschar *value = *values;
805 int len = Ustrlen(value);
bb4fd71d 806 ++valuecount;
0756eb3c 807
694678d0
HSHR
808 DEBUG(D_lookup) debug_printf("LDAP value loop %s:%s\n", attr, value);
809
734e448e
HSHR
810 /* In case we requested one attribute only but got several times
811 into that attr loop, we need to append the additional values.
812 (This may happen if you derive attributeTypes B and C from A and
813 then query for A.) In all other cases we detect the different
814 attribute and append only every non first value. */
0756eb3c 815
bb4fd71d 816 if (data && valuecount > 1)
94e1f16d 817 data = string_catn(data, US",", 1);
0756eb3c
PH
818
819 /* For multiple attributes, the data is in quotes. We must escape
7bba24eb 820 internal quotes, backslashes, newlines, and must double commas. */
0756eb3c 821
9494140a 822 if (attrs_requested != 1)
0756eb3c
PH
823 {
824 int j;
825 for (j = 0; j < len; j++)
826 {
827 if (value[j] == '\n')
94e1f16d 828 data = string_catn(data, US"\\n", 2);
7bba24eb 829 else if (value[j] == ',')
94e1f16d 830 data = string_catn(data, US",,", 2);
0756eb3c
PH
831 else
832 {
833 if (value[j] == '\"' || value[j] == '\\')
94e1f16d
JH
834 data = string_catn(data, US"\\", 1);
835 data = string_catn(data, value+j, 1);
0756eb3c
PH
836 }
837 }
838 }
839
7bba24eb
JH
840 /* For single attributes, just double commas */
841
842 else
843 {
844 int j;
845 for (j = 0; j < len; j++)
7bba24eb 846 if (value[j] == ',')
94e1f16d 847 data = string_catn(data, US",,", 2);
7bba24eb 848 else
94e1f16d 849 data = string_catn(data, value+j, 1);
7bba24eb 850 }
0756eb3c 851
0756eb3c
PH
852
853 /* Move on to the next value */
854
855 values++;
856 attribute_found = TRUE;
857 }
858
859 /* Closing quote at the end of the data for a named attribute. */
860
9494140a 861 if (attrs_requested != 1)
94e1f16d 862 data = string_catn(data, US"\"", 1);
0756eb3c
PH
863
864 /* Free the values */
865
866 ldap_value_free(CSS firstval);
867 }
868 }
869
870 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
871
872 /* Netscape and OpenLDAP2 LDAP's attrs are dynamically allocated and need
873 to be freed. UMich LDAP stores them in static storage and does not require
874 this. */
875
876 ldap_memfree(attr);
877 #endif
878 } /* End "for" loop for extracting attributes from an entry */
879 } /* End "for" loop for extracting entries from a result */
880
881 /* Free the result */
882
883 ldap_msgfree(result);
884 result = NULL;
885 } /* End "while" loop for multiple results */
886
887/* Terminate the dynamic string that we have built and reclaim unused store */
888
94e1f16d 889if (data)
0756eb3c 890 {
94e1f16d
JH
891 (void) string_from_gstring(data);
892 store_reset(data->s + data->ptr + 1);
0756eb3c
PH
893 }
894
895/* Copy the last dn into eldap_dn */
896
94e1f16d 897if (dn)
0756eb3c
PH
898 {
899 eldap_dn = string_copy(dn);
900 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
901 ldap_memfree(dn);
902 #else /* OPENLDAP 1, UMich, Solaris */
903 free(dn);
904 #endif
905 }
906
907DEBUG(D_lookup) debug_printf("search ended by ldap_result yielding %d\n",rc);
908
909if (rc == 0)
910 {
911 *errmsg = US"ldap_result timed out";
912 goto RETURN_ERROR;
913 }
914
915/* A return code of -1 seems to mean "ldap_result failed internally or couldn't
916provide you with a message". Other error states seem to exist where
917ldap_result() didn't give us any message from the server at all, leaving result
918set to NULL. Apparently, "the error parameters of the LDAP session handle will
919be set accordingly". That's the best we can do to retrieve an error status; we
920can't use functions like ldap_result2error because they parse a message from
921the server, which we didn't get.
922
923Annoyingly, the different implementations of LDAP have gone for different
924methods of handling error codes and generating error messages. */
925
926if (rc == -1 || result == NULL)
927 {
928 int err;
929 DEBUG(D_lookup) debug_printf("ldap_result failed\n");
930
931 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
932 ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
933 *errmsg = string_sprintf("ldap_result failed: %d, %s",
934 err, ldap_err2string(err));
935
936 #elif defined LDAP_LIB_NETSCAPE
937 /* Dubious (surely 'matched' is spurious here?) */
938 (void)ldap_get_lderrno(lcp->ld, &matched, &error1);
939 *errmsg = string_sprintf("ldap_result failed: %s (%s)", error1, matched);
940
941 #else /* UMich LDAP aka OpenLDAP 1.x */
942 *errmsg = string_sprintf("ldap_result failed: %d, %s",
943 lcp->ld->ld_errno, ldap_err2string(lcp->ld->ld_errno));
944 #endif
945
946 goto RETURN_ERROR;
947 }
948
949/* A return code that isn't -1 doesn't necessarily mean there were no problems
8e669ac1
PH
950with the search. The message must be an LDAP_RES_SEARCH_RESULT or
951LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
952of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
3295e65b
PH
953we don't provide that functionality when we can't. :-) */
954
8e669ac1 955if (rc != LDAP_RES_SEARCH_RESULT
3295e65b
PH
956#ifdef LDAP_RES_SEARCH_REFERENCE
957 && rc != LDAP_RES_SEARCH_REFERENCE
8e669ac1 958#endif
3295e65b 959 )
0756eb3c
PH
960 {
961 *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
962 goto RETURN_ERROR;
963 }
964
965/* We have a result message from the server. This doesn't yet mean all is well.
966We need to parse the message to find out exactly what's happened. */
967
d38f8232
PH
968#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
969 ldap_rc = rc;
8e669ac1 970 ldap_parse_rc = ldap_parse_result(lcp->ld, result, &rc, CSS &matched,
d38f8232
PH
971 CSS &error2, NULL, NULL, 0);
972 DEBUG(D_lookup) debug_printf("ldap_parse_result: %d\n", ldap_parse_rc);
8e669ac1 973 if (ldap_parse_rc < 0 &&
3295e65b 974 (ldap_parse_rc != LDAP_NO_RESULTS_RETURNED
8e669ac1 975 #ifdef LDAP_RES_SEARCH_REFERENCE
3295e65b 976 || ldap_rc != LDAP_RES_SEARCH_REFERENCE
8e669ac1 977 #endif
3295e65b 978 ))
0756eb3c 979 {
d38f8232 980 *errmsg = string_sprintf("ldap_parse_result failed %d", ldap_parse_rc);
0756eb3c
PH
981 goto RETURN_ERROR;
982 }
983 error1 = US ldap_err2string(rc);
984
985#elif defined LDAP_LIB_NETSCAPE
986 /* Dubious (it doesn't reference 'result' at all!) */
987 rc = ldap_get_lderrno(lcp->ld, &matched, &error1);
988
989#else /* UMich LDAP aka OpenLDAP 1.x */
990 rc = ldap_result2error(lcp->ld, result, 0);
991 error1 = ldap_err2string(rc);
992 error2 = lcp->ld->ld_error;
993 matched = lcp->ld->ld_matched;
994#endif
995
996/* Process the status as follows:
997
998 (1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the
999 truncated result list.
1000
21eb6e72
PH
1001 (2) If we get LDAP_RES_SEARCH_REFERENCE, also just carry on. This was a
1002 submitted patch that is reported to "do the right thing" with Solaris
1003 LDAP libraries. (The problem it addresses apparently does not occur with
1004 Open LDAP.)
1005
1006 (3) The range of errors defined by LDAP_NAME_ERROR generally mean "that
0756eb3c
PH
1007 object does not, or cannot, exist in the database". For those cases we
1008 fail the lookup.
1009
21eb6e72 1010 (4) All other non-successes here are treated as some kind of problem with
0756eb3c
PH
1011 the lookup, so return DEFER (which is the default in error_yield).
1012*/
1013
1014DEBUG(D_lookup) debug_printf("ldap_parse_result yielded %d: %s\n",
1015 rc, ldap_err2string(rc));
1016
21eb6e72
PH
1017if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED
1018 #ifdef LDAP_RES_SEARCH_REFERENCE
1019 && rc != LDAP_RES_SEARCH_REFERENCE
1020 #endif
1021 )
0756eb3c
PH
1022 {
1023 *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
1024 rc,
1025 (error1 != NULL)? error1 : US"",
1026 (error2 != NULL && error2[0] != 0)? US"/" : US"",
1027 (error2 != NULL)? error2 : US"",
1028 (matched != NULL && matched[0] != 0)? US"/" : US"",
1029 (matched != NULL)? matched : US"");
1030
1031 #if defined LDAP_NAME_ERROR
1032 if (LDAP_NAME_ERROR(rc))
1033 #elif defined NAME_ERROR /* OPENLDAP1 calls it this */
1034 if (NAME_ERROR(rc))
1035 #else
1036 if (rc == LDAP_NO_SUCH_OBJECT)
1037 #endif
1038
1039 {
1040 DEBUG(D_lookup) debug_printf("lookup failure forced\n");
1041 error_yield = FAIL;
1042 }
1043 goto RETURN_ERROR;
1044 }
1045
1046/* The search succeeded. Check if we have too many results */
1047
1048if (search_type != SEARCH_LDAP_MULTIPLE && rescount > 1)
1049 {
1050 *errmsg = string_sprintf("LDAP search: more than one entry (%d) was returned "
1051 "(filter not specific enough?)", rescount);
1052 goto RETURN_ERROR_BREAK;
1053 }
1054
1055/* Check if we have too few (zero) entries */
1056
1057if (rescount < 1)
1058 {
1059 *errmsg = string_sprintf("LDAP search: no results");
1060 error_yield = FAIL;
1061 goto RETURN_ERROR_BREAK;
1062 }
1063
1064/* If an entry was found, but it had no attributes, we behave as if no entries
1065were found, that is, the lookup failed. */
1066
1067if (!attribute_found)
1068 {
1069 *errmsg = US"LDAP search: found no attributes";
1070 error_yield = FAIL;
1071 goto RETURN_ERROR;
1072 }
1073
1074/* Otherwise, it's all worked */
1075
94e1f16d
JH
1076DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s);
1077*res = data->s;
0756eb3c
PH
1078
1079RETURN_OK:
1080if (result != NULL) ldap_msgfree(result);
1081ldap_free_urldesc(ludp);
1082return OK;
1083
1084/* Error returns */
1085
1086RETURN_ERROR_BREAK:
1087*defer_break = TRUE;
1088
1089RETURN_ERROR:
1090DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1091
1092RETURN_ERROR_NOMSG:
1093if (result != NULL) ldap_msgfree(result);
1094if (ludp != NULL) ldap_free_urldesc(ludp);
1095
1096#if defined LDAP_LIB_OPENLDAP2
1097 if (error2 != NULL) ldap_memfree(error2);
1098 if (matched != NULL) ldap_memfree(matched);
1099#endif
1100
1101return error_yield;
1102}
1103
1104
1105
1106/*************************************************
1107* Internal search control function *
1108*************************************************/
1109
1110/* This function is called from eldap_find(), eldapauth_find(), eldapdn_find(),
1111and eldapm_find() with a difference in the "search_type" argument. It controls
1112calls to perform_ldap_search() which actually does the work. We call that
1113repeatedly for certain types of defer in the case when the URL contains no host
1114name and eldap_default_servers is set to a list of servers to try. This gives
1115more control than just passing over a list of hosts to ldap_open() because it
1116handles other kinds of defer as well as just a failure to open. Note that the
1117URL is defined to contain either zero or one "hostport" only.
1118
1119Parameter data in addition to the URL can be passed as preceding text in the
1120string, as items of the form XXX=yyy. The URL itself can be detected because it
1121must begin "ldapx://", where x is empty, s, or i.
1122
1123Arguments:
1124 ldap_url the URL to be looked up, optionally preceded by other parameter
1125 settings
1126 search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries
1127 SEARCH_LDAP_SINGLE allows values from one entry only
1128 SEARCH_LDAP_DN gets the DN from one entry
1129 res set to point at the result
1130 errmsg set to point a message if result is not OK
1131
1132Returns: OK or FAIL or DEFER
1133*/
1134
1135static int
55414b25 1136control_ldap_search(const uschar *ldap_url, int search_type, uschar **res,
0756eb3c
PH
1137 uschar **errmsg)
1138{
1139BOOL defer_break = FALSE;
1140int timelimit = LDAP_NO_LIMIT;
1141int sizelimit = LDAP_NO_LIMIT;
7c7ad977 1142int tcplimit = 0;
0756eb3c 1143int sep = 0;
6ec97b1b
PH
1144int dereference = LDAP_DEREF_NEVER;
1145void* referrals = LDAP_OPT_ON;
55414b25
JH
1146const uschar *url = ldap_url;
1147const uschar *p;
0756eb3c
PH
1148uschar *user = NULL;
1149uschar *password = NULL;
deae092e 1150uschar *local_servers = NULL;
55414b25
JH
1151uschar *server;
1152const uschar *list;
0756eb3c
PH
1153uschar buffer[512];
1154
1155while (isspace(*url)) url++;
1156
1157/* Until the string begins "ldap", search for the other parameter settings that
1158are recognized. They are of the form NAME=VALUE, with the value being
1159optionally double-quoted. There must still be a space after it, however. No
1160NAME has the value "ldap". */
1161
1162while (strncmpic(url, US"ldap", 4) != 0)
1163 {
55414b25 1164 const uschar *name = url;
0756eb3c
PH
1165 while (*url != 0 && *url != '=') url++;
1166 if (*url == '=')
1167 {
1168 int namelen;
1169 uschar *value;
1170 namelen = ++url - name;
1171 value = string_dequote(&url);
1172 if (isspace(*url))
1173 {
1174 if (strncmpic(name, US"USER=", namelen) == 0) user = value;
1175 else if (strncmpic(name, US"PASS=", namelen) == 0) password = value;
1176 else if (strncmpic(name, US"SIZE=", namelen) == 0) sizelimit = Uatoi(value);
1177 else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
7c7ad977
PH
1178 else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
1179 else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
deae092e 1180 else if (strncmpic(name, US"SERVERS=", namelen) == 0) local_servers = value;
0756eb3c
PH
1181
1182 /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
1183
1184 #ifdef LDAP_OPT_DEREF
1185 else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
1186 {
1187 if (strcmpic(value, US"never") == 0) dereference = LDAP_DEREF_NEVER;
1188 else if (strcmpic(value, US"searching") == 0)
1189 dereference = LDAP_DEREF_SEARCHING;
1190 else if (strcmpic(value, US"finding") == 0)
1191 dereference = LDAP_DEREF_FINDING;
1192 if (strcmpic(value, US"always") == 0) dereference = LDAP_DEREF_ALWAYS;
1193 }
1194 #else
1195 else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
1196 {
1197 *errmsg = string_sprintf("LDAP_OP_DEREF not defined in this LDAP "
1198 "library - cannot use \"dereference\"");
1199 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1200 return DEFER;
1201 }
6ec97b1b 1202 #endif
0756eb3c 1203
6ec97b1b
PH
1204 #ifdef LDAP_OPT_REFERRALS
1205 else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
1206 {
1207 if (strcmpic(value, US"follow") == 0) referrals = LDAP_OPT_ON;
1208 else if (strcmpic(value, US"nofollow") == 0) referrals = LDAP_OPT_OFF;
1209 else
1210 {
1211 *errmsg = string_sprintf("LDAP option REFERRALS is not \"follow\" "
1212 "or \"nofollow\"");
1213 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1214 return DEFER;
1215 }
1216 }
1217 #else
1218 else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
1219 {
1220 *errmsg = string_sprintf("LDAP_OP_REFERRALS not defined in this LDAP "
1221 "library - cannot use \"referrals\"");
1222 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1223 return DEFER;
1224 }
0756eb3c
PH
1225 #endif
1226
1227 else
1228 {
1229 *errmsg =
1230 string_sprintf("unknown parameter \"%.*s\" precedes LDAP URL",
1231 namelen, name);
1232 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1233 return DEFER;
1234 }
1235 while (isspace(*url)) url++;
1236 continue;
1237 }
1238 }
1239 *errmsg = US"malformed parameter setting precedes LDAP URL";
1240 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1241 return DEFER;
1242 }
1243
1244/* If user is set, de-URL-quote it. Some LDAP libraries do this for themselves,
1245but it seems that not all behave like this. The DN for the user is often the
1246result of ${quote_ldap_dn:...} quoting, which does apply URL quoting, because
1247that is needed when the DN is used as a base DN in a query. Sigh. This is all
1248far too complicated. */
1249
1250if (user != NULL)
1251 {
1252 uschar *s;
1253 uschar *t = user;
1254 for (s = user; *s != 0; s++)
1255 {
1256 int c, d;
1257 if (*s == '%' && isxdigit(c=s[1]) && isxdigit(d=s[2]))
1258 {
1259 c = tolower(c);
1260 d = tolower(d);
1261 *t++ =
1262 (((c >= 'a')? (10 + c - 'a') : c - '0') << 4) |
1263 ((d >= 'a')? (10 + d - 'a') : d - '0');
1264 s += 2;
1265 }
1266 else *t++ = *s;
1267 }
1268 *t = 0;
1269 }
1270
1271DEBUG(D_lookup)
1272 debug_printf("LDAP parameters: user=%s pass=%s size=%d time=%d connect=%d "
6ec97b1b
PH
1273 "dereference=%d referrals=%s\n", user, password, sizelimit, timelimit,
1274 tcplimit, dereference, (referrals == LDAP_OPT_ON)? "on" : "off");
0756eb3c
PH
1275
1276/* If the request is just to check authentication, some credentials must
1277be given. The password must not be empty because LDAP binds with an empty
1278password are considered anonymous, and will succeed on most installations. */
1279
1280if (search_type == SEARCH_LDAP_AUTH)
1281 {
1282 if (user == NULL || password == NULL)
1283 {
1284 *errmsg = US"ldapauth lookups must specify the username and password";
1285 return DEFER;
1286 }
1287 if (password[0] == 0)
1288 {
1289 DEBUG(D_lookup) debug_printf("Empty password: ldapauth returns FAIL\n");
1290 return FAIL;
1291 }
1292 }
1293
1294/* Check for valid ldap url starters */
1295
1296p = url + 4;
1297if (tolower(*p) == 's' || tolower(*p) == 'i') p++;
1298if (Ustrncmp(p, "://", 3) != 0)
1299 {
1300 *errmsg = string_sprintf("LDAP URL does not start with \"ldap://\", "
1301 "\"ldaps://\", or \"ldapi://\" (it starts with \"%.16s...\")", url);
1302 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1303 return DEFER;
1304 }
1305
1306/* No default servers, or URL contains a server name: just one attempt */
1307
deae092e 1308if ((eldap_default_servers == NULL && local_servers == NULL) || p[3] != '/')
0756eb3c
PH
1309 {
1310 return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
6ec97b1b
PH
1311 &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
1312 referrals);
0756eb3c
PH
1313 }
1314
deae092e
HS
1315/* Loop through the default servers until OK or FAIL. Use local_servers list
1316 * if defined in the lookup, otherwise use the global default list */
1317list = (local_servers == NULL) ? eldap_default_servers : local_servers;
0756eb3c
PH
1318while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
1319 {
1320 int rc;
1321 int port = 0;
1322 uschar *colon = Ustrchr(server, ':');
1323 if (colon != NULL)
1324 {
1325 *colon = 0;
1326 port = Uatoi(colon+1);
1327 }
1328 rc = perform_ldap_search(url, server, port, search_type, res, errmsg,
6ec97b1b
PH
1329 &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
1330 referrals);
0756eb3c
PH
1331 if (rc != DEFER || defer_break) return rc;
1332 }
1333
1334return DEFER;
1335}
1336
1337
1338
1339/*************************************************
1340* Find entry point *
1341*************************************************/
1342
1343/* See local README for interface description. The different kinds of search
1344are handled by a common function, with a flag to differentiate between them.
1345The handle and filename arguments are not used. */
1346
e6d225ae 1347static int
55414b25 1348eldap_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
14b3c5bc 1349 uschar **result, uschar **errmsg, uint *do_cache)
0756eb3c
PH
1350{
1351/* Keep picky compilers happy */
1352do_cache = do_cache;
1353return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg));
1354}
1355
e6d225ae 1356static int
55414b25 1357eldapm_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
14b3c5bc 1358 uschar **result, uschar **errmsg, uint *do_cache)
0756eb3c
PH
1359{
1360/* Keep picky compilers happy */
1361do_cache = do_cache;
1362return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg));
1363}
1364
e6d225ae 1365static int
55414b25 1366eldapdn_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
14b3c5bc 1367 uschar **result, uschar **errmsg, uint *do_cache)
0756eb3c
PH
1368{
1369/* Keep picky compilers happy */
1370do_cache = do_cache;
1371return(control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg));
1372}
1373
1374int
55414b25 1375eldapauth_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
14b3c5bc 1376 uschar **result, uschar **errmsg, uint *do_cache)
0756eb3c
PH
1377{
1378/* Keep picky compilers happy */
1379do_cache = do_cache;
1380return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg));
1381}
1382
1383
1384
1385/*************************************************
1386* Open entry point *
1387*************************************************/
1388
1389/* See local README for interface description. */
1390
e6d225ae 1391static void *
0756eb3c
PH
1392eldap_open(uschar *filename, uschar **errmsg)
1393{
1394return (void *)(1); /* Just return something non-null */
1395}
1396
1397
1398
1399/*************************************************
1400* Tidy entry point *
1401*************************************************/
1402
1403/* See local README for interface description.
1404Make sure that eldap_dn does not refer to reclaimed or worse, freed store */
1405
e6d225ae 1406static void
0756eb3c
PH
1407eldap_tidy(void)
1408{
1409LDAP_CONNECTION *lcp = NULL;
1410eldap_dn = NULL;
1411
1412while ((lcp = ldap_connections) != NULL)
1413 {
1414 DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
1415 lcp->port);
ff2c417d
TL
1416 if(lcp->bound == TRUE)
1417 ldap_unbind(lcp->ld);
0756eb3c
PH
1418 ldap_connections = lcp->next;
1419 }
1420}
1421
1422
1423
1424/*************************************************
1425* Quote entry point *
1426*************************************************/
1427
1428/* LDAP quoting is unbelievably messy. For a start, two different levels of
1429quoting have to be done: LDAP quoting, and URL quoting. The current
1430specification is the result of a suggestion by Brian Candler. It recognizes
1431two separate cases:
1432
1433(1) For text that appears in a search filter, the following escapes are
1434 required (see RFC 2254):
1435
1436 * -> \2A
1437 ( -> \28
1438 ) -> \29
1439 \ -> \5C
1440 NULL -> \00
1441
1442 Then the entire filter text must be URL-escaped. This kind of quoting is
1443 implemented by ${quote_ldap:....}. Note that we can never have a NULL
1444 in the input string, because that's a terminator.
1445
1446(2) For a DN that is part of a URL (i.e. the base DN), the characters
1447
1448 , + " \ < > ;
1449
1450 must be quoted by backslashing. See RFC 2253. Leading and trailing spaces
1451 must be escaped, as must a leading #. Then the string must be URL-quoted.
1452 This type of quoting is implemented by ${quote_ldap_dn:....}.
1453
1454For URL quoting, the only characters that need not be quoted are the
1455alphamerics and
1456
1457 ! $ ' ( ) * + - . _
1458
1459All the others must be hexified and preceded by %. This includes the
1460backslashes used for LDAP quoting.
1461
1462For a DN that is given in the USER parameter for authentication, we need the
1463same initial quoting as (2) but in this case, the result must NOT be
1464URL-escaped, because it isn't a URL. The way this is handled is by
1465de-URL-quoting the text when processing the USER parameter in
1466control_ldap_search() above. That means that the same quote operator can be
1467used. This has the additional advantage that spaces in the DN won't cause
1468parsing problems. For example:
1469
1470 USER=cn=${quote_ldap_dn:$1},%20dc=example,%20dc=com
1471
1472should be safe if there are spaces in $1.
1473
1474
1475Arguments:
1476 s the string to be quoted
1477 opt additional option text or NULL if none
1478 only "dn" is recognized
1479
1480Returns: the processed string or NULL for a bad option
1481*/
1482
1483
1484
1485/* The characters in this string, together with alphanumerics, never need
1486quoting in any way. */
1487
1488#define ALWAYS_LITERAL "!$'-._"
1489
1490/* The special characters in this string do not need to be URL-quoted. The set
1491is a bit larger than the general literals. */
1492
1493#define URL_NONQUOTE ALWAYS_LITERAL "()*+"
1494
1495/* The following macros define the characters that are quoted by quote_ldap and
1496quote_ldap_dn, respectively. */
1497
1498#define LDAP_QUOTE "*()\\"
1499#define LDAP_DN_QUOTE ",+\"\\<>;"
1500
1501
1502
e6d225ae 1503static uschar *
0756eb3c
PH
1504eldap_quote(uschar *s, uschar *opt)
1505{
1506register int c;
1507int count = 0;
1508int len = 0;
1509BOOL dn = FALSE;
1510uschar *t = s;
1511uschar *quoted;
1512
1513/* Test for a DN quotation. */
1514
1515if (opt != NULL)
1516 {
1517 if (Ustrcmp(opt, "dn") != 0) return NULL; /* No others recognized */
1518 dn = TRUE;
1519 }
1520
1521/* Compute how much extra store we need for the string. This doesn't have to be
1522exact as long as it isn't an underestimate. The worst case is the addition of 5
1523extra bytes for a single character. This occurs for certain characters in DNs,
1524where, for example, < turns into %5C%3C. For simplicity, we just add 5 for each
1525possibly escaped character. The really fast way would be just to test for
1526non-alphanumerics, but it is probably better to spot a few others that are
1527never escaped, because if there are no specials at all, we can avoid copying
1528the string. */
1529
1530while ((c = *t++) != 0)
1531 {
1532 len++;
1533 if (!isalnum(c) && Ustrchr(ALWAYS_LITERAL, c) == NULL) count += 5;
1534 }
1535if (count == 0) return s;
1536
1537/* Get sufficient store to hold the quoted string */
1538
1539t = quoted = store_get(len + count + 1);
1540
1541/* Handle plain quote_ldap */
1542
1543if (!dn)
1544 {
1545 while ((c = *s++) != 0)
1546 {
1547 if (!isalnum(c))
1548 {
1549 if (Ustrchr(LDAP_QUOTE, c) != NULL)
1550 {
1551 sprintf(CS t, "%%5C%02X", c); /* e.g. * => %5C2A */
1552 t += 5;
1553 continue;
1554 }
1555 if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */
1556 {
1557 sprintf(CS t, "%%%02X", c);
1558 t += 3;
1559 continue;
1560 }
1561 }
1562 *t++ = c; /* unquoted character */
1563 }
1564 }
1565
1566/* Handle quote_ldap_dn */
1567
1568else
1569 {
1570 uschar *ss = s + len;
1571
1572 /* Find the last char before any trailing spaces */
1573
1574 while (ss > s && ss[-1] == ' ') ss--;
1575
1576 /* Quote leading spaces and sharps */
1577
1578 for (; s < ss; s++)
1579 {
1580 if (*s != ' ' && *s != '#') break;
1581 sprintf(CS t, "%%5C%%%02X", *s);
1582 t += 6;
1583 }
1584
1585 /* Handle the rest of the string, up to the trailing spaces */
1586
1587 while (s < ss)
1588 {
1589 c = *s++;
1590 if (!isalnum(c))
1591 {
1592 if (Ustrchr(LDAP_DN_QUOTE, c) != NULL)
1593 {
1594 Ustrncpy(t, "%5C", 3); /* insert \ where needed */
1595 t += 3; /* fall through to check URL */
1596 }
1597 if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */
1598 {
1599 sprintf(CS t, "%%%02X", c);
1600 t += 3;
1601 continue;
1602 }
1603 }
1604 *t++ = c; /* unquoted character, or non-URL quoted after %5C */
1605 }
1606
1607 /* Handle the trailing spaces */
1608
1609 while (*ss++ != 0)
1610 {
1611 Ustrncpy(t, "%5C%20", 6);
1612 t += 6;
1613 }
1614 }
1615
1616/* Terminate the new string and return */
1617
1618*t = 0;
1619return quoted;
1620}
1621
6545de78
PP
1622
1623
1624/*************************************************
1625* Version reporting entry point *
1626*************************************************/
1627
1628/* See local README for interface description. */
1629
1630#include "../version.h"
1631
1632void
1633ldap_version_report(FILE *f)
1634{
1635#ifdef DYNLOOKUP
1636fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
1637#endif
1638}
1639
1640
e6d225ae
DW
1641static lookup_info ldap_lookup_info = {
1642 US"ldap", /* lookup name */
1643 lookup_querystyle, /* query-style lookup */
1644 eldap_open, /* open function */
1645 NULL, /* check function */
1646 eldap_find, /* find function */
1647 NULL, /* no close function */
1648 eldap_tidy, /* tidy function */
6545de78
PP
1649 eldap_quote, /* quoting function */
1650 ldap_version_report /* version reporting */
e6d225ae
DW
1651};
1652
1653static lookup_info ldapdn_lookup_info = {
1654 US"ldapdn", /* lookup name */
1655 lookup_querystyle, /* query-style lookup */
1656 eldap_open, /* sic */ /* open function */
1657 NULL, /* check function */
1658 eldapdn_find, /* find function */
1659 NULL, /* no close function */
1660 eldap_tidy, /* sic */ /* tidy function */
6545de78
PP
1661 eldap_quote, /* sic */ /* quoting function */
1662 NULL /* no version reporting (redundant) */
e6d225ae
DW
1663};
1664
1665static lookup_info ldapm_lookup_info = {
1666 US"ldapm", /* lookup name */
1667 lookup_querystyle, /* query-style lookup */
1668 eldap_open, /* sic */ /* open function */
1669 NULL, /* check function */
1670 eldapm_find, /* find function */
1671 NULL, /* no close function */
1672 eldap_tidy, /* sic */ /* tidy function */
6545de78
PP
1673 eldap_quote, /* sic */ /* quoting function */
1674 NULL /* no version reporting (redundant) */
e6d225ae
DW
1675};
1676
1677#ifdef DYNLOOKUP
1678#define ldap_lookup_module_info _lookup_module_info
1679#endif
1680
1681static lookup_info *_lookup_list[] = { &ldap_lookup_info, &ldapdn_lookup_info, &ldapm_lookup_info };
1682lookup_module_info ldap_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
0756eb3c
PH
1683
1684/* End of lookups/ldap.c */