1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
f9ba5e22 | 5 | /* Copyright (c) University of Cambridge 1995 - 2018 */ |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* Many thanks to Stuart Lynne for contributing the original code for this | |
4c04137d | 9 | driver. Further contributions from Michael Haardt, Brian Candler, Barry |
10 | Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for |
11 | researching how to handle the different kinds of error. */ | |
12 | ||
13 | ||
14 | #include "../exim.h" | |
15 | #include "lf_functions.h" | |
16 | |
17 | ||
/* Include LDAP headers. The code below uses some "old" LDAP interfaces - for
example ldap_init(), ldap_bind(), ldap_search(), ldap_result2error() and
ldap_get_values() - that are marked as deprecated in OpenLDAP. I don't know
their status in other LDAP implementations. Defining LDAP_DEPRECATED before
including ldap.h causes their prototypes to be declared. */
22 | ||
23 | #define LDAP_DEPRECATED 1 | |
24 | |
25 | #include <lber.h> | |
26 | #include <ldap.h> | |
27 | ||
28 | ||
29 | /* Annoyingly, the different LDAP libraries handle errors in different ways, | |
30 | and some other things too. There doesn't seem to be an automatic way of | |
31 | distinguishing between them. Local/Makefile should contain a setting of | |
32 | LDAP_LIB_TYPE, which in turn causes appropriate macros to be defined for the | |
33 | different kinds. Those that matter are: | |
34 | ||
35 | LDAP_LIB_NETSCAPE | |
36 | LDAP_LIB_SOLARIS with synonym LDAP_LIB_SOLARIS7 | |
37 | LDAP_LIB_OPENLDAP2 | |
38 | ||
39 | These others may be defined, but are in fact the default, so are not tested: | |
40 | ||
41 | LDAP_LIB_UMICHIGAN | |
42 | LDAP_LIB_OPENLDAP1 | |
43 | */ | |
44 | ||
45 | #if defined(LDAP_LIB_SOLARIS7) && ! defined(LDAP_LIB_SOLARIS) | |
46 | #define LDAP_LIB_SOLARIS | |
47 | #endif | |
48 | ||
49 | ||
50 | /* Just in case LDAP_NO_LIMIT is not defined by some of these libraries. */ | |
51 | ||
52 | #ifndef LDAP_NO_LIMIT | |
53 | #define LDAP_NO_LIMIT 0 | |
54 | #endif | |
55 | ||
56 | ||
57 | /* Just in case LDAP_DEREF_NEVER is not defined */ | |
58 | ||
59 | #ifndef LDAP_DEREF_NEVER | |
60 | #define LDAP_DEREF_NEVER 0 | |
61 | #endif | |
62 | ||
63 | ||
64 | /* Four types of LDAP search are implemented */ |
65 | ||
66 | #define SEARCH_LDAP_MULTIPLE 0 /* Get attributes from multiple entries */ | |
67 | #define SEARCH_LDAP_SINGLE 1 /* Get attributes from one entry only */ | |
68 | #define SEARCH_LDAP_DN 2 /* Get just the DN from one entry */ | |
69 | #define SEARCH_LDAP_AUTH 3 /* Just checking for authentication */ | |
70 | ||
/* In all 4 cases, the DN of the entry is left in $ldap_dn. That variable was
added after the SEARCH_LDAP_DN lookup, which returns just the DN as its data. */
73 | ||
74 | ||
/* Structure and anchor for caching connections. One LDAP_CONNECTION is created
by perform_ldap_search() for each (host, port) it has to open, and is linked at
the front of the ldap_connections chain; no code in this chunk of the file ever
unlinks one. The cache is keyed on host (compared case-insensitively) and port,
except that port is ignored for ldapi (Unix-socket) connections. */

typedef struct ldap_connection {
  struct ldap_connection *next;   /* Next cached connection, or NULL at the end */
  uschar *host;                   /* Copy of the host name, or NULL for the library default */
  uschar *user;                   /* Bind name of the last successful bind, or NULL (anonymous) */
  uschar *password;               /* Password of the last successful bind, or NULL. Kept in
                                     clear text in process memory so that a later lookup
                                     with different credentials triggers a rebind; nothing
                                     in this chunk of the file clears or frees it. */
  BOOL bound;                     /* TRUE once a bind on ld has succeeded */
  int port;                       /* TCP port the connection was opened to; not meaningful
                                     for ldapi */
  BOOL is_start_tls_called;       /* TRUE once ldap_start_tls_s() has succeeded, so the
                                     STARTTLS is not re-issued on a later rebind */
  LDAP *ld;                       /* Handle from ldap_initialize()/ldap_init() */
} LDAP_CONNECTION;
87 | ||
/* Anchor of the connection cache. The most recently opened connection is at
the head, because perform_ldap_search() always links new entries at the front.
Static storage is zero-initialised, so the chain starts out empty (NULL). */

static LDAP_CONNECTION *ldap_connections;
89 | ||
90 | ||
91 | ||
92 | /************************************************* | |
93 | * Internal search function * | |
94 | *************************************************/ | |
95 | ||
96 | /* This is the function that actually does the work. It is called (indirectly | |
97 | via control_ldap_search) from eldap_find(), eldapauth_find(), eldapdn_find(), | |
98 | and eldapm_find(), with a difference in the "search_type" argument. | |
99 | ||
The case of eldapauth_find() is special in that all it does is bind with the
supplied user and password, returning OK if the bind succeeds, FAIL if the
server rejects the credentials (LDAP_INVALID_CREDENTIALS), and DEFER for any
other failure. This isn't used as a lookup. Instead, it is called from expand.c
as an expansion condition test.
103 | ||
104 | The DN from a successful lookup is placed in $ldap_dn. This feature postdates | |
105 | the provision of the SEARCH_LDAP_DN facility for returning just the DN as the | |
106 | data. | |
107 | ||
108 | Arguments: | |
109 | ldap_url the URL to be looked up | |
110 | server server host name, when URL contains none | |
111 | s_port server port, used when URL contains no name | |
112 | search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries | |
113 | SEARCH_LDAP_SINGLE allows values from one entry only | |
114 | SEARCH_LDAP_DN gets the DN from one entry | |
115 | res set to point at the result (not used for ldapauth) | |
116 | errmsg set to point a message if result is not OK | |
117 | defer_break set TRUE if no more servers to be tried after a DEFER | |
  user         bind name for simple authentication, or NULL for an anonymous bind
  password     password for simple authentication, or NULL. It is sent with
               LDAP_AUTH_SIMPLE, so unless TLS is in use (an ldaps URL with a
               TLS-capable library, or eldap_start_tls set) it crosses the
               network in clear; it is also kept in the connection cache for
               rebind detection and is printed by the D_lookup debug output.
120 | sizelimit max number of entries returned, or 0 for no limit | |
121 | timelimit max time to wait, or 0 for no limit | |
d00328e2 | 122 | tcplimit max time for network activity, e.g. connect, or 0 for OS default |
123 | deference the dereference option, which is one of |
124 | LDAP_DEREF_{NEVER,SEARCHING,FINDING,ALWAYS} | |
6ec97b1b | 125 | referrals the referral option, which is LDAP_OPT_ON or LDAP_OPT_OFF |
126 | |
Returns:       OK or FAIL or DEFER
               FAIL is given only if a lookup was performed successfully but
               returned no data, or, for SEARCH_LDAP_AUTH, if the bind was
               rejected with LDAP_INVALID_CREDENTIALS. The other error paths in
               this function leave error_yield at its initial value, DEFER.
130 | */ | |
131 | ||
132 | static int | |
133 | perform_ldap_search(const uschar *ldap_url, uschar *server, int s_port, |
134 | int search_type, uschar **res, uschar **errmsg, BOOL *defer_break, | |
135 | uschar *user, uschar *password, int sizelimit, int timelimit, int tcplimit, | |
136 | int dereference, void *referrals) | |
137 | { |
138 | LDAPURLDesc *ludp = NULL; | |
139 | LDAPMessage *result = NULL; | |
140 | BerElement *ber; | |
141 | LDAP_CONNECTION *lcp; | |
142 | ||
143 | struct timeval timeout; | |
144 | struct timeval *timeoutptr = NULL; | |
145 | ||
acec9514 | 146 | gstring * data = NULL; |
147 | uschar *dn = NULL; |
148 | uschar *host; | |
149 | uschar **values; | |
150 | uschar **firstval; | |
151 | uschar porttext[16]; | |
152 | ||
153 | uschar *error1 = NULL; /* string representation of errcode (static) */ | |
154 | uschar *error2 = NULL; /* error message from the server */ | |
155 | uschar *matched = NULL; /* partially matched DN */ | |
156 | ||
9494140a | 157 | int attrs_requested = 0; |
158 | int error_yield = DEFER; |
159 | int msgid; | |
d38f8232 | 160 | int rc, ldap_rc, ldap_parse_rc; |
0756eb3c | 161 | int port; |
0756eb3c | 162 | int rescount = 0; |
163 | BOOL attribute_found = FALSE; |
164 | BOOL ldapi = FALSE; | |
165 | ||
166 | DEBUG(D_lookup) debug_printf_indent("perform_ldap_search:" |
167 | " ldap%s URL = \"%s\" server=%s port=%d " | |
0756eb3c | 168 | "sizelimit=%d timelimit=%d tcplimit=%d\n", |
169 | search_type == SEARCH_LDAP_MULTIPLE ? "m" : |
170 | search_type == SEARCH_LDAP_DN ? "dn" : | |
171 | search_type == SEARCH_LDAP_AUTH ? "auth" : "", | |
172 | ldap_url, server, s_port, sizelimit, timelimit, tcplimit); |
173 | ||
174 | /* Check if LDAP thinks the URL is a valid LDAP URL. We assume that if the LDAP | |
175 | library that is in use doesn't recognize, say, "ldapi", it will barf here. */ | |
176 | ||
177 | if (!ldap_is_ldap_url(CS ldap_url)) | |
178 | { | |
179 | *errmsg = string_sprintf("ldap_is_ldap_url: not an LDAP url \"%s\"\n", | |
180 | ldap_url); | |
181 | goto RETURN_ERROR_BREAK; | |
182 | } | |
183 | ||
184 | /* Parse the URL */ | |
185 | ||
186 | if ((rc = ldap_url_parse(CS ldap_url, &ludp)) != 0) | |
187 | { | |
188 | *errmsg = string_sprintf("ldap_url_parse: (error %d) parsing \"%s\"\n", rc, | |
189 | ldap_url); | |
190 | goto RETURN_ERROR_BREAK; | |
191 | } | |
192 | ||
193 | /* If the host name is empty, take it from the separate argument, if one is | |
194 | given. OpenLDAP 2.0.6 sets an unset hostname to "" rather than empty, but | |
195 | expects NULL later in ldap_init() to mean "default", annoyingly. In OpenLDAP | |
196 | 2.0.11 this has changed (it uses NULL). */ | |
197 | ||
d9cb3c45 | 198 | if ((!ludp->lud_host || !ludp->lud_host[0]) && server) |
199 | { |
200 | host = server; | |
201 | port = s_port; | |
202 | } | |
203 | else | |
204 | { | |
205 | host = US ludp->lud_host; | |
d9cb3c45 | 206 | if (host && !host[0]) host = NULL; |
207 | port = ludp->lud_port; |
208 | } | |
209 | ||
42c7f0b4 | 210 | DEBUG(D_lookup) debug_printf_indent("after ldap_url_parse: host=%s port=%d\n", |
211 | host, port); |
212 | ||
213 | if (port == 0) port = LDAP_PORT; /* Default if none given */ | |
214 | sprintf(CS porttext, ":%d", port); /* For messages */ | |
215 | ||
216 | /* If the "host name" is actually a path, we are going to connect using a Unix | |
217 | socket, regardless of whether "ldapi" was actually specified or not. This means | |
218 | that a Unix socket can be declared in eldap_default_servers, and "traditional" | |
219 | LDAP queries using just "ldap" can be used ("ldaps" is similarly overridden). | |
220 | The path may start with "/" or it may already be escaped as "%2F" if it was | |
221 | actually declared that way in eldap_default_servers. (I did it that way the | |
222 | first time.) If the host name is not a path, the use of "ldapi" causes an | |
223 | error, except in the default case. (But lud_scheme doesn't seem to exist in | |
224 | older libraries.) */ | |
225 | ||
d9cb3c45 | 226 | if (host) |
227 | { |
228 | if ((host[0] == '/' || Ustrncmp(host, "%2F", 3) == 0)) | |
229 | { | |
230 | ldapi = TRUE; | |
231 | porttext[0] = 0; /* Remove port from messages */ | |
232 | } | |
233 | ||
d9cb3c45 | 234 | #if defined LDAP_LIB_OPENLDAP2 |
235 | else if (strncmp(ludp->lud_scheme, "ldapi", 5) == 0) |
236 | { | |
237 | *errmsg = string_sprintf("ldapi requires an absolute path (\"%s\" given)", | |
238 | host); | |
239 | goto RETURN_ERROR; | |
240 | } | |
d9cb3c45 | 241 | #endif |
242 | } |
243 | ||
244 | /* Count the attributes; we need this later to tell us how to format results */ | |
245 | ||
d7978c0f | 246 | for (uschar ** attrp = USS ludp->lud_attrs; attrp && *attrp; attrp++) |
9494140a | 247 | attrs_requested++; |
248 | |
249 | /* See if we can find a cached connection to this host. The port is not | |
250 | relevant for ldapi. The host name pointer is set to NULL if no host was given | |
251 | (implying the library default), rather than to the empty string. Note that in | |
252 | this case, there is no difference between ldap and ldapi. */ | |
253 | ||
d9cb3c45 | 254 | for (lcp = ldap_connections; lcp; lcp = lcp->next) |
255 | { |
256 | if ((host == NULL) != (lcp->host == NULL) || | |
257 | (host != NULL && strcmpic(lcp->host, host) != 0)) | |
258 | continue; | |
259 | if (ldapi || port == lcp->port) break; | |
260 | } | |
261 | ||
262 | /* Use this network timeout in any requests. */ |
263 | ||
264 | if (tcplimit > 0) | |
265 | { | |
266 | timeout.tv_sec = tcplimit; | |
267 | timeout.tv_usec = 0; | |
268 | timeoutptr = &timeout; | |
269 | } | |
270 | ||
271 | /* If no cached connection found, we must open a connection to the server. If |
272 | the server name is actually an absolute path, we set ldapi=TRUE above. This | |
273 | requests connection via a Unix socket. However, as far as I know, only OpenLDAP | |
274 | supports the use of sockets, and the use of ldap_initialize(). */ | |
275 | ||
d9cb3c45 | 276 | if (!lcp) |
277 | { |
278 | LDAP *ld; | |
279 | ||
d9cb3c45 | 280 | #ifdef LDAP_OPT_X_TLS_NEWCTX |
281 | int am_server = 0; |
282 | LDAP *ldsetctx; | |
d9cb3c45 | 283 | #else |
5428a946 | 284 | LDAP *ldsetctx = NULL; |
d9cb3c45 | 285 | #endif |
5428a946 | 286 | |
287 | |
288 | /* --------------------------- OpenLDAP ------------------------ */ | |
289 | ||
290 | /* There seems to be a preference under OpenLDAP for ldap_initialize() | |
291 | instead of ldap_init(), though I have as yet been unable to find | |
292 | documentation that says this. (OpenLDAP documentation is sparse to | |
293 | non-existent). So we handle OpenLDAP differently here. Also, support for | |
294 | ldapi seems to be OpenLDAP-only at present. */ | |
295 | ||
d9cb3c45 | 296 | #ifdef LDAP_LIB_OPENLDAP2 |
297 | |
298 | /* We now need an empty string for the default host. Get some store in which | |
299 | to build a URL for ldap_initialize(). In the ldapi case, it can't be bigger | |
300 | than (9 + 3*Ustrlen(shost)), whereas in the other cases it can't be bigger | |
301 | than the host name + "ldaps:///" plus : and a port number, say 20 + the | |
302 | length of the host name. What we get should accommodate both, easily. */ | |
303 | ||
304 | uschar * shost = host ? host : US""; |
305 | rmark reset_point = store_mark(); | |
306 | gstring * g; | |
307 | |
308 | /* Handle connection via Unix socket ("ldapi"). We build a basic LDAP URI to | |
309 | contain the path name, with slashes escaped as %2F. */ | |
310 | ||
311 | if (ldapi) | |
312 | { | |
313 | g = string_catn(NULL, US"ldapi://", 8); |
314 | for (uschar ch; (ch = *shost); shost++) | |
315 | g = ch == '/' ? string_catn(g, US"%2F", 3) : string_catn(g, shost, 1); | |
316 | } |
317 | ||
318 | /* This is not an ldapi call. Just build a URI with the protocol type, host | |
319 | name, and port. */ | |
320 | ||
321 | else | |
322 | { | |
323 | uschar * init_ptr = Ustrchr(ldap_url, '/'); |
324 | g = string_catn(NULL, ldap_url, init_ptr - ldap_url); | |
325 | g = string_fmt_append(g, "//%s:%d/", shost, port); | |
0756eb3c | 326 | } |
f3ebb786 | 327 | string_from_gstring(g); |
328 | |
329 | /* Call ldap_initialize() and check the result */ | |
330 | ||
f3ebb786 JH |
331 | DEBUG(D_lookup) debug_printf_indent("ldap_initialize with URL %s\n", g->s); |
332 | if ((rc = ldap_initialize(&ld, CS g->s)) != LDAP_SUCCESS) | |
333 | { |
334 | *errmsg = string_sprintf("ldap_initialize: (error %d) URL \"%s\"\n", | |
f3ebb786 | 335 | rc, g->s); |
336 | goto RETURN_ERROR; |
337 | } | |
f3ebb786 | 338 | store_reset(reset_point); /* Might as well save memory when we can */ |
339 | |
340 | ||
341 | /* ------------------------- Not OpenLDAP ---------------------- */ | |
342 | ||
343 | /* For libraries other than OpenLDAP, use ldap_init(). */ | |
344 | ||
d9cb3c45 | 345 | #else /* LDAP_LIB_OPENLDAP2 */ |
0756eb3c | 346 | ld = ldap_init(CS host, port); |
d9cb3c45 | 347 | #endif /* LDAP_LIB_OPENLDAP2 */ |
348 | |
349 | /* -------------------------------------------------------------- */ | |
350 | ||
351 | ||
352 | /* Handle failure to initialize */ | |
353 | ||
d9cb3c45 | 354 | if (!ld) |
355 | { |
356 | *errmsg = string_sprintf("failed to initialize for LDAP server %s%s - %s", | |
357 | host, porttext, strerror(errno)); | |
358 | goto RETURN_ERROR; | |
359 | } | |
360 | ||
d9cb3c45 | 361 | #ifdef LDAP_OPT_X_TLS_NEWCTX |
5428a946 | 362 | ldsetctx = ld; |
d9cb3c45 | 363 | #endif |
5428a946 | 364 | |
365 | /* Set the TCP connect time limit if available. This is something that is |
366 | in Netscape SDK v4.1; I don't know about other libraries. */ | |
367 | ||
d9cb3c45 | 368 | #ifdef LDAP_X_OPT_CONNECT_TIMEOUT |
369 | if (tcplimit > 0) |
370 | { | |
994a09e9 | 371 | int timeout1000 = tcplimit*1000; |
372 | ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000); |
373 | } | |
374 | else |
375 | { | |
376 | int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT; | |
377 | ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)¬imeout); | |
378 | } | |
d9cb3c45 | 379 | #endif |
0756eb3c | 380 | |
381 | /* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */ |
382 | ||
d9cb3c45 | 383 | #ifdef LDAP_OPT_NETWORK_TIMEOUT |
384 | if (tcplimit > 0) |
385 | ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr); | |
d9cb3c45 | 386 | #endif |
7c7ad977 | 387 | |
388 | /* I could not get TLS to work until I set the version to 3. That version |
389 | seems to be the default nowadays. The RFC is dated 1997, so I would hope | |
390 | that all the LDAP libraries support it. Therefore, if eldap_version hasn't | |
391 | been set, go for v3 if we can. */ | |
392 | ||
393 | if (eldap_version < 0) | |
394 | { | |
d9cb3c45 | 395 | #ifdef LDAP_VERSION3 |
0756eb3c | 396 | eldap_version = LDAP_VERSION3; |
d9cb3c45 | 397 | #else |
0756eb3c | 398 | eldap_version = 2; |
d9cb3c45 | 399 | #endif |
400 | } |
401 | ||
d9cb3c45 | 402 | #ifdef LDAP_OPT_PROTOCOL_VERSION |
0756eb3c | 403 | ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *)&eldap_version); |
d9cb3c45 | 404 | #endif |
0756eb3c | 405 | |
42c7f0b4 | 406 | DEBUG(D_lookup) debug_printf_indent("initialized for LDAP (v%d) server %s%s\n", |
407 | eldap_version, host, porttext); |
408 | ||
409 | /* If not using ldapi and TLS is available, set appropriate TLS options: hard | |
410 | for "ldaps" and soft otherwise. */ | |
411 | ||
d9cb3c45 | 412 | #ifdef LDAP_OPT_X_TLS |
413 | if (!ldapi) |
414 | { | |
415 | int tls_option; | |
416 | # ifdef LDAP_OPT_X_TLS_REQUIRE_CERT |
417 | if (eldap_require_cert) | |
33382dd9 | 418 | { |
419 | tls_option = |
420 | Ustrcmp(eldap_require_cert, "hard") == 0 ? LDAP_OPT_X_TLS_HARD | |
421 | : Ustrcmp(eldap_require_cert, "demand") == 0 ? LDAP_OPT_X_TLS_DEMAND | |
422 | : Ustrcmp(eldap_require_cert, "allow") == 0 ? LDAP_OPT_X_TLS_ALLOW | |
423 | : Ustrcmp(eldap_require_cert, "try") == 0 ? LDAP_OPT_X_TLS_TRY | |
424 | : LDAP_OPT_X_TLS_NEVER; | |
425 | ||
426 | DEBUG(D_lookup) debug_printf_indent( |
427 | "Require certificate overrides LDAP_OPT_X_TLS option (%d)\n", | |
428 | tls_option); | |
429 | } |
430 | else | |
d9cb3c45 | 431 | # endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */ |
432 | if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0) |
433 | { | |
434 | tls_option = LDAP_OPT_X_TLS_HARD; | |
33382dd9 | 435 | DEBUG(D_lookup) |
42c7f0b4 | 436 | debug_printf_indent("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n"); |
437 | } |
438 | else | |
439 | { | |
440 | tls_option = LDAP_OPT_X_TLS_TRY; | |
33382dd9 | 441 | DEBUG(D_lookup) |
42c7f0b4 | 442 | debug_printf_indent("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n"); |
443 | } |
444 | ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option); | |
445 | } | |
d9cb3c45 | 446 | #endif /* LDAP_OPT_X_TLS */ |
0756eb3c | 447 | |
448 | #ifdef LDAP_OPT_X_TLS_CACERTFILE |
449 | if (eldap_ca_cert_file) | |
5428a946 | 450 | ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); |
451 | #endif |
452 | #ifdef LDAP_OPT_X_TLS_CACERTDIR | |
453 | if (eldap_ca_cert_dir) | |
5428a946 | 454 | ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); |
455 | #endif |
456 | #ifdef LDAP_OPT_X_TLS_CERTFILE | |
457 | if (eldap_cert_file) | |
5428a946 | 458 | ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); |
459 | #endif |
460 | #ifdef LDAP_OPT_X_TLS_KEYFILE | |
461 | if (eldap_cert_key) | |
5428a946 | 462 | ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); |
463 | #endif |
464 | #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE | |
465 | if (eldap_cipher_suite) | |
5428a946 | 466 | ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); |
467 | #endif |
468 | #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT | |
469 | if (eldap_require_cert) | |
bc19a55b | 470 | { |
471 | int cert_option = |
472 | Ustrcmp(eldap_require_cert, "hard") == 0 ? LDAP_OPT_X_TLS_HARD | |
473 | : Ustrcmp(eldap_require_cert, "demand") == 0 ? LDAP_OPT_X_TLS_DEMAND | |
474 | : Ustrcmp(eldap_require_cert, "allow") == 0 ? LDAP_OPT_X_TLS_ALLOW | |
475 | : Ustrcmp(eldap_require_cert, "try") == 0 ? LDAP_OPT_X_TLS_TRY | |
476 | : LDAP_OPT_X_TLS_NEVER; | |
477 | ||
478 | /* This ldap handle is set at compile time based on client libs. Older |
479 | * versions want it to be global and newer versions can force a reload | |
480 | * of the TLS context (to reload these settings we are changing from the | |
481 | * default that loaded at instantiation). */ | |
482 | rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); | |
483 | if (rc) | |
5428a946 | 484 | DEBUG(D_lookup) |
42c7f0b4 | 485 | debug_printf_indent("Unable to set TLS require cert_option(%d) globally: %s\n", |
5428a946 | 486 | cert_option, ldap_err2string(rc)); |
5428a946 | 487 | } |
488 | #endif |
489 | #ifdef LDAP_OPT_X_TLS_NEWCTX | |
490 | if ((rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server))) | |
5428a946 | 491 | DEBUG(D_lookup) |
42c7f0b4 | 492 | debug_printf_indent("Unable to reload TLS context %d: %s\n", |
5428a946 | 493 | rc, ldap_err2string(rc)); |
494 | #endif |
495 | ||
496 | /* Now add this connection to the chain of cached connections */ |
497 | ||
498 | lcp = store_get(sizeof(LDAP_CONNECTION), FALSE); |
499 | lcp->host = host ? string_copy(host) : NULL; | |
500 | lcp->bound = FALSE; |
501 | lcp->user = NULL; | |
502 | lcp->password = NULL; | |
503 | lcp->port = port; | |
504 | lcp->ld = ld; | |
505 | lcp->next = ldap_connections; | |
a30a8861 | 506 | lcp->is_start_tls_called = FALSE; |
507 | ldap_connections = lcp; |
508 | } | |
509 | ||
510 | /* Found cached connection */ | |
511 | ||
512 | else | |
0756eb3c | 513 | DEBUG(D_lookup) |
42c7f0b4 | 514 | debug_printf_indent("re-using cached connection to LDAP server %s%s\n", |
0756eb3c | 515 | host, porttext); |
516 | |
517 | /* Bind with the user/password supplied, or an anonymous bind if these values | |
518 | are NULL, unless a cached connection is already bound with the same values. */ | |
519 | ||
520 | if ( !lcp->bound |
521 | || !lcp->user && user | |
522 | || lcp->user && !user | |
523 | || lcp->user && user && Ustrcmp(lcp->user, user) != 0 | |
524 | || !lcp->password && password | |
525 | || lcp->password && !password | |
526 | || lcp->password && password && Ustrcmp(lcp->password, password) != 0 | |
527 | ) | |
0756eb3c | 528 | { |
42c7f0b4 | 529 | DEBUG(D_lookup) debug_printf_indent("%sbinding with user=%s password=%s\n", |
530 | lcp->bound ? "re-" : "", user, password); |
531 | ||
b738dd0f | 532 | if (eldap_start_tls && !lcp->is_start_tls_called && !ldapi) |
bc19a55b | 533 | { |
534 | #if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS) |
535 | /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this. | |
536 | * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not | |
537 | * export an ldap_start_tls_s symbol. | |
538 | */ | |
539 | if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS) | |
540 | { | |
541 | *errmsg = string_sprintf("failed to initiate TLS processing on an " | |
542 | "LDAP session to server %s%s - ldap_start_tls_s() returned %d:" | |
543 | " %s", host, porttext, rc, ldap_err2string(rc)); | |
544 | goto RETURN_ERROR; | |
545 | } | |
a30a8861 | 546 | lcp->is_start_tls_called = TRUE; |
d13cdd30 | 547 | #else |
42c7f0b4 | 548 | DEBUG(D_lookup) debug_printf_indent("TLS initiation not supported with this Exim" |
d9cb3c45 | 549 | " and your LDAP library.\n"); |
867fcbf5 | 550 | #endif |
d13cdd30 | 551 | } |
552 | if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE)) |
553 | == -1) | |
0756eb3c | 554 | { |
7c7ad977 | 555 | *errmsg = string_sprintf("failed to bind the LDAP connection to server " |
d00328e2 | 556 | "%s%s - ldap_bind() returned -1", host, porttext); |
557 | goto RETURN_ERROR; |
558 | } | |
0756eb3c | 559 | |
d9cb3c45 | 560 | if ((rc = ldap_result(lcp->ld, msgid, 1, timeoutptr, &result)) <= 0) |
561 | { |
562 | *errmsg = string_sprintf("failed to bind the LDAP connection to server " | |
8e669ac1 | 563 | "%s%s - LDAP error: %s", host, porttext, |
564 | rc == -1 ? "result retrieval failed" : "timeout" ); |
565 | result = NULL; | |
566 | goto RETURN_ERROR; | |
567 | } | |
568 | ||
d9cb3c45 | 569 | rc = ldap_result2error(lcp->ld, result, 0); |
570 | |
571 | /* Invalid credentials when just checking credentials returns FAIL. This | |
572 | stops any further servers being tried. */ | |
0756eb3c | 573 | |
574 | if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS) |
575 | { | |
576 | DEBUG(D_lookup) | |
42c7f0b4 | 577 | debug_printf_indent("Invalid credentials: ldapauth returns FAIL\n"); |
7c7ad977 PH |
578 | error_yield = FAIL; |
579 | goto RETURN_ERROR_NOMSG; | |
580 | } | |
0756eb3c | 581 | |
582 | /* Otherwise we have a problem that doesn't stop further servers from being |
583 | tried. */ | |
584 | ||
585 | if (rc != LDAP_SUCCESS) | |
586 | { | |
587 | *errmsg = string_sprintf("failed to bind the LDAP connection to server " |
588 | "%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc)); | |
589 | goto RETURN_ERROR; | |
590 | } | |
591 | ||
592 | /* Successful bind */ | |
593 | ||
594 | lcp->bound = TRUE; | |
595 | lcp->user = !user ? NULL : string_copy(user); |
596 | lcp->password = !password ? NULL : string_copy(password); | |
597 | |
598 | ldap_msgfree(result); | |
599 | result = NULL; | |
600 | } |
601 | ||
602 | /* If we are just checking credentials, return OK. */ | |
603 | ||
604 | if (search_type == SEARCH_LDAP_AUTH) | |
605 | { | |
42c7f0b4 | 606 | DEBUG(D_lookup) debug_printf_indent("Bind succeeded: ldapauth returns OK\n"); |
607 | goto RETURN_OK; |
608 | } | |
609 | ||
610 | /* Before doing the search, set the time and size limits (if given). Here again | |
611 | the different implementations of LDAP have chosen to do things differently. */ | |
612 | ||
613 | #if defined(LDAP_OPT_SIZELIMIT) | |
614 | ldap_set_option(lcp->ld, LDAP_OPT_SIZELIMIT, (void *)&sizelimit); | |
615 | ldap_set_option(lcp->ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit); | |
616 | #else | |
617 | lcp->ld->ld_sizelimit = sizelimit; | |
618 | lcp->ld->ld_timelimit = timelimit; | |
619 | #endif | |
620 | ||
621 | /* Similarly for dereferencing aliases. Don't know if this is possible on | |
622 | an LDAP library without LDAP_OPT_DEREF. */ | |
623 | ||
624 | #if defined(LDAP_OPT_DEREF) | |
625 | ldap_set_option(lcp->ld, LDAP_OPT_DEREF, (void *)&dereference); | |
626 | #endif | |
627 | ||
628 | /* Similarly for the referral setting; should the library follow referrals that |
629 | the LDAP server returns? The conditional is just in case someone uses a library | |
630 | without it. */ | |
631 | ||
632 | #if defined(LDAP_OPT_REFERRALS) | |
633 | ldap_set_option(lcp->ld, LDAP_OPT_REFERRALS, referrals); | |
634 | #endif | |
635 | ||
636 | /* Start the search on the server. */ |
637 | ||
42c7f0b4 | 638 | DEBUG(D_lookup) debug_printf_indent("Start search\n"); |
639 | |
640 | msgid = ldap_search(lcp->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter, | |
641 | ludp->lud_attrs, 0); | |
642 | ||
643 | if (msgid == -1) | |
644 | { | |
d9cb3c45 | 645 | #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2 |
646 | int err; |
647 | ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err); | |
8e669ac1 | 648 | *errmsg = string_sprintf("ldap_search failed: %d, %s", err, |
3ca0ba97 | 649 | ldap_err2string(err)); |
d9cb3c45 | 650 | #else |
3ca0ba97 | 651 | *errmsg = string_sprintf("ldap_search failed"); |
d9cb3c45 | 652 | #endif |
8e669ac1 | 653 | |
654 | goto RETURN_ERROR; |
655 | } | |
656 | ||
657 | /* Loop to pick up results as they come in, setting a timeout if one was | |
658 | given. */ | |
659 | ||
660 | while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) == |
661 | LDAP_RES_SEARCH_ENTRY) | |
662 | { | |
663 | LDAPMessage *e; | |
664 | int valuecount; /* We can see an attr spread across several |
665 | entries. If B is derived from A and we request | |
666 | A and the directory contains both, A and B, | |
667 | then we get two entries, one for A and one for B. | |
668 | Here we just count the values per entry */ | |
0756eb3c | 669 | |
42c7f0b4 | 670 | DEBUG(D_lookup) debug_printf_indent("LDAP result loop\n"); |
0756eb3c | 671 | |
bb4fd71d | 672 | for(e = ldap_first_entry(lcp->ld, result), valuecount = 0; |
acec9514 | 673 | e; |
674 | e = ldap_next_entry(lcp->ld, e)) |
675 | { | |
676 | uschar *new_dn; | |
677 | BOOL insert_space = FALSE; | |
678 | ||
42c7f0b4 | 679 | DEBUG(D_lookup) debug_printf_indent("LDAP entry loop\n"); |
680 | |
681 | rescount++; /* Count results */ | |
682 | ||
683 | /* Results for multiple entries values are separated by newlines. */ | |
684 | ||
acec9514 | 685 | if (data) data = string_catn(data, US"\n", 1); |
686 | |
687 | /* Get the DN from the last result. */ | |
688 | ||
d9cb3c45 | 689 | if ((new_dn = US ldap_get_dn(lcp->ld, e))) |
0756eb3c | 690 | { |
d9cb3c45 | 691 | if (dn) |
0756eb3c | 692 | { |
d9cb3c45 | 693 | #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2 |
0756eb3c | 694 | ldap_memfree(dn); |
d9cb3c45 | 695 | #else /* OPENLDAP 1, UMich, Solaris */ |
0756eb3c | 696 | free(dn); |
d9cb3c45 | 697 | #endif |
698 | } |
699 | /* Save for later */ | |
700 | dn = new_dn; | |
701 | } | |
702 | ||
703 | /* If the data we want is actually the DN rather than any attribute values, | |
704 | (an "ldapdn" search) add it to the data string. If there are multiple | |
705 | entries, the DNs will be concatenated, but we test for this case below, as | |
706 | for SEARCH_LDAP_SINGLE, and give an error. */ | |
707 | ||
708 | if (search_type == SEARCH_LDAP_DN) /* Do not amalgamate these into one */ |
709 | { /* condition, because of the else */ | |
710 | if (new_dn) /* below, that's for the first only */ | |
0756eb3c | 711 | { |
712 | data = string_cat(data, new_dn); |
713 | (void) string_from_gstring(data); | |
714 | attribute_found = TRUE; |
715 | } | |
716 | } | |
717 | ||
718 | /* Otherwise, loop through the entry, grabbing attribute values. If there's | |
719 | only one attribute being retrieved, no attribute name is given, and the | |
3a2ac12b | 720 | result is not quoted. Multiple values are separated by (comma). |
0756eb3c | 721 | If more than one attribute is being retrieved, the data is given as a |
722 | sequence of name=value pairs, separated by (space), with the value always in quotes. |
723 | If there are multiple values, they are given within the quotes, comma separated. */ | |
0756eb3c | 724 | |
d7978c0f | 725 | else for (uschar * attr = US ldap_first_attribute(lcp->ld, e, &ber); |
acec9514 | 726 | attr; attr = US ldap_next_attribute(lcp->ld, e, ber)) |
0756eb3c | 727 | { |
42c7f0b4 | 728 | DEBUG(D_lookup) debug_printf_indent("LDAP attr loop\n"); |
729 | |
730 | /* In case of attrs_requested == 1 we just count the values, in all other cases | |
731 | (0, >1) we count the values per attribute */ | |
732 | if (attrs_requested != 1) valuecount = 0; | |
733 | ||
734 | if (attr[0] != 0) |
735 | { | |
736 | /* Get array of values for this attribute. */ | |
737 | ||
acec9514 | 738 | if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr))) |
0756eb3c | 739 | { |
9494140a | 740 | if (attrs_requested != 1) |
741 | { |
742 | if (insert_space) | |
acec9514 | 743 | data = string_catn(data, US" ", 1); |
744 | else |
745 | insert_space = TRUE; | |
746 | data = string_cat(data, attr); |
747 | data = string_catn(data, US"=\"", 2); | |
748 | } |
749 | ||
acec9514 | 750 | while (*values) |
751 | { |
752 | uschar *value = *values; | |
753 | int len = Ustrlen(value); | |
bb4fd71d | 754 | ++valuecount; |
0756eb3c | 755 | |
42c7f0b4 | 756 | DEBUG(D_lookup) debug_printf_indent("LDAP value loop %s:%s\n", attr, value); |
694678d0 | 757 | |
758 | /* In case we requested one attribute only but got several times |
759 | into that attr loop, we need to append the additional values. | |
760 | (This may happen if you derive attributeTypes B and C from A and | |
761 | then query for A.) In all other cases we detect the different | |
762 | attribute and append only every non first value. */ | |
0756eb3c | 763 | |
bb4fd71d | 764 | if (data && valuecount > 1) |
acec9514 | 765 | data = string_catn(data, US",", 1); |
766 | |
767 | /* For multiple attributes, the data is in quotes. We must escape | |
7bba24eb | 768 | internal quotes, backslashes, newlines, and must double commas. */ |
0756eb3c | 769 | |
9494140a | 770 | if (attrs_requested != 1) |
d7978c0f | 771 | for (int j = 0; j < len; j++) |
772 | { |
773 | if (value[j] == '\n') | |
acec9514 | 774 | data = string_catn(data, US"\\n", 2); |
7bba24eb | 775 | else if (value[j] == ',') |
acec9514 | 776 | data = string_catn(data, US",,", 2); |
777 | else |
778 | { | |
779 | if (value[j] == '\"' || value[j] == '\\') | |
780 | data = string_catn(data, US"\\", 1); |
781 | data = string_catn(data, value+j, 1); | |
782 | } |
783 | } | |
0756eb3c | 784 | |
785 | /* For single attributes, just double commas */ |
786 | ||
787 | else | |
d7978c0f | 788 | for (int j = 0; j < len; j++) |
7bba24eb | 789 | if (value[j] == ',') |
acec9514 | 790 | data = string_catn(data, US",,", 2); |
7bba24eb | 791 | else |
acec9514 | 792 | data = string_catn(data, value+j, 1); |
0756eb3c | 793 | |
794 | |
795 | /* Move on to the next value */ | |
796 | ||
797 | values++; | |
798 | attribute_found = TRUE; | |
799 | } | |
800 | ||
801 | /* Closing quote at the end of the data for a named attribute. */ | |
802 | ||
9494140a | 803 | if (attrs_requested != 1) |
acec9514 | 804 | data = string_catn(data, US"\"", 1); |
805 | |
806 | /* Free the values */ | |
807 | ||
808 | ldap_value_free(CSS firstval); | |
809 | } | |
810 | } | |
811 | ||
d9cb3c45 | 812 | #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2 |
813 | |
814 | /* Netscape and OpenLDAP2 LDAP's attrs are dynamically allocated and need | |
815 | to be freed. UMich LDAP stores them in static storage and does not require | |
816 | this. */ | |
817 | ||
818 | ldap_memfree(attr); | |
d9cb3c45 | 819 | #endif |
820 | } /* End "for" loop for extracting attributes from an entry */ |
821 | } /* End "for" loop for extracting entries from a result */ | |
822 | ||
823 | /* Free the result */ | |
824 | ||
825 | ldap_msgfree(result); | |
826 | result = NULL; | |
827 | } /* End "while" loop for multiple results */ | |
828 | ||
829 | /* Terminate the dynamic string that we have built and reclaim unused store. |
830 | In the odd case of a single attribute with zero-length value, allocate | |
831 | an empty string. */ | |
0756eb3c | 832 | |
833 | if (!data) data = string_get(1); |
834 | (void) string_from_gstring(data); | |
e59797e3 | 835 | gstring_release_unused(data); |
836 | |
837 | /* Copy the last dn into eldap_dn */ | |
838 | ||
acec9514 | 839 | if (dn) |
840 | { |
841 | eldap_dn = string_copy(dn); | |
d9cb3c45 | 842 | #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2 |
0756eb3c | 843 | ldap_memfree(dn); |
d9cb3c45 | 844 | #else /* OPENLDAP 1, UMich, Solaris */ |
0756eb3c | 845 | free(dn); |
d9cb3c45 | 846 | #endif |
847 | } |
848 | ||
42c7f0b4 | 849 | DEBUG(D_lookup) debug_printf_indent("search ended by ldap_result yielding %d\n",rc); |
850 | |
851 | if (rc == 0) | |
852 | { | |
853 | *errmsg = US"ldap_result timed out"; | |
854 | goto RETURN_ERROR; | |
855 | } | |
856 | ||
857 | /* A return code of -1 seems to mean "ldap_result failed internally or couldn't | |
858 | provide you with a message". Other error states seem to exist where | |
859 | ldap_result() didn't give us any message from the server at all, leaving result | |
860 | set to NULL. Apparently, "the error parameters of the LDAP session handle will | |
861 | be set accordingly". That's the best we can do to retrieve an error status; we | |
862 | can't use functions like ldap_result2error because they parse a message from | |
863 | the server, which we didn't get. | |
864 | ||
865 | Annoyingly, the different implementations of LDAP have gone for different | |
866 | methods of handling error codes and generating error messages. */ | |
867 | ||
d9cb3c45 | 868 | if (rc == -1 || !result) |
869 | { |
870 | int err; | |
42c7f0b4 | 871 | DEBUG(D_lookup) debug_printf_indent("ldap_result failed\n"); |
0756eb3c | 872 | |
d9cb3c45 | 873 | #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2 |
874 | ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err); |
875 | *errmsg = string_sprintf("ldap_result failed: %d, %s", | |
876 | err, ldap_err2string(err)); | |
877 | ||
d9cb3c45 | 878 | #elif defined LDAP_LIB_NETSCAPE |
879 | /* Dubious (surely 'matched' is spurious here?) */ |
880 | (void)ldap_get_lderrno(lcp->ld, &matched, &error1); | |
881 | *errmsg = string_sprintf("ldap_result failed: %s (%s)", error1, matched); | |
882 | ||
d9cb3c45 | 883 | #else /* UMich LDAP aka OpenLDAP 1.x */ |
884 | *errmsg = string_sprintf("ldap_result failed: %d, %s", |
885 | lcp->ld->ld_errno, ldap_err2string(lcp->ld->ld_errno)); | |
d9cb3c45 | 886 | #endif |
887 | |
888 | goto RETURN_ERROR; | |
889 | } | |
890 | ||
891 | /* A return code that isn't -1 doesn't necessarily mean there were no problems | |
892 | with the search. The message must be an LDAP_RES_SEARCH_RESULT or |
893 | LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions | |
894 | of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So | |
895 | we don't provide that functionality when we can't. :-) */ |
896 | ||
8e669ac1 | 897 | if (rc != LDAP_RES_SEARCH_RESULT |
898 | #ifdef LDAP_RES_SEARCH_REFERENCE |
899 | && rc != LDAP_RES_SEARCH_REFERENCE | |
8e669ac1 | 900 | #endif |
3295e65b | 901 | ) |
902 | { |
903 | *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc); | |
904 | goto RETURN_ERROR; | |
905 | } | |
906 | ||
907 | /* We have a result message from the server. This doesn't yet mean all is well. | |
908 | We need to parse the message to find out exactly what's happened. */ | |
909 | ||
910 | #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2 |
911 | ldap_rc = rc; | |
8e669ac1 | 912 | ldap_parse_rc = ldap_parse_result(lcp->ld, result, &rc, CSS &matched, |
d38f8232 | 913 | CSS &error2, NULL, NULL, 0); |
42c7f0b4 | 914 | DEBUG(D_lookup) debug_printf_indent("ldap_parse_result: %d\n", ldap_parse_rc); |
8e669ac1 | 915 | if (ldap_parse_rc < 0 && |
3295e65b | 916 | (ldap_parse_rc != LDAP_NO_RESULTS_RETURNED |
8e669ac1 | 917 | #ifdef LDAP_RES_SEARCH_REFERENCE |
3295e65b | 918 | || ldap_rc != LDAP_RES_SEARCH_REFERENCE |
8e669ac1 | 919 | #endif |
3295e65b | 920 | )) |
0756eb3c | 921 | { |
d38f8232 | 922 | *errmsg = string_sprintf("ldap_parse_result failed %d", ldap_parse_rc); |
923 | goto RETURN_ERROR; |
924 | } | |
925 | error1 = US ldap_err2string(rc); | |
926 | ||
927 | #elif defined LDAP_LIB_NETSCAPE | |
928 | /* Dubious (it doesn't reference 'result' at all!) */ | |
929 | rc = ldap_get_lderrno(lcp->ld, &matched, &error1); | |
930 | ||
931 | #else /* UMich LDAP aka OpenLDAP 1.x */ | |
932 | rc = ldap_result2error(lcp->ld, result, 0); | |
933 | error1 = ldap_err2string(rc); | |
934 | error2 = lcp->ld->ld_error; | |
935 | matched = lcp->ld->ld_matched; | |
936 | #endif | |
937 | ||
938 | /* Process the status as follows: | |
939 | ||
940 | (1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the | |
941 | truncated result list. | |
942 | ||
943 | (2) If we get LDAP_RES_SEARCH_REFERENCE, also just carry on. This was a |
944 | submitted patch that is reported to "do the right thing" with Solaris | |
945 | LDAP libraries. (The problem it addresses apparently does not occur with | |
946 | Open LDAP.) | |
947 | ||
948 | (3) The range of errors defined by LDAP_NAME_ERROR generally mean "that | |
949 | object does not, or cannot, exist in the database". For those cases we |
950 | fail the lookup. | |
951 | ||
21eb6e72 | 952 | (4) All other non-successes here are treated as some kind of problem with |
953 | the lookup, so return DEFER (which is the default in error_yield). |
954 | */ | |
955 | ||
42c7f0b4 | 956 | DEBUG(D_lookup) debug_printf_indent("ldap_parse_result yielded %d: %s\n", |
957 | rc, ldap_err2string(rc)); |
958 | ||
959 | if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED |
960 | #ifdef LDAP_RES_SEARCH_REFERENCE | |
961 | && rc != LDAP_RES_SEARCH_REFERENCE | |
962 | #endif | |
963 | ) | |
964 | { |
965 | *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s", | |
966 | rc, | |
967 | error1 ? error1 : US"", |
968 | error2 && error2[0] ? US"/" : US"", | |
969 | error2 ? error2 : US"", | |
970 | matched && matched[0] ? US"/" : US"", | |
971 | matched ? matched : US""); | |
0756eb3c | 972 | |
d9cb3c45 | 973 | #if defined LDAP_NAME_ERROR |
0756eb3c | 974 | if (LDAP_NAME_ERROR(rc)) |
d9cb3c45 | 975 | #elif defined NAME_ERROR /* OPENLDAP1 calls it this */ |
0756eb3c | 976 | if (NAME_ERROR(rc)) |
d9cb3c45 | 977 | #else |
0756eb3c | 978 | if (rc == LDAP_NO_SUCH_OBJECT) |
d9cb3c45 | 979 | #endif |
980 | |
981 | { | |
42c7f0b4 | 982 | DEBUG(D_lookup) debug_printf_indent("lookup failure forced\n"); |
983 | error_yield = FAIL; |
984 | } | |
985 | goto RETURN_ERROR; | |
986 | } | |
987 | ||
988 | /* The search succeeded. Check if we have too many results */ | |
989 | ||
990 | if (search_type != SEARCH_LDAP_MULTIPLE && rescount > 1) | |
991 | { | |
992 | *errmsg = string_sprintf("LDAP search: more than one entry (%d) was returned " | |
993 | "(filter not specific enough?)", rescount); | |
994 | goto RETURN_ERROR_BREAK; | |
995 | } | |
996 | ||
997 | /* Check if we have too few (zero) entries */ | |
998 | ||
999 | if (rescount < 1) | |
1000 | { | |
f3ebb786 | 1001 | *errmsg = US"LDAP search: no results"; |
1002 | error_yield = FAIL; |
1003 | goto RETURN_ERROR_BREAK; | |
1004 | } | |
1005 | ||
1006 | /* If an entry was found, but it had no attributes, we behave as if no entries | |
1007 | were found, that is, the lookup failed. */ | |
1008 | ||
1009 | if (!attribute_found) | |
1010 | { | |
1011 | *errmsg = US"LDAP search: found no attributes"; | |
1012 | error_yield = FAIL; | |
1013 | goto RETURN_ERROR; | |
1014 | } | |
1015 | ||
1016 | /* Otherwise, it's all worked */ | |
1017 | ||
42c7f0b4 | 1018 | DEBUG(D_lookup) debug_printf_indent("LDAP search: returning: %s\n", data->s); |
acec9514 | 1019 | *res = data->s; |
1020 | |
1021 | RETURN_OK: | |
d9cb3c45 | 1022 | if (result) ldap_msgfree(result); |
1023 | ldap_free_urldesc(ludp); |
1024 | return OK; | |
1025 | ||
1026 | /* Error returns */ | |
1027 | ||
1028 | RETURN_ERROR_BREAK: | |
1029 | *defer_break = TRUE; | |
1030 | ||
1031 | RETURN_ERROR: | |
42c7f0b4 | 1032 | DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg); |
1033 | |
1034 | RETURN_ERROR_NOMSG: | |
1035 | if (result) ldap_msgfree(result); |
1036 | if (ludp) ldap_free_urldesc(ludp); | |
1037 | |
1038 | #if defined LDAP_LIB_OPENLDAP2 | |
1039 | if (error2) ldap_memfree(error2); |
1040 | if (matched) ldap_memfree(matched); | |
1041 | #endif |
1042 | ||
1043 | return error_yield; | |
1044 | } | |
1045 | ||
1046 | ||
1047 | ||
1048 | /************************************************* | |
1049 | * Internal search control function * | |
1050 | *************************************************/ | |
1051 | ||
1052 | /* This function is called from eldap_find(), eldapauth_find(), eldapdn_find(), | |
1053 | and eldapm_find() with a difference in the "search_type" argument. It controls | |
1054 | calls to perform_ldap_search() which actually does the work. We call that | |
1055 | repeatedly for certain types of defer in the case when the URL contains no host | |
1056 | name and eldap_default_servers is set to a list of servers to try. This gives | |
1057 | more control than just passing over a list of hosts to ldap_open() because it | |
1058 | handles other kinds of defer as well as just a failure to open. Note that the | |
1059 | URL is defined to contain either zero or one "hostport" only. | |
1060 | ||
1061 | Parameter data in addition to the URL can be passed as preceding text in the | |
1062 | string, as items of the form XXX=yyy. The URL itself can be detected because it | |
1063 | must begin "ldapx://", where x is empty, s, or i. | |
1064 | ||
1065 | Arguments: | |
1066 | ldap_url the URL to be looked up, optionally preceded by other parameter | |
1067 | settings | |
1068 | search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries | |
1069 | SEARCH_LDAP_SINGLE allows values from one entry only | |
1070 | SEARCH_LDAP_DN gets the DN from one entry | |
1071 | res set to point at the result | |
  errmsg      set to point at a message if result is not OK
1073 | ||
1074 | Returns: OK or FAIL or DEFER | |
1075 | */ | |
1076 | ||
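static int
control_ldap_search(const uschar *ldap_url, int search_type, uschar **res,
  uschar **errmsg)
{
BOOL defer_break = FALSE;
int timelimit = LDAP_NO_LIMIT;
int sizelimit = LDAP_NO_LIMIT;
int tcplimit = 0;
int sep = 0;
int dereference = LDAP_DEREF_NEVER;
void* referrals = LDAP_OPT_ON;
const uschar *url = ldap_url;
const uschar *p;
uschar *user = NULL;
uschar *password = NULL;
uschar *local_servers = NULL;
uschar *server;
const uschar *list;
uschar buffer[512];    /* one server name at a time from the server list */

while (isspace(*url)) url++;

/* Until the string begins "ldap", search for the other parameter settings that
are recognized. They are of the form NAME=VALUE, with the value being
optionally double-quoted. There must still be a space after it, however. No
NAME has the value "ldap". */

while (strncmpic(url, US"ldap", 4) != 0)
  {
  const uschar *name = url;
  while (*url && *url != '=') url++;
  if (*url == '=')
    {
    int namelen;
    uschar *value;
    namelen = ++url - name;          /* length including the "=" */
    value = string_dequote(&url);
    if (isspace(*url))
      {
      /* The numeric settings go through Uatoi(), which (presumably atoi()-like)
      gives no error indication, so a malformed number is not rejected here. */

      if (strncmpic(name, US"USER=", namelen) == 0) user = value;
      else if (strncmpic(name, US"PASS=", namelen) == 0) password = value;
      else if (strncmpic(name, US"SIZE=", namelen) == 0) sizelimit = Uatoi(value);
      else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
      else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
      else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
      else if (strncmpic(name, US"SERVERS=", namelen) == 0) local_servers = value;

      /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */

#ifdef LDAP_OPT_DEREF
      else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
        {
        /* An unrecognized value leaves the default (never) in place; unlike
        REFERRALS= below it is not reported as an error. */

        if (strcmpic(value, US"never") == 0) dereference = LDAP_DEREF_NEVER;
        else if (strcmpic(value, US"searching") == 0)
          dereference = LDAP_DEREF_SEARCHING;
        else if (strcmpic(value, US"finding") == 0)
          dereference = LDAP_DEREF_FINDING;
        else if (strcmpic(value, US"always") == 0)
          dereference = LDAP_DEREF_ALWAYS;
        }
#else
      else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
        {
        *errmsg = string_sprintf("LDAP_OP_DEREF not defined in this LDAP "
          "library - cannot use \"dereference\"");
        DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
        return DEFER;
        }
#endif

#ifdef LDAP_OPT_REFERRALS
      else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
        {
        if (strcmpic(value, US"follow") == 0) referrals = LDAP_OPT_ON;
        else if (strcmpic(value, US"nofollow") == 0) referrals = LDAP_OPT_OFF;
        else
          {
          *errmsg = US"LDAP option REFERRALS is not \"follow\" or \"nofollow\"";
          DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
          return DEFER;
          }
        }
#else
      else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
        {
        *errmsg = string_sprintf("LDAP_OP_REFERRALS not defined in this LDAP "
          "library - cannot use \"referrals\"");
        DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
        return DEFER;
        }
#endif

      else
        {
        *errmsg =
          string_sprintf("unknown parameter \"%.*s\" precedes LDAP URL",
            namelen, name);
        DEBUG(D_lookup) debug_printf_indent("LDAP query error: %s\n", *errmsg);
        return DEFER;
        }
      while (isspace(*url)) url++;
      continue;
      }
    }

  /* Either no "=" before the end of the string, or no space after the value */

  *errmsg = US"malformed parameter setting precedes LDAP URL";
  DEBUG(D_lookup) debug_printf_indent("LDAP query error: %s\n", *errmsg);
  return DEFER;
  }

/* If user is set, de-URL-quote it. Some LDAP libraries do this for themselves,
but it seems that not all behave like this. The DN for the user is often the
result of ${quote_ldap_dn:...} quoting, which does apply URL quoting, because
that is needed when the DN is used as a base DN in a query. Sigh. This is all
far too complicated.

The decoding is done in place, so it relies on string_dequote() having returned
writable store rather than a pointer into the (const) ldap_url - presumably so,
but confirm against string_dequote() if this is ever changed. A "%" that is not
followed by two hex digits is copied literally; the second isxdigit() test is
never reached when s[1] is the terminating NUL, so no read runs off the end. */

if (user)
  {
  uschar *t = user;
  for (uschar * s = user; *s != 0; s++)
    {
    int c, d;
    if (*s == '%' && isxdigit(c=s[1]) && isxdigit(d=s[2]))
      {
      c = tolower(c);
      d = tolower(d);
      *t++ =
        (((c >= 'a')? (10 + c - 'a') : c - '0') << 4) |
        ((d >= 'a')? (10 + d - 'a') : d - '0');
      s += 2;                  /* plus the loop's own s++ skips the triplet */
      }
    else *t++ = *s;
    }
  *t = 0;
  }

/* Never write the bind password itself to the debug output: debug streams are
routinely pasted into tickets and log collectors. Whether one was supplied is
still visible, which is what is usually needed when diagnosing ldapauth. */

DEBUG(D_lookup)
  debug_printf_indent("LDAP parameters: user=%s pass=%s size=%d time=%d connect=%d "
    "dereference=%d referrals=%s\n", user, password ? US"<hidden>" : NULL,
    sizelimit, timelimit, tcplimit, dereference,
    referrals == LDAP_OPT_ON ? "on" : "off");

/* If the request is just to check authentication, some credentials must
be given. The password must not be empty because LDAP binds with an empty
password are considered anonymous, and will succeed on most installations. */

if (search_type == SEARCH_LDAP_AUTH)
  {
  if (!user || !password)
    {
    *errmsg = US"ldapauth lookups must specify the username and password";
    return DEFER;
    }
  if (!*password)
    {
    DEBUG(D_lookup) debug_printf_indent("Empty password: ldapauth returns FAIL\n");
    return FAIL;
    }
  }

/* Check for valid ldap url starters */

p = url + 4;
if (tolower(*p) == 's' || tolower(*p) == 'i') p++;
if (Ustrncmp(p, "://", 3) != 0)
  {
  *errmsg = string_sprintf("LDAP URL does not start with \"ldap://\", "
    "\"ldaps://\", or \"ldapi://\" (it starts with \"%.16s...\")", url);
  DEBUG(D_lookup) debug_printf_indent("LDAP query error: %s\n", *errmsg);
  return DEFER;
  }

/* No default servers, or URL contains a server name: just one attempt. After
"://", a "/" straight away means the URL's hostport is empty; anything else is
the start of a host name, which takes precedence over any server list. */

if ((!eldap_default_servers && !local_servers) || p[3] != '/')
  return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
    &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
    referrals);

/* Loop through the default servers until OK or FAIL. Use local_servers list
if defined in the lookup, otherwise use the global default list. Each entry is
split at its first ":" into host and port (so a bare IPv6 literal would not
work here); perform_ldap_search() sets defer_break for defers that should not
be retried on the next server. */

list = !local_servers ? eldap_default_servers : local_servers;
while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
  {
  int rc;
  int port = 0;
  uschar *colon = Ustrchr(server, ':');
  if (colon)
    {
    *colon = 0;                  /* server points into our own buffer */
    port = Uatoi(colon+1);
    }
  rc = perform_ldap_search(url, server, port, search_type, res, errmsg,
    &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
    referrals);
  if (rc != DEFER || defer_break) return rc;
  }

return DEFER;
}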
1274 | ||
1275 | ||
1276 | ||
1277 | /************************************************* | |
1278 | * Find entry point * | |
1279 | *************************************************/ | |
1280 | ||
1281 | /* See local README for interface description. The different kinds of search | |
1282 | are handled by a common function, with a flag to differentiate between them. | |
1283 | The handle and filename arguments are not used. */ | |
1284 | ||
static int
eldap_find(void * handle, const uschar * filename, const uschar * ldap_url,
  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
  const uschar * opts)
{
/* Single-entry search ("ldap"): the shared driver does the work. The handle,
filename, length and opts arguments are part of the lookup interface only;
do_cache is left exactly as the caller set it. */
(void)do_cache;
return control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg);
}
1294 | ||
static int
eldapm_find(void * handle, const uschar * filename, const uschar * ldap_url,
  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
  const uschar * opts)
{
/* Multi-entry search ("ldapm"): values from several entries are allowed. The
handle, filename, length and opts arguments are unused; do_cache is untouched. */
(void)do_cache;
return control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg);
}
1304 | ||
static int
eldapdn_find(void * handle, const uschar * filename, const uschar * ldap_url,
  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
  const uschar * opts)
{
/* DN search ("ldapdn"): the result is the entry's DN rather than attribute
values. The handle, filename, length and opts arguments are unused; do_cache is
untouched. */
(void)do_cache;
return control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg);
}
1314 | ||
int
eldapauth_find(void * handle, const uschar * filename, const uschar * ldap_url,
  int length, uschar ** result, uschar ** errmsg, uint * do_cache)
{
/* Authentication check ("ldapauth"): control_ldap_search() insists on a user
and a non-empty password for this search type. Not static, unlike the other
entry points, so that it can be called from outside this driver. The handle,
filename and length arguments are unused; do_cache is untouched. */
(void)do_cache;
return control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg);
}
1323 | ||
1324 | ||
1325 | ||
1326 | /************************************************* | |
1327 | * Open entry point * | |
1328 | *************************************************/ | |
1329 | ||
1330 | /* See local README for interface description. */ | |
1331 | ||
static void *
eldap_open(const uschar * filename, uschar ** errmsg)
{
/* There is nothing to open at this stage: connections are made when a search
is performed. The caller only tests the handle for non-NULL, so a constant
dummy value suffices. filename and errmsg are not used. */
void * dummy_handle = (void *)1;
return dummy_handle;
}
1337 | ||
1338 | ||
1339 | ||
1340 | /************************************************* | |
1341 | * Tidy entry point * | |
1342 | *************************************************/ | |
1343 | ||
1344 | /* See local README for interface description. | |
Make sure that eldap_dn does not refer to reclaimed or, worse, freed store */
1346 | ||
static void
eldap_tidy(void)
{
/* Drop the cached DN pointer first, so that nothing can later dereference a
pointer into store that is about to be reclaimed. */
eldap_dn = NULL;

/* Unbind every cached connection, unlinking each from the list as we go. Only
connections that actually reached the bound state are unbound. */
for (LDAP_CONNECTION * lcp; (lcp = ldap_connections) != NULL; ldap_connections = lcp->next)
  {
  DEBUG(D_lookup) debug_printf_indent("unbind LDAP connection to %s:%d\n", lcp->host,
    lcp->port);
  if (lcp->bound == TRUE)
    ldap_unbind(lcp->ld);
  }
}
1362 | ||
1363 | ||
1364 | ||
1365 | /************************************************* | |
1366 | * Quote entry point * | |
1367 | *************************************************/ | |
1368 | ||
1369 | /* LDAP quoting is unbelievably messy. For a start, two different levels of | |
1370 | quoting have to be done: LDAP quoting, and URL quoting. The current | |
1371 | specification is the result of a suggestion by Brian Candler. It recognizes | |
1372 | two separate cases: | |
1373 | ||
1374 | (1) For text that appears in a search filter, the following escapes are | |
1375 | required (see RFC 2254): | |
1376 | ||
1377 | * -> \2A | |
1378 | ( -> \28 | |
1379 | ) -> \29 | |
1380 | \ -> \5C | |
1381 | NULL -> \00 | |
1382 | ||
1383 | Then the entire filter text must be URL-escaped. This kind of quoting is | |
implemented by ${quote_ldap:....}. Note that we can never have a NUL byte
in the input string, because that is the terminator.
1386 | ||
1387 | (2) For a DN that is part of a URL (i.e. the base DN), the characters | |
1388 | ||
1389 | , + " \ < > ; | |
1390 | ||
1391 | must be quoted by backslashing. See RFC 2253. Leading and trailing spaces | |
1392 | must be escaped, as must a leading #. Then the string must be URL-quoted. | |
1393 | This type of quoting is implemented by ${quote_ldap_dn:....}. | |
1394 | ||
1395 | For URL quoting, the only characters that need not be quoted are the | |
1396 | alphamerics and | |
1397 | ||
1398 | ! $ ' ( ) * + - . _ | |
1399 | ||
1400 | All the others must be hexified and preceded by %. This includes the | |
1401 | backslashes used for LDAP quoting. | |
1402 | ||
1403 | For a DN that is given in the USER parameter for authentication, we need the | |
1404 | same initial quoting as (2) but in this case, the result must NOT be | |
1405 | URL-escaped, because it isn't a URL. The way this is handled is by | |
1406 | de-URL-quoting the text when processing the USER parameter in | |
1407 | control_ldap_search() above. That means that the same quote operator can be | |
1408 | used. This has the additional advantage that spaces in the DN won't cause | |
1409 | parsing problems. For example: | |
1410 | ||
1411 | USER=cn=${quote_ldap_dn:$1},%20dc=example,%20dc=com | |
1412 | ||
1413 | should be safe if there are spaces in $1. | |
1414 | ||
1415 | ||
1416 | Arguments: | |
1417 | s the string to be quoted | |
1418 | opt additional option text or NULL if none | |
1419 | only "dn" is recognized | |
1420 | ||
1421 | Returns: the processed string or NULL for a bad option | |
1422 | */ | |
1423 | ||
1424 | ||
1425 | ||
/* The characters in this string, together with alphanumerics, never need
quoting in any way. eldap_quote() excludes them from its extra-space count and
both quoting modes copy them through unchanged. */

#define ALWAYS_LITERAL "!$'-._"

/* The special characters in this string do not need to be URL-quoted. The set
is a bit larger than the general literals: ALWAYS_LITERAL plus ( ) * and +.
Note that in quote_ldap the characters ( ) * are caught by the LDAP_QUOTE test
first, so only + actually reaches the output as itself there. */

#define URL_NONQUOTE ALWAYS_LITERAL "()*+"

/* The following macros define the characters that are quoted by quote_ldap and
quote_ldap_dn, respectively: the filter specials (RFC 2254) and the DN specials
(RFC 2253); the backslash is in both. quote_ldap writes each as %5C followed by
the two hex digits of the character; quote_ldap_dn writes %5C and then the
character, URL-quoted unless it is in URL_NONQUOTE. */

#define LDAP_QUOTE "*()\\"
#define LDAP_DN_QUOTE ",+\"\\<>;"
1441 | ||
1442 | ||
1443 | ||
e6d225ae | 1444 | static uschar * |
0756eb3c PH |
1445 | eldap_quote(uschar *s, uschar *opt) |
1446 | { | |
1447 | register int c; | |
1448 | int count = 0; | |
1449 | int len = 0; | |
1450 | BOOL dn = FALSE; | |
1451 | uschar *t = s; | |
1452 | uschar *quoted; | |
1453 | ||
1454 | /* Test for a DN quotation. */ | |
1455 | ||
1456 | if (opt != NULL) | |
1457 | { | |
1458 | if (Ustrcmp(opt, "dn") != 0) return NULL; /* No others recognized */ | |
1459 | dn = TRUE; | |
1460 | } | |
1461 | ||
1462 | /* Compute how much extra store we need for the string. This doesn't have to be | |
1463 | exact as long as it isn't an underestimate. The worst case is the addition of 5 | |
1464 | extra bytes for a single character. This occurs for certain characters in DNs, | |
1465 | where, for example, < turns into %5C%3C. For simplicity, we just add 5 for each | |
1466 | possibly escaped character. The really fast way would be just to test for | |
1467 | non-alphanumerics, but it is probably better to spot a few others that are | |
1468 | never escaped, because if there are no specials at all, we can avoid copying | |
1469 | the string. */ | |
1470 | ||
1471 | while ((c = *t++) != 0) | |
1472 | { | |
1473 | len++; | |
1474 | if (!isalnum(c) && Ustrchr(ALWAYS_LITERAL, c) == NULL) count += 5; | |
1475 | } | |
1476 | if (count == 0) return s; | |
1477 | ||
1478 | /* Get sufficient store to hold the quoted string */ | |
1479 | ||
f3ebb786 | 1480 | t = quoted = store_get(len + count + 1, is_tainted(s)); |
0756eb3c PH |
1481 | |
1482 | /* Handle plain quote_ldap */ | |
1483 | ||
1484 | if (!dn) | |
1485 | { | |
1486 | while ((c = *s++) != 0) | |
1487 | { | |
1488 | if (!isalnum(c)) | |
1489 | { | |
1490 | if (Ustrchr(LDAP_QUOTE, c) != NULL) | |
1491 | { | |
1492 | sprintf(CS t, "%%5C%02X", c); /* e.g. * => %5C2A */ | |
1493 | t += 5; | |
1494 | continue; | |
1495 | } | |
1496 | if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */ | |
1497 | { | |
1498 | sprintf(CS t, "%%%02X", c); | |
1499 | t += 3; | |
1500 | continue; | |
1501 | } | |
1502 | } | |
1503 | *t++ = c; /* unquoted character */ | |
1504 | } | |
1505 | } | |
1506 | ||
1507 | /* Handle quote_ldap_dn */ | |
1508 | ||
1509 | else | |
1510 | { | |
1511 | uschar *ss = s + len; | |
1512 | ||
1513 | /* Find the last char before any trailing spaces */ | |
1514 | ||
1515 | while (ss > s && ss[-1] == ' ') ss--; | |
1516 | ||
1517 | /* Quote leading spaces and sharps */ | |
1518 | ||
1519 | for (; s < ss; s++) | |
1520 | { | |
1521 | if (*s != ' ' && *s != '#') break; | |
1522 | sprintf(CS t, "%%5C%%%02X", *s); | |
1523 | t += 6; | |
1524 | } | |
1525 | ||
1526 | /* Handle the rest of the string, up to the trailing spaces */ | |
1527 | ||
1528 | while (s < ss) | |
1529 | { | |
1530 | c = *s++; | |
1531 | if (!isalnum(c)) | |
1532 | { | |
1533 | if (Ustrchr(LDAP_DN_QUOTE, c) != NULL) | |
1534 | { | |
f3ebb786 | 1535 | Ustrncpy(t, US"%5C", 3); /* insert \ where needed */ |
1536 | t += 3; /* fall through to check URL */ |
1537 | } | |
1538 | if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */ | |
1539 | { | |
1540 | sprintf(CS t, "%%%02X", c); | |
1541 | t += 3; | |
1542 | continue; | |
1543 | } | |
1544 | } | |
1545 | *t++ = c; /* unquoted character, or non-URL quoted after %5C */ | |
1546 | } | |
1547 | ||
1548 | /* Handle the trailing spaces */ | |
1549 | ||
1550 | while (*ss++ != 0) | |
1551 | { | |
f3ebb786 | 1552 | Ustrncpy(t, US"%5C%20", 6); |
1553 | t += 6; |
1554 | } | |
1555 | } | |
1556 | ||
1557 | /* Terminate the new string and return */ | |
1558 | ||
1559 | *t = 0; | |
1560 | return quoted; | |
1561 | } | |
1562 | ||
1563 | |
1564 | ||
1565 | /************************************************* | |
1566 | * Version reporting entry point * | |
1567 | *************************************************/ | |
1568 | ||
1569 | /* See local README for interface description. */ | |
1570 | ||
1571 | #include "../version.h" | |
1572 | ||
/* Write this lookup's version line to the stream f.  Only the dynamically
loaded module build (DYNLOOKUP) reports anything; a statically linked build
leaves the stream untouched, so the parameter is deliberately unused there. */

void
ldap_version_report(FILE *f)
{
#ifndef DYNLOOKUP
(void)f;
#else
fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
#endif
}
1580 | ||
1581 | ||
/* Descriptor for the "ldap" lookup type.  It is a query-style lookup whose
search handler is eldap_find; the open, tidy and quote handlers are the same
ones used by the ldapdn and ldapm variants defined below.  This is the only
descriptor of the three that carries a version reporting hook. */

static lookup_info ldap_lookup_info = {
  .name           = US"ldap",
  .type           = lookup_querystyle,
  .open           = eldap_open,
  .find           = eldap_find,
  .quote          = eldap_quote,
  .tidy           = eldap_tidy,
  .check          = NULL,                 /* no check function */
  .close          = NULL,                 /* no close function */
  .version_report = ldap_version_report
};
1593 | ||
/* Descriptor for the "ldapdn" lookup type.  Apart from its name and its
search handler (eldapdn_find) it is identical to the "ldap" descriptor: the
open, tidy and quote handlers are shared, and version reporting is left to
the "ldap" descriptor so it is NULL here. */

static lookup_info ldapdn_lookup_info = {
  .name           = US"ldapdn",
  .type           = lookup_querystyle,
  .open           = eldap_open,           /* shared with "ldap" */
  .find           = eldapdn_find,
  .quote          = eldap_quote,          /* shared with "ldap" */
  .tidy           = eldap_tidy,           /* shared with "ldap" */
  .check          = NULL,                 /* no check function */
  .close          = NULL,                 /* no close function */
  .version_report = NULL                  /* reported by "ldap" already */
};
1605 | ||
/* Descriptor for the "ldapm" lookup type.  Apart from its name and its
search handler (eldapm_find) it is identical to the "ldap" descriptor: the
open, tidy and quote handlers are shared, and version reporting is left to
the "ldap" descriptor so it is NULL here. */

static lookup_info ldapm_lookup_info = {
  .name           = US"ldapm",
  .type           = lookup_querystyle,
  .open           = eldap_open,           /* shared with "ldap" */
  .find           = eldapm_find,
  .quote          = eldap_quote,          /* shared with "ldap" */
  .tidy           = eldap_tidy,           /* shared with "ldap" */
  .check          = NULL,                 /* no check function */
  .close          = NULL,                 /* no close function */
  .version_report = NULL                  /* reported by "ldap" already */
};
1617 | ||
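/* In the dynamically loaded module build the definition below is exported
under the generic name _lookup_module_info (the #define renames it); in a
static build it keeps its module-specific name. */

#ifdef DYNLOOKUP
#define ldap_lookup_module_info _lookup_module_info
#endif

/* Table of the lookup descriptors this module provides.  The descriptor
count is derived from the array itself rather than written as a literal, so
that adding or removing an entry cannot leave the two out of step. */

static lookup_info *_lookup_list[] = {
  &ldap_lookup_info, &ldapdn_lookup_info, &ldapm_lookup_info
};

lookup_module_info ldap_lookup_module_info = {
  LOOKUP_MODULE_INFO_MAGIC,
  _lookup_list,
  (int)(sizeof _lookup_list / sizeof _lookup_list[0])
};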
1624 | |
1625 | /* End of lookups/ldap.c */ |