projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix memory management vs acl-as-conditional, redux
[exim.git] / src / src / lookups / ldap.c
CommitLineData
0756eb3c
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
0756eb3c
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Many thanks to Stuart Lynne for contributing the original code for this
9driver. Further contibutions from Michael Haardt, Brian Candler, Barry
10Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for
11researching how to handle the different kinds of error. */
12
13
14#include "../exim.h"
15#include "lf_functions.h"
0756eb3c
PH		 16
17
765b530f
PH		 18/* Include LDAP headers. The code below uses some "old" LDAP interfaces that
19are deprecated in OpenLDAP. I don't know their status in other LDAP
20implementations. LDAP_DEPRECATED causes their prototypes to be defined in
21ldap.h. */
22
23#define LDAP_DEPRECATED 1
0756eb3c
PH		 24
25#include <lber.h>
26#include <ldap.h>
27
28
29/* Annoyingly, the different LDAP libraries handle errors in different ways,
30and some other things too. There doesn't seem to be an automatic way of
31distinguishing between them. Local/Makefile should contain a setting of
32LDAP_LIB_TYPE, which in turn causes appropriate macros to be defined for the
33different kinds. Those that matter are:
34
35LDAP_LIB_NETSCAPE
36LDAP_LIB_SOLARIS with synonym LDAP_LIB_SOLARIS7
37LDAP_LIB_OPENLDAP2
38
39These others may be defined, but are in fact the default, so are not tested:
40
41LDAP_LIB_UMICHIGAN
42LDAP_LIB_OPENLDAP1
43*/
44
45#if defined(LDAP_LIB_SOLARIS7) && ! defined(LDAP_LIB_SOLARIS)
46#define LDAP_LIB_SOLARIS
47#endif
48
49
50/* Just in case LDAP_NO_LIMIT is not defined by some of these libraries. */
51
52#ifndef LDAP_NO_LIMIT
53#define LDAP_NO_LIMIT 0
54#endif
55
56
57/* Just in case LDAP_DEREF_NEVER is not defined */
58
59#ifndef LDAP_DEREF_NEVER
60#define LDAP_DEREF_NEVER 0
61#endif
62
63
0756eb3c
PH		 64/* Four types of LDAP search are implemented */
65
66#define SEARCH_LDAP_MULTIPLE 0 /* Get attributes from multiple entries */
67#define SEARCH_LDAP_SINGLE 1 /* Get attributes from one entry only */
68#define SEARCH_LDAP_DN 2 /* Get just the DN from one entry */
69#define SEARCH_LDAP_AUTH 3 /* Just checking for authentication */
70
71/* In all 4 cases, the DN is left in $ldap_dn (which post-dates the
72SEARCH_LDAP_DN lookup). */
73
74
75/* Structure and anchor for caching connections. */
76
77typedef struct ldap_connection {
78 struct ldap_connection *next;
79 uschar *host;
80 uschar *user;
81 uschar *password;
82 BOOL bound;
83 int port;
a30a8861 84 BOOL is_start_tls_called;
0756eb3c
PH		 85 LDAP *ld;
86} LDAP_CONNECTION;
87
88static LDAP_CONNECTION *ldap_connections = NULL;
89
90
91
92/*************************************************
93* Internal search function *
94*************************************************/
95
96/* This is the function that actually does the work. It is called (indirectly
97via control_ldap_search) from eldap_find(), eldapauth_find(), eldapdn_find(),
98and eldapm_find(), with a difference in the "search_type" argument.
99
100The case of eldapauth_find() is special in that all it does is do
101authentication, returning OK or FAIL as appropriate. This isn't used as a
102lookup. Instead, it is called from expand.c as an expansion condition test.
103
104The DN from a successful lookup is placed in $ldap_dn. This feature postdates
105the provision of the SEARCH_LDAP_DN facility for returning just the DN as the
106data.
107
108Arguments:
109 ldap_url the URL to be looked up
110 server server host name, when URL contains none
111 s_port server port, used when URL contains no name
112 search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries
113 SEARCH_LDAP_SINGLE allows values from one entry only
114 SEARCH_LDAP_DN gets the DN from one entry
115 res set to point at the result (not used for ldapauth)
116 errmsg set to point a message if result is not OK
117 defer_break set TRUE if no more servers to be tried after a DEFER
118 user user name for authentication, or NULL
119 password password for authentication, or NULL
120 sizelimit max number of entries returned, or 0 for no limit
121 timelimit max time to wait, or 0 for no limit
d00328e2 122 tcplimit max time for network activity, e.g. connect, or 0 for OS default
0756eb3c
PH		 123 deference the dereference option, which is one of
124 LDAP_DEREF_{NEVER,SEARCHING,FINDING,ALWAYS}
6ec97b1b 125 referrals the referral option, which is LDAP_OPT_ON or LDAP_OPT_OFF
0756eb3c
PH		 126
127Returns: OK or FAIL or DEFER
128 FAIL is given only if a lookup was performed successfully, but
129 returned no data.
130*/
131
132static int
133perform_ldap_search(uschar *ldap_url, uschar *server, int s_port, int search_type,
134 uschar **res, uschar **errmsg, BOOL *defer_break, uschar *user, uschar *password,
6ec97b1b 135 int sizelimit, int timelimit, int tcplimit, int dereference, void *referrals)
0756eb3c
PH		 136{
137LDAPURLDesc *ludp = NULL;
138LDAPMessage *result = NULL;
139BerElement *ber;
140LDAP_CONNECTION *lcp;
141
142struct timeval timeout;
143struct timeval *timeoutptr = NULL;
144
145uschar *attr;
146uschar **attrp;
147uschar *data = NULL;
148uschar *dn = NULL;
149uschar *host;
150uschar **values;
151uschar **firstval;
152uschar porttext[16];
153
154uschar *error1 = NULL; /* string representation of errcode (static) */
155uschar *error2 = NULL; /* error message from the server */
156uschar *matched = NULL; /* partially matched DN */
157
158int attr_count = 0;
159int error_yield = DEFER;
160int msgid;
d38f8232 161int rc, ldap_rc, ldap_parse_rc;
0756eb3c
PH		 162int port;
163int ptr = 0;
164int rescount = 0;
165int size = 0;
166BOOL attribute_found = FALSE;
167BOOL ldapi = FALSE;
168
169DEBUG(D_lookup)
170 debug_printf("perform_ldap_search: ldap%s URL = \"%s\" server=%s port=%d "
171 "sizelimit=%d timelimit=%d tcplimit=%d\n",
172 (search_type == SEARCH_LDAP_MULTIPLE)? "m" :
173 (search_type == SEARCH_LDAP_DN)? "dn" :
174 (search_type == SEARCH_LDAP_AUTH)? "auth" : "",
175 ldap_url, server, s_port, sizelimit, timelimit, tcplimit);
176
177/* Check if LDAP thinks the URL is a valid LDAP URL. We assume that if the LDAP
178library that is in use doesn't recognize, say, "ldapi", it will barf here. */
179
180if (!ldap_is_ldap_url(CS ldap_url))
181 {
182 *errmsg = string_sprintf("ldap_is_ldap_url: not an LDAP url \"%s\"\n",
183 ldap_url);
184 goto RETURN_ERROR_BREAK;
185 }
186
187/* Parse the URL */
188
189if ((rc = ldap_url_parse(CS ldap_url, &ludp)) != 0)
190 {
191 *errmsg = string_sprintf("ldap_url_parse: (error %d) parsing \"%s\"\n", rc,
192 ldap_url);
193 goto RETURN_ERROR_BREAK;
194 }
195
196/* If the host name is empty, take it from the separate argument, if one is
197given. OpenLDAP 2.0.6 sets an unset hostname to "" rather than empty, but
198expects NULL later in ldap_init() to mean "default", annoyingly. In OpenLDAP
1992.0.11 this has changed (it uses NULL). */
200
201if ((ludp->lud_host == NULL || ludp->lud_host[0] == 0) && server != NULL)
202 {
203 host = server;
204 port = s_port;
205 }
206else
207 {
208 host = US ludp->lud_host;
209 if (host != NULL && host[0] == 0) host = NULL;
210 port = ludp->lud_port;
211 }
212
213DEBUG(D_lookup) debug_printf("after ldap_url_parse: host=%s port=%d\n",
214 host, port);
215
216if (port == 0) port = LDAP_PORT; /* Default if none given */
217sprintf(CS porttext, ":%d", port); /* For messages */
218
219/* If the "host name" is actually a path, we are going to connect using a Unix
220socket, regardless of whether "ldapi" was actually specified or not. This means
221that a Unix socket can be declared in eldap_default_servers, and "traditional"
222LDAP queries using just "ldap" can be used ("ldaps" is similarly overridden).
223The path may start with "/" or it may already be escaped as "%2F" if it was
224actually declared that way in eldap_default_servers. (I did it that way the
225first time.) If the host name is not a path, the use of "ldapi" causes an
226error, except in the default case. (But lud_scheme doesn't seem to exist in
227older libraries.) */
228
229if (host != NULL)
230 {
231 if ((host[0] == '/' || Ustrncmp(host, "%2F", 3) == 0))
232 {
233 ldapi = TRUE;
234 porttext[0] = 0; /* Remove port from messages */
235 }
236
237 #if defined LDAP_LIB_OPENLDAP2
238 else if (strncmp(ludp->lud_scheme, "ldapi", 5) == 0)
239 {
240 *errmsg = string_sprintf("ldapi requires an absolute path (\"%s\" given)",
241 host);
242 goto RETURN_ERROR;
243 }
244 #endif
245 }
246
247/* Count the attributes; we need this later to tell us how to format results */
248
249for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++)
250 attr_count++;
251
252/* See if we can find a cached connection to this host. The port is not
253relevant for ldapi. The host name pointer is set to NULL if no host was given
254(implying the library default), rather than to the empty string. Note that in
255this case, there is no difference between ldap and ldapi. */
256
257for (lcp = ldap_connections; lcp != NULL; lcp = lcp->next)
258 {
259 if ((host == NULL) != (lcp->host == NULL) ||
260 (host != NULL && strcmpic(lcp->host, host) != 0))
261 continue;
262 if (ldapi || port == lcp->port) break;
263 }
264
d00328e2
PH		 265/* Use this network timeout in any requests. */
266
267if (tcplimit > 0)
268 {
269 timeout.tv_sec = tcplimit;
270 timeout.tv_usec = 0;
271 timeoutptr = &timeout;
272 }
273
0756eb3c
PH		 274/* If no cached connection found, we must open a connection to the server. If
275the server name is actually an absolute path, we set ldapi=TRUE above. This
276requests connection via a Unix socket. However, as far as I know, only OpenLDAP
277supports the use of sockets, and the use of ldap_initialize(). */
278
279if (lcp == NULL)
280 {
281 LDAP *ld;
282
283
284 /* --------------------------- OpenLDAP ------------------------ */
285
286 /* There seems to be a preference under OpenLDAP for ldap_initialize()
287 instead of ldap_init(), though I have as yet been unable to find
288 documentation that says this. (OpenLDAP documentation is sparse to
289 non-existent). So we handle OpenLDAP differently here. Also, support for
290 ldapi seems to be OpenLDAP-only at present. */
291
292 #ifdef LDAP_LIB_OPENLDAP2
293
294 /* We now need an empty string for the default host. Get some store in which
295 to build a URL for ldap_initialize(). In the ldapi case, it can't be bigger
296 than (9 + 3*Ustrlen(shost)), whereas in the other cases it can't be bigger
297 than the host name + "ldaps:///" plus : and a port number, say 20 + the
298 length of the host name. What we get should accommodate both, easily. */
299
300 uschar *shost = (host == NULL)? US"" : host;
301 uschar *init_url = store_get(20 + 3 * Ustrlen(shost));
302 uschar *init_ptr;
303
304 /* Handle connection via Unix socket ("ldapi"). We build a basic LDAP URI to
305 contain the path name, with slashes escaped as %2F. */
306
307 if (ldapi)
308 {
309 int ch;
310 init_ptr = init_url + 8;
311 Ustrcpy(init_url, "ldapi://");
312 while ((ch = *shost++) != 0)
313 {
314 if (ch == '/')
315 {
316 Ustrncpy(init_ptr, "%2F", 3);
317 init_ptr += 3;
318 }
319 else *init_ptr++ = ch;
320 }
321 *init_ptr = 0;
322 }
323
324 /* This is not an ldapi call. Just build a URI with the protocol type, host
325 name, and port. */
326
327 else
328 {
329 init_ptr = Ustrchr(ldap_url, '/');
330 Ustrncpy(init_url, ldap_url, init_ptr - ldap_url);
331 init_ptr = init_url + (init_ptr - ldap_url);
332 sprintf(CS init_ptr, "//%s:%d/", shost, port);
333 }
334
335 /* Call ldap_initialize() and check the result */
336
337 DEBUG(D_lookup) debug_printf("ldap_initialize with URL %s\n", init_url);
338 rc = ldap_initialize(&ld, CS init_url);
339 if (rc != LDAP_SUCCESS)
340 {
341 *errmsg = string_sprintf("ldap_initialize: (error %d) URL \"%s\"\n",
342 rc, init_url);
343 goto RETURN_ERROR;
344 }
345 store_reset(init_url); /* Might as well save memory when we can */
346
347
348 /* ------------------------- Not OpenLDAP ---------------------- */
349
350 /* For libraries other than OpenLDAP, use ldap_init(). */
351
352 #else /* LDAP_LIB_OPENLDAP2 */
353 ld = ldap_init(CS host, port);
354 #endif /* LDAP_LIB_OPENLDAP2 */
355
356 /* -------------------------------------------------------------- */
357
358
359 /* Handle failure to initialize */
360
361 if (ld == NULL)
362 {
363 *errmsg = string_sprintf("failed to initialize for LDAP server %s%s - %s",
364 host, porttext, strerror(errno));
365 goto RETURN_ERROR;
366 }
367
368 /* Set the TCP connect time limit if available. This is something that is
369 in Netscape SDK v4.1; I don't know about other libraries. */
370
371 #ifdef LDAP_X_OPT_CONNECT_TIMEOUT
7c7ad977
PH		 372 if (tcplimit > 0)
373 {
994a09e9 374 int timeout1000 = tcplimit*1000;
7c7ad977
PH		 375 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000);
376 }
994a09e9
PH		 377 else
378 {
379 int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT;
380 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&notimeout);
381 }
0756eb3c
PH		 382 #endif
383
7c7ad977
PH		 384 /* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */
385
386 #ifdef LDAP_OPT_NETWORK_TIMEOUT
387 if (tcplimit > 0)
388 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr);
8e669ac1 389 #endif
7c7ad977 390
0756eb3c
PH		 391 /* I could not get TLS to work until I set the version to 3. That version
392 seems to be the default nowadays. The RFC is dated 1997, so I would hope
393 that all the LDAP libraries support it. Therefore, if eldap_version hasn't
394 been set, go for v3 if we can. */
395
396 if (eldap_version < 0)
397 {
398 #ifdef LDAP_VERSION3
399 eldap_version = LDAP_VERSION3;
400 #else
401 eldap_version = 2;
402 #endif
403 }
404
405 #ifdef LDAP_OPT_PROTOCOL_VERSION
406 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *)&eldap_version);
407 #endif
408
409 DEBUG(D_lookup) debug_printf("initialized for LDAP (v%d) server %s%s\n",
410 eldap_version, host, porttext);
411
412 /* If not using ldapi and TLS is available, set appropriate TLS options: hard
413 for "ldaps" and soft otherwise. */
414
415 #ifdef LDAP_OPT_X_TLS
416 if (!ldapi)
417 {
418 int tls_option;
33382dd9
TL		 419 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
420 if (eldap_require_cert != NULL)
421 {
422 tls_option = LDAP_OPT_X_TLS_NEVER;
423 if (Ustrcmp(eldap_require_cert, "hard") == 0)
424 {
425 tls_option = LDAP_OPT_X_TLS_HARD;
426 }
427 else if (Ustrcmp(eldap_require_cert, "demand") == 0)
428 {
429 tls_option = LDAP_OPT_X_TLS_DEMAND;
430 }
431 else if (Ustrcmp(eldap_require_cert, "allow") == 0)
432 {
433 tls_option = LDAP_OPT_X_TLS_ALLOW;
434 }
435 else if (Ustrcmp(eldap_require_cert, "try") == 0)
436 {
437 tls_option = LDAP_OPT_X_TLS_TRY;
438 }
439 DEBUG(D_lookup)
440 debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
441 tls_option);
442 }
443 else
444 #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
0756eb3c
PH		 445 if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
446 {
447 tls_option = LDAP_OPT_X_TLS_HARD;
33382dd9
TL		 448 DEBUG(D_lookup)
449 debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
0756eb3c
PH		 450 }
451 else
452 {
453 tls_option = LDAP_OPT_X_TLS_TRY;
33382dd9
TL		 454 DEBUG(D_lookup)
455 debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
0756eb3c
PH		 456 }
457 ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
458 }
459 #endif /* LDAP_OPT_X_TLS */
460
bc19a55b
PP		 461 #ifdef LDAP_OPT_X_TLS_CACERTFILE
462 if (eldap_ca_cert_file != NULL)
463 {
464 ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
465 }
466 #endif
467 #ifdef LDAP_OPT_X_TLS_CACERTDIR
468 if (eldap_ca_cert_dir != NULL)
469 {
470 ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
471 }
472 #endif
473 #ifdef LDAP_OPT_X_TLS_CERTFILE
474 if (eldap_cert_file != NULL)
475 {
476 ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
477 }
478 #endif
479 #ifdef LDAP_OPT_X_TLS_KEYFILE
480 if (eldap_cert_key != NULL)
481 {
482 ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
483 }
484 #endif
485 #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
486 if (eldap_cipher_suite != NULL)
487 {
488 ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
489 }
490 #endif
491 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
492 if (eldap_require_cert != NULL)
493 {
494 int cert_option = LDAP_OPT_X_TLS_NEVER;
495 if (Ustrcmp(eldap_require_cert, "hard") == 0)
496 {
497 cert_option = LDAP_OPT_X_TLS_HARD;
498 }
499 else if (Ustrcmp(eldap_require_cert, "demand") == 0)
500 {
501 cert_option = LDAP_OPT_X_TLS_DEMAND;
502 }
503 else if (Ustrcmp(eldap_require_cert, "allow") == 0)
504 {
505 cert_option = LDAP_OPT_X_TLS_ALLOW;
506 }
507 else if (Ustrcmp(eldap_require_cert, "try") == 0)
508 {
509 cert_option = LDAP_OPT_X_TLS_TRY;
510 }
33382dd9
TL		 511 /* Use NULL ldap handle because is a global option */
512 ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
bc19a55b
PP		 513 }
514 #endif
515
0756eb3c
PH		 516 /* Now add this connection to the chain of cached connections */
517
518 lcp = store_get(sizeof(LDAP_CONNECTION));
519 lcp->host = (host == NULL)? NULL : string_copy(host);
520 lcp->bound = FALSE;
521 lcp->user = NULL;
522 lcp->password = NULL;
523 lcp->port = port;
524 lcp->ld = ld;
525 lcp->next = ldap_connections;
a30a8861 526 lcp->is_start_tls_called = FALSE;
0756eb3c
PH		 527 ldap_connections = lcp;
528 }
529
530/* Found cached connection */
531
532else
533 {
534 DEBUG(D_lookup)
535 debug_printf("re-using cached connection to LDAP server %s%s\n",
536 host, porttext);
537 }
538
539/* Bind with the user/password supplied, or an anonymous bind if these values
540are NULL, unless a cached connection is already bound with the same values. */
541
542if (!lcp->bound ||
543 (lcp->user == NULL && user != NULL) ||
544 (lcp->user != NULL && user == NULL) ||
545 (lcp->user != NULL && user != NULL && Ustrcmp(lcp->user, user) != 0) ||
546 (lcp->password == NULL && password != NULL) ||
547 (lcp->password != NULL && password == NULL) ||
548 (lcp->password != NULL && password != NULL &&
549 Ustrcmp(lcp->password, password) != 0))
550 {
551 DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
552 (lcp->bound)? "re-" : "", user, password);
a30a8861 553 if (eldap_start_tls && !lcp->is_start_tls_called)
bc19a55b 554 {
d13cdd30
PP		 555#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
556 /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
557 * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
558 * export an ldap_start_tls_s symbol.
559 */
560 if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
561 {
562 *errmsg = string_sprintf("failed to initiate TLS processing on an "
563 "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
564 " %s", host, porttext, rc, ldap_err2string(rc));
565 goto RETURN_ERROR;
566 }
a30a8861 567 lcp->is_start_tls_called = TRUE;
d13cdd30
PP		 568#else
569 DEBUG(D_lookup)
570 debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
867fcbf5 571#endif
d13cdd30 572 }
7c7ad977
PH		 573 if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
574 == -1)
0756eb3c 575 {
7c7ad977 576 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
d00328e2 577 "%s%s - ldap_bind() returned -1", host, porttext);
7c7ad977
PH		 578 goto RETURN_ERROR;
579 }
0756eb3c 580
7c7ad977
PH		 581 if ((rc = ldap_result( lcp->ld, msgid, 1, timeoutptr, &result )) <= 0)
582 {
583 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
8e669ac1 584 "%s%s - LDAP error: %s", host, porttext,
7c7ad977
PH		 585 rc == -1 ? "result retrieval failed" : "timeout" );
586 result = NULL;
587 goto RETURN_ERROR;
588 }
589
590 rc = ldap_result2error( lcp->ld, result, 0 );
591
592 /* Invalid credentials when just checking credentials returns FAIL. This
593 stops any further servers being tried. */
0756eb3c 594
7c7ad977
PH		 595 if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS)
596 {
597 DEBUG(D_lookup)
598 debug_printf("Invalid credentials: ldapauth returns FAIL\n");
599 error_yield = FAIL;
600 goto RETURN_ERROR_NOMSG;
601 }
0756eb3c 602
7c7ad977
PH		 603 /* Otherwise we have a problem that doesn't stop further servers from being
604 tried. */
605
606 if (rc != LDAP_SUCCESS)
607 {
0756eb3c
PH		 608 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
609 "%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc));
610 goto RETURN_ERROR;
611 }
612
613 /* Successful bind */
614
615 lcp->bound = TRUE;
616 lcp->user = (user == NULL)? NULL : string_copy(user);
617 lcp->password = (password == NULL)? NULL : string_copy(password);
7c7ad977
PH		 618
619 ldap_msgfree(result);
620 result = NULL;
0756eb3c
PH		 621 }
622
623/* If we are just checking credentials, return OK. */
624
625if (search_type == SEARCH_LDAP_AUTH)
626 {
627 DEBUG(D_lookup) debug_printf("Bind succeeded: ldapauth returns OK\n");
628 goto RETURN_OK;
629 }
630
631/* Before doing the search, set the time and size limits (if given). Here again
632the different implementations of LDAP have chosen to do things differently. */
633
634#if defined(LDAP_OPT_SIZELIMIT)
635ldap_set_option(lcp->ld, LDAP_OPT_SIZELIMIT, (void *)&sizelimit);
636ldap_set_option(lcp->ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit);
637#else
638lcp->ld->ld_sizelimit = sizelimit;
639lcp->ld->ld_timelimit = timelimit;
640#endif
641
642/* Similarly for dereferencing aliases. Don't know if this is possible on
643an LDAP library without LDAP_OPT_DEREF. */
644
645#if defined(LDAP_OPT_DEREF)
646ldap_set_option(lcp->ld, LDAP_OPT_DEREF, (void *)&dereference);
647#endif
648
6ec97b1b
PH		 649/* Similarly for the referral setting; should the library follow referrals that
650the LDAP server returns? The conditional is just in case someone uses a library
651without it. */
652
653#if defined(LDAP_OPT_REFERRALS)
654ldap_set_option(lcp->ld, LDAP_OPT_REFERRALS, referrals);
655#endif
656
0756eb3c
PH		 657/* Start the search on the server. */
658
659DEBUG(D_lookup) debug_printf("Start search\n");
660
661msgid = ldap_search(lcp->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter,
662 ludp->lud_attrs, 0);
663
664if (msgid == -1)
665 {
3ca0ba97
PH		 666 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
667 int err;
668 ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
8e669ac1 669 *errmsg = string_sprintf("ldap_search failed: %d, %s", err,
3ca0ba97 670 ldap_err2string(err));
8e669ac1
PH		 671
672 #else
3ca0ba97
PH		 673 *errmsg = string_sprintf("ldap_search failed");
674 #endif
8e669ac1 675
0756eb3c
PH		 676 goto RETURN_ERROR;
677 }
678
679/* Loop to pick up results as they come in, setting a timeout if one was
680given. */
681
0756eb3c
PH		 682while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
683 LDAP_RES_SEARCH_ENTRY)
684 {
685 LDAPMessage *e;
686
687 DEBUG(D_lookup) debug_printf("ldap_result loop\n");
688
689 for(e = ldap_first_entry(lcp->ld, result);
690 e != NULL;
691 e = ldap_next_entry(lcp->ld, e))
692 {
693 uschar *new_dn;
694 BOOL insert_space = FALSE;
695
696 DEBUG(D_lookup) debug_printf("LDAP entry loop\n");
697
698 rescount++; /* Count results */
699
700 /* Results for multiple entries values are separated by newlines. */
701
702 if (data != NULL) data = string_cat(data, &size, &ptr, US"\n", 1);
703
704 /* Get the DN from the last result. */
705
706 new_dn = US ldap_get_dn(lcp->ld, e);
707 if (new_dn != NULL)
708 {
709 if (dn != NULL)
710 {
711 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
712 ldap_memfree(dn);
713 #else /* OPENLDAP 1, UMich, Solaris */
714 free(dn);
715 #endif
716 }
717 /* Save for later */
718 dn = new_dn;
719 }
720
721 /* If the data we want is actually the DN rather than any attribute values,
722 (an "ldapdn" search) add it to the data string. If there are multiple
723 entries, the DNs will be concatenated, but we test for this case below, as
724 for SEARCH_LDAP_SINGLE, and give an error. */
725
726 if (search_type == SEARCH_LDAP_DN) /* Do not amalgamate these into one */
727 { /* condition, because of the else */
728 if (new_dn != NULL) /* below, that's for the first only */
729 {
730 data = string_cat(data, &size, &ptr, new_dn, Ustrlen(new_dn));
731 data[ptr] = 0;
732 attribute_found = TRUE;
733 }
734 }
735
736 /* Otherwise, loop through the entry, grabbing attribute values. If there's
737 only one attribute being retrieved, no attribute name is given, and the
738 result is not quoted. Multiple values are separated by (comma, space).
739 If more than one attribute is being retrieved, the data is given as a
740 sequence of name=value pairs, with the value always in quotes. If there are
741 multiple values, they are given within the quotes, comma separated. */
742
743 else for (attr = US ldap_first_attribute(lcp->ld, e, &ber);
744 attr != NULL;
745 attr = US ldap_next_attribute(lcp->ld, e, ber))
746 {
747 if (attr[0] != 0)
748 {
749 /* Get array of values for this attribute. */
750
751 if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr))
752 != NULL)
753 {
754 if (attr_count != 1)
755 {
756 if (insert_space)
757 data = string_cat(data, &size, &ptr, US" ", 1);
758 else
759 insert_space = TRUE;
760 data = string_cat(data, &size, &ptr, attr, Ustrlen(attr));
761 data = string_cat(data, &size, &ptr, US"=\"", 2);
762 }
763
764 while (*values != NULL)
765 {
766 uschar *value = *values;
767 int len = Ustrlen(value);
768
769 DEBUG(D_lookup) debug_printf("LDAP attr loop %s:%s\n", attr, value);
770
771 if (values != firstval)
7bba24eb 772 data = string_cat(data, &size, &ptr, US",", 1);
0756eb3c
PH		 773
774 /* For multiple attributes, the data is in quotes. We must escape
7bba24eb 775 internal quotes, backslashes, newlines, and must double commas. */
0756eb3c
PH		 776
777 if (attr_count != 1)
778 {
779 int j;
780 for (j = 0; j < len; j++)
781 {
782 if (value[j] == '\n')
783 data = string_cat(data, &size, &ptr, US"\\n", 2);
7bba24eb
JH		 784 else if (value[j] == ',')
785 data = string_cat(data, &size, &ptr, US",,", 2);
0756eb3c
PH		 786 else
787 {
788 if (value[j] == '\"' || value[j] == '\\')
789 data = string_cat(data, &size, &ptr, US"\\", 1);
790 data = string_cat(data, &size, &ptr, value+j, 1);
791 }
792 }
793 }
794
7bba24eb
JH		 795 /* For single attributes, just double commas */
796
797 else
798 {
799 int j;
800 for (j = 0; j < len; j++)
801 {
802 if (value[j] == ',')
803 data = string_cat(data, &size, &ptr, US",,", 2);
804 else
805 data = string_cat(data, &size, &ptr, value+j, 1);
806 }
807 }
0756eb3c 808
0756eb3c
PH		 809
810 /* Move on to the next value */
811
812 values++;
813 attribute_found = TRUE;
814 }
815
816 /* Closing quote at the end of the data for a named attribute. */
817
818 if (attr_count != 1)
819 data = string_cat(data, &size, &ptr, US"\"", 1);
820
821 /* Free the values */
822
823 ldap_value_free(CSS firstval);
824 }
825 }
826
827 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
828
829 /* Netscape and OpenLDAP2 LDAP's attrs are dynamically allocated and need
830 to be freed. UMich LDAP stores them in static storage and does not require
831 this. */
832
833 ldap_memfree(attr);
834 #endif
835 } /* End "for" loop for extracting attributes from an entry */
836 } /* End "for" loop for extracting entries from a result */
837
838 /* Free the result */
839
840 ldap_msgfree(result);
841 result = NULL;
842 } /* End "while" loop for multiple results */
843
844/* Terminate the dynamic string that we have built and reclaim unused store */
845
846if (data != NULL)
847 {
848 data[ptr] = 0;
849 store_reset(data + ptr + 1);
850 }
851
852/* Copy the last dn into eldap_dn */
853
854if (dn != NULL)
855 {
856 eldap_dn = string_copy(dn);
857 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
858 ldap_memfree(dn);
859 #else /* OPENLDAP 1, UMich, Solaris */
860 free(dn);
861 #endif
862 }
863
864DEBUG(D_lookup) debug_printf("search ended by ldap_result yielding %d\n",rc);
865
866if (rc == 0)
867 {
868 *errmsg = US"ldap_result timed out";
869 goto RETURN_ERROR;
870 }
871
872/* A return code of -1 seems to mean "ldap_result failed internally or couldn't
873provide you with a message". Other error states seem to exist where
874ldap_result() didn't give us any message from the server at all, leaving result
875set to NULL. Apparently, "the error parameters of the LDAP session handle will
876be set accordingly". That's the best we can do to retrieve an error status; we
877can't use functions like ldap_result2error because they parse a message from
878the server, which we didn't get.
879
880Annoyingly, the different implementations of LDAP have gone for different
881methods of handling error codes and generating error messages. */
882
883if (rc == -1 || result == NULL)
884 {
885 int err;
886 DEBUG(D_lookup) debug_printf("ldap_result failed\n");
887
888 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
889 ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
890 *errmsg = string_sprintf("ldap_result failed: %d, %s",
891 err, ldap_err2string(err));
892
893 #elif defined LDAP_LIB_NETSCAPE
894 /* Dubious (surely 'matched' is spurious here?) */
895 (void)ldap_get_lderrno(lcp->ld, &matched, &error1);
896 *errmsg = string_sprintf("ldap_result failed: %s (%s)", error1, matched);
897
898 #else /* UMich LDAP aka OpenLDAP 1.x */
899 *errmsg = string_sprintf("ldap_result failed: %d, %s",
900 lcp->ld->ld_errno, ldap_err2string(lcp->ld->ld_errno));
901 #endif
902
903 goto RETURN_ERROR;
904 }
905
906/* A return code that isn't -1 doesn't necessarily mean there were no problems
8e669ac1
PH		 907with the search. The message must be an LDAP_RES_SEARCH_RESULT or
908LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
909of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
3295e65b
PH		 910we don't provide that functionality when we can't. :-) */
911
8e669ac1 912if (rc != LDAP_RES_SEARCH_RESULT
3295e65b
PH		 913#ifdef LDAP_RES_SEARCH_REFERENCE
914 && rc != LDAP_RES_SEARCH_REFERENCE
8e669ac1 915#endif
3295e65b 916 )
0756eb3c
PH		 917 {
918 *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
919 goto RETURN_ERROR;
920 }
921
922/* We have a result message from the server. This doesn't yet mean all is well.
923We need to parse the message to find out exactly what's happened. */
924
d38f8232
PH		 925#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
926 ldap_rc = rc;
8e669ac1 927 ldap_parse_rc = ldap_parse_result(lcp->ld, result, &rc, CSS &matched,
d38f8232
PH		 928 CSS &error2, NULL, NULL, 0);
929 DEBUG(D_lookup) debug_printf("ldap_parse_result: %d\n", ldap_parse_rc);
8e669ac1 930 if (ldap_parse_rc < 0 &&
3295e65b 931 (ldap_parse_rc != LDAP_NO_RESULTS_RETURNED
8e669ac1 932 #ifdef LDAP_RES_SEARCH_REFERENCE
3295e65b 933 || ldap_rc != LDAP_RES_SEARCH_REFERENCE
8e669ac1 934 #endif
3295e65b 935 ))
0756eb3c 936 {
d38f8232 937 *errmsg = string_sprintf("ldap_parse_result failed %d", ldap_parse_rc);
0756eb3c
PH		 938 goto RETURN_ERROR;
939 }
940 error1 = US ldap_err2string(rc);
941
942#elif defined LDAP_LIB_NETSCAPE
943 /* Dubious (it doesn't reference 'result' at all!) */
944 rc = ldap_get_lderrno(lcp->ld, &matched, &error1);
945
946#else /* UMich LDAP aka OpenLDAP 1.x */
947 rc = ldap_result2error(lcp->ld, result, 0);
948 error1 = ldap_err2string(rc);
949 error2 = lcp->ld->ld_error;
950 matched = lcp->ld->ld_matched;
951#endif
952
953/* Process the status as follows:
954
955 (1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the
956 truncated result list.
957
21eb6e72
PH		 958 (2) If we get LDAP_RES_SEARCH_REFERENCE, also just carry on. This was a
959 submitted patch that is reported to "do the right thing" with Solaris
960 LDAP libraries. (The problem it addresses apparently does not occur with
961 Open LDAP.)
962
963 (3) The range of errors defined by LDAP_NAME_ERROR generally mean "that
0756eb3c
PH		 964 object does not, or cannot, exist in the database". For those cases we
965 fail the lookup.
966
21eb6e72 967 (4) All other non-successes here are treated as some kind of problem with
0756eb3c
PH		 968 the lookup, so return DEFER (which is the default in error_yield).
969*/
970
971DEBUG(D_lookup) debug_printf("ldap_parse_result yielded %d: %s\n",
972 rc, ldap_err2string(rc));
973
21eb6e72
PH		 974if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED
975 #ifdef LDAP_RES_SEARCH_REFERENCE
976 && rc != LDAP_RES_SEARCH_REFERENCE
977 #endif
978 )
0756eb3c
PH		 979 {
980 *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
981 rc,
982 (error1 != NULL)? error1 : US"",
983 (error2 != NULL && error2[0] != 0)? US"/" : US"",
984 (error2 != NULL)? error2 : US"",
985 (matched != NULL && matched[0] != 0)? US"/" : US"",
986 (matched != NULL)? matched : US"");
987
988 #if defined LDAP_NAME_ERROR
989 if (LDAP_NAME_ERROR(rc))
990 #elif defined NAME_ERROR /* OPENLDAP1 calls it this */
991 if (NAME_ERROR(rc))
992 #else
993 if (rc == LDAP_NO_SUCH_OBJECT)
994 #endif
995
996 {
997 DEBUG(D_lookup) debug_printf("lookup failure forced\n");
998 error_yield = FAIL;
999 }
1000 goto RETURN_ERROR;
1001 }
1002
1003/* The search succeeded. Check if we have too many results */
1004
1005if (search_type != SEARCH_LDAP_MULTIPLE && rescount > 1)
1006 {
1007 *errmsg = string_sprintf("LDAP search: more than one entry (%d) was returned "
1008 "(filter not specific enough?)", rescount);
1009 goto RETURN_ERROR_BREAK;
1010 }
1011
1012/* Check if we have too few (zero) entries */
1013
1014if (rescount < 1)
1015 {
1016 *errmsg = string_sprintf("LDAP search: no results");
1017 error_yield = FAIL;
1018 goto RETURN_ERROR_BREAK;
1019 }
1020
1021/* If an entry was found, but it had no attributes, we behave as if no entries
1022were found, that is, the lookup failed. */
1023
1024if (!attribute_found)
1025 {
1026 *errmsg = US"LDAP search: found no attributes";
1027 error_yield = FAIL;
1028 goto RETURN_ERROR;
1029 }
1030
1031/* Otherwise, it's all worked */
1032
1033DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data);
1034*res = data;
1035
1036RETURN_OK:
1037if (result != NULL) ldap_msgfree(result);
1038ldap_free_urldesc(ludp);
1039return OK;
1040
1041/* Error returns */
1042
1043RETURN_ERROR_BREAK:
1044*defer_break = TRUE;
1045
1046RETURN_ERROR:
1047DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1048
1049RETURN_ERROR_NOMSG:
1050if (result != NULL) ldap_msgfree(result);
1051if (ludp != NULL) ldap_free_urldesc(ludp);
1052
1053#if defined LDAP_LIB_OPENLDAP2
1054 if (error2 != NULL) ldap_memfree(error2);
1055 if (matched != NULL) ldap_memfree(matched);
1056#endif
1057
1058return error_yield;
1059}
1060
1061
1062
1063/*************************************************
1064* Internal search control function *
1065*************************************************/
1066
1067/* This function is called from eldap_find(), eldapauth_find(), eldapdn_find(),
1068and eldapm_find() with a difference in the "search_type" argument. It controls
1069calls to perform_ldap_search() which actually does the work. We call that
1070repeatedly for certain types of defer in the case when the URL contains no host
1071name and eldap_default_servers is set to a list of servers to try. This gives
1072more control than just passing over a list of hosts to ldap_open() because it
1073handles other kinds of defer as well as just a failure to open. Note that the
1074URL is defined to contain either zero or one "hostport" only.
1075
1076Parameter data in addition to the URL can be passed as preceding text in the
1077string, as items of the form XXX=yyy. The URL itself can be detected because it
1078must begin "ldapx://", where x is empty, s, or i.
1079
1080Arguments:
1081 ldap_url the URL to be looked up, optionally preceded by other parameter
1082 settings
1083 search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries
1084 SEARCH_LDAP_SINGLE allows values from one entry only
1085 SEARCH_LDAP_DN gets the DN from one entry
1086 res set to point at the result
1087 errmsg set to point a message if result is not OK
1088
1089Returns: OK or FAIL or DEFER
1090*/
1091
1092static int
1093control_ldap_search(uschar *ldap_url, int search_type, uschar **res,
1094 uschar **errmsg)
1095{
1096BOOL defer_break = FALSE;
1097int timelimit = LDAP_NO_LIMIT;
1098int sizelimit = LDAP_NO_LIMIT;
7c7ad977 1099int tcplimit = 0;
0756eb3c 1100int sep = 0;
6ec97b1b
PH		 1101int dereference = LDAP_DEREF_NEVER;
1102void* referrals = LDAP_OPT_ON;
0756eb3c
PH		 1103uschar *url = ldap_url;
1104uschar *p;
1105uschar *user = NULL;
1106uschar *password = NULL;
1107uschar *server, *list;
1108uschar buffer[512];
1109
1110while (isspace(*url)) url++;
1111
1112/* Until the string begins "ldap", search for the other parameter settings that
1113are recognized. They are of the form NAME=VALUE, with the value being
1114optionally double-quoted. There must still be a space after it, however. No
1115NAME has the value "ldap". */
1116
1117while (strncmpic(url, US"ldap", 4) != 0)
1118 {
1119 uschar *name = url;
1120 while (*url != 0 && *url != '=') url++;
1121 if (*url == '=')
1122 {
1123 int namelen;
1124 uschar *value;
1125 namelen = ++url - name;
1126 value = string_dequote(&url);
1127 if (isspace(*url))
1128 {
1129 if (strncmpic(name, US"USER=", namelen) == 0) user = value;
1130 else if (strncmpic(name, US"PASS=", namelen) == 0) password = value;
1131 else if (strncmpic(name, US"SIZE=", namelen) == 0) sizelimit = Uatoi(value);
1132 else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
7c7ad977
PH		 1133 else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
1134 else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
0756eb3c
PH		 1135
1136 /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
1137
1138 #ifdef LDAP_OPT_DEREF
1139 else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
1140 {
1141 if (strcmpic(value, US"never") == 0) dereference = LDAP_DEREF_NEVER;
1142 else if (strcmpic(value, US"searching") == 0)
1143 dereference = LDAP_DEREF_SEARCHING;
1144 else if (strcmpic(value, US"finding") == 0)
1145 dereference = LDAP_DEREF_FINDING;
1146 if (strcmpic(value, US"always") == 0) dereference = LDAP_DEREF_ALWAYS;
1147 }
1148 #else
1149 else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
1150 {
1151 *errmsg = string_sprintf("LDAP_OP_DEREF not defined in this LDAP "
1152 "library - cannot use \"dereference\"");
1153 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1154 return DEFER;
1155 }
6ec97b1b 1156 #endif
0756eb3c 1157
6ec97b1b
PH		 1158 #ifdef LDAP_OPT_REFERRALS
1159 else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
1160 {
1161 if (strcmpic(value, US"follow") == 0) referrals = LDAP_OPT_ON;
1162 else if (strcmpic(value, US"nofollow") == 0) referrals = LDAP_OPT_OFF;
1163 else
1164 {
1165 *errmsg = string_sprintf("LDAP option REFERRALS is not \"follow\" "
1166 "or \"nofollow\"");
1167 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1168 return DEFER;
1169 }
1170 }
1171 #else
1172 else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
1173 {
1174 *errmsg = string_sprintf("LDAP_OP_REFERRALS not defined in this LDAP "
1175 "library - cannot use \"referrals\"");
1176 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1177 return DEFER;
1178 }
0756eb3c
PH		 1179 #endif
1180
1181 else
1182 {
1183 *errmsg =
1184 string_sprintf("unknown parameter \"%.*s\" precedes LDAP URL",
1185 namelen, name);
1186 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1187 return DEFER;
1188 }
1189 while (isspace(*url)) url++;
1190 continue;
1191 }
1192 }
1193 *errmsg = US"malformed parameter setting precedes LDAP URL";
1194 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1195 return DEFER;
1196 }
1197
1198/* If user is set, de-URL-quote it. Some LDAP libraries do this for themselves,
1199but it seems that not all behave like this. The DN for the user is often the
1200result of ${quote_ldap_dn:...} quoting, which does apply URL quoting, because
1201that is needed when the DN is used as a base DN in a query. Sigh. This is all
1202far too complicated. */
1203
1204if (user != NULL)
1205 {
1206 uschar *s;
1207 uschar *t = user;
1208 for (s = user; *s != 0; s++)
1209 {
1210 int c, d;
1211 if (*s == '%' && isxdigit(c=s[1]) && isxdigit(d=s[2]))
1212 {
1213 c = tolower(c);
1214 d = tolower(d);
1215 *t++ =
1216 (((c >= 'a')? (10 + c - 'a') : c - '0') << 4) |
1217 ((d >= 'a')? (10 + d - 'a') : d - '0');
1218 s += 2;
1219 }
1220 else *t++ = *s;
1221 }
1222 *t = 0;
1223 }
1224
1225DEBUG(D_lookup)
1226 debug_printf("LDAP parameters: user=%s pass=%s size=%d time=%d connect=%d "
6ec97b1b
PH		 1227 "dereference=%d referrals=%s\n", user, password, sizelimit, timelimit,
1228 tcplimit, dereference, (referrals == LDAP_OPT_ON)? "on" : "off");
0756eb3c
PH		 1229
1230/* If the request is just to check authentication, some credentials must
1231be given. The password must not be empty because LDAP binds with an empty
1232password are considered anonymous, and will succeed on most installations. */
1233
1234if (search_type == SEARCH_LDAP_AUTH)
1235 {
1236 if (user == NULL || password == NULL)
1237 {
1238 *errmsg = US"ldapauth lookups must specify the username and password";
1239 return DEFER;
1240 }
1241 if (password[0] == 0)
1242 {
1243 DEBUG(D_lookup) debug_printf("Empty password: ldapauth returns FAIL\n");
1244 return FAIL;
1245 }
1246 }
1247
1248/* Check for valid ldap url starters */
1249
1250p = url + 4;
1251if (tolower(*p) == 's' || tolower(*p) == 'i') p++;
1252if (Ustrncmp(p, "://", 3) != 0)
1253 {
1254 *errmsg = string_sprintf("LDAP URL does not start with \"ldap://\", "
1255 "\"ldaps://\", or \"ldapi://\" (it starts with \"%.16s...\")", url);
1256 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1257 return DEFER;
1258 }
1259
1260/* No default servers, or URL contains a server name: just one attempt */
1261
1262if (eldap_default_servers == NULL || p[3] != '/')
1263 {
1264 return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
6ec97b1b
PH		 1265 &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
1266 referrals);
0756eb3c
PH		 1267 }
1268
1269/* Loop through the default servers until OK or FAIL */
1270
1271list = eldap_default_servers;
1272while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
1273 {
1274 int rc;
1275 int port = 0;
1276 uschar *colon = Ustrchr(server, ':');
1277 if (colon != NULL)
1278 {
1279 *colon = 0;
1280 port = Uatoi(colon+1);
1281 }
1282 rc = perform_ldap_search(url, server, port, search_type, res, errmsg,
6ec97b1b
PH		 1283 &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
1284 referrals);
0756eb3c
PH		 1285 if (rc != DEFER || defer_break) return rc;
1286 }
1287
1288return DEFER;
1289}
1290
1291
1292
1293/*************************************************
1294* Find entry point *
1295*************************************************/
1296
1297/* See local README for interface description. The different kinds of search
1298are handled by a common function, with a flag to differentiate between them.
1299The handle and filename arguments are not used. */
1300
e6d225ae 1301static int
0756eb3c
PH		 1302eldap_find(void *handle, uschar *filename, uschar *ldap_url, int length,
1303 uschar **result, uschar **errmsg, BOOL *do_cache)
1304{
1305/* Keep picky compilers happy */
1306do_cache = do_cache;
1307return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg));
1308}
1309
e6d225ae 1310static int
0756eb3c
PH		 1311eldapm_find(void *handle, uschar *filename, uschar *ldap_url, int length,
1312 uschar **result, uschar **errmsg, BOOL *do_cache)
1313{
1314/* Keep picky compilers happy */
1315do_cache = do_cache;
1316return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg));
1317}
1318
e6d225ae 1319static int
0756eb3c
PH		 1320eldapdn_find(void *handle, uschar *filename, uschar *ldap_url, int length,
1321 uschar **result, uschar **errmsg, BOOL *do_cache)
1322{
1323/* Keep picky compilers happy */
1324do_cache = do_cache;
1325return(control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg));
1326}
1327
1328int
1329eldapauth_find(void *handle, uschar *filename, uschar *ldap_url, int length,
1330 uschar **result, uschar **errmsg, BOOL *do_cache)
1331{
1332/* Keep picky compilers happy */
1333do_cache = do_cache;
1334return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg));
1335}
1336
1337
1338
1339/*************************************************
1340* Open entry point *
1341*************************************************/
1342
1343/* See local README for interface description. */
1344
e6d225ae 1345static void *
0756eb3c
PH		 1346eldap_open(uschar *filename, uschar **errmsg)
1347{
1348return (void *)(1); /* Just return something non-null */
1349}
1350
1351
1352
1353/*************************************************
1354* Tidy entry point *
1355*************************************************/
1356
1357/* See local README for interface description.
1358Make sure that eldap_dn does not refer to reclaimed or worse, freed store */
1359
e6d225ae 1360static void
0756eb3c
PH		 1361eldap_tidy(void)
1362{
1363LDAP_CONNECTION *lcp = NULL;
1364eldap_dn = NULL;
1365
1366while ((lcp = ldap_connections) != NULL)
1367 {
1368 DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
1369 lcp->port);
ff2c417d
TL		 1370 if(lcp->bound == TRUE)
1371 ldap_unbind(lcp->ld);
0756eb3c
PH		 1372 ldap_connections = lcp->next;
1373 }
1374}
1375
1376
1377
1378/*************************************************
1379* Quote entry point *
1380*************************************************/
1381
1382/* LDAP quoting is unbelievably messy. For a start, two different levels of
1383quoting have to be done: LDAP quoting, and URL quoting. The current
1384specification is the result of a suggestion by Brian Candler. It recognizes
1385two separate cases:
1386
1387(1) For text that appears in a search filter, the following escapes are
1388 required (see RFC 2254):
1389
1390 * -> \2A
1391 ( -> \28
1392 ) -> \29
1393 \ -> \5C
1394 NULL -> \00
1395
1396 Then the entire filter text must be URL-escaped. This kind of quoting is
1397 implemented by ${quote_ldap:....}. Note that we can never have a NULL
1398 in the input string, because that's a terminator.
1399
1400(2) For a DN that is part of a URL (i.e. the base DN), the characters
1401
1402 , + " \ < > ;
1403
1404 must be quoted by backslashing. See RFC 2253. Leading and trailing spaces
1405 must be escaped, as must a leading #. Then the string must be URL-quoted.
1406 This type of quoting is implemented by ${quote_ldap_dn:....}.
1407
1408For URL quoting, the only characters that need not be quoted are the
1409alphamerics and
1410
1411 ! $ ' ( ) * + - . _
1412
1413All the others must be hexified and preceded by %. This includes the
1414backslashes used for LDAP quoting.
1415
1416For a DN that is given in the USER parameter for authentication, we need the
1417same initial quoting as (2) but in this case, the result must NOT be
1418URL-escaped, because it isn't a URL. The way this is handled is by
1419de-URL-quoting the text when processing the USER parameter in
1420control_ldap_search() above. That means that the same quote operator can be
1421used. This has the additional advantage that spaces in the DN won't cause
1422parsing problems. For example:
1423
1424 USER=cn=${quote_ldap_dn:$1},%20dc=example,%20dc=com
1425
1426should be safe if there are spaces in $1.
1427
1428
1429Arguments:
1430 s the string to be quoted
1431 opt additional option text or NULL if none
1432 only "dn" is recognized
1433
1434Returns: the processed string or NULL for a bad option
1435*/
1436
1437
1438
1439/* The characters in this string, together with alphanumerics, never need
1440quoting in any way. */
1441
1442#define ALWAYS_LITERAL "!$'-._"
1443
1444/* The special characters in this string do not need to be URL-quoted. The set
1445is a bit larger than the general literals. */
1446
1447#define URL_NONQUOTE ALWAYS_LITERAL "()*+"
1448
1449/* The following macros define the characters that are quoted by quote_ldap and
1450quote_ldap_dn, respectively. */
1451
1452#define LDAP_QUOTE "*()\\"
1453#define LDAP_DN_QUOTE ",+\"\\<>;"
1454
1455
1456
e6d225ae 1457static uschar *
0756eb3c
PH		 1458eldap_quote(uschar *s, uschar *opt)
1459{
1460register int c;
1461int count = 0;
1462int len = 0;
1463BOOL dn = FALSE;
1464uschar *t = s;
1465uschar *quoted;
1466
1467/* Test for a DN quotation. */
1468
1469if (opt != NULL)
1470 {
1471 if (Ustrcmp(opt, "dn") != 0) return NULL; /* No others recognized */
1472 dn = TRUE;
1473 }
1474
1475/* Compute how much extra store we need for the string. This doesn't have to be
1476exact as long as it isn't an underestimate. The worst case is the addition of 5
1477extra bytes for a single character. This occurs for certain characters in DNs,
1478where, for example, < turns into %5C%3C. For simplicity, we just add 5 for each
1479possibly escaped character. The really fast way would be just to test for
1480non-alphanumerics, but it is probably better to spot a few others that are
1481never escaped, because if there are no specials at all, we can avoid copying
1482the string. */
1483
1484while ((c = *t++) != 0)
1485 {
1486 len++;
1487 if (!isalnum(c) && Ustrchr(ALWAYS_LITERAL, c) == NULL) count += 5;
1488 }
1489if (count == 0) return s;
1490
1491/* Get sufficient store to hold the quoted string */
1492
1493t = quoted = store_get(len + count + 1);
1494
1495/* Handle plain quote_ldap */
1496
1497if (!dn)
1498 {
1499 while ((c = *s++) != 0)
1500 {
1501 if (!isalnum(c))
1502 {
1503 if (Ustrchr(LDAP_QUOTE, c) != NULL)
1504 {
1505 sprintf(CS t, "%%5C%02X", c); /* e.g. * => %5C2A */
1506 t += 5;
1507 continue;
1508 }
1509 if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */
1510 {
1511 sprintf(CS t, "%%%02X", c);
1512 t += 3;
1513 continue;
1514 }
1515 }
1516 *t++ = c; /* unquoted character */
1517 }
1518 }
1519
1520/* Handle quote_ldap_dn */
1521
1522else
1523 {
1524 uschar *ss = s + len;
1525
1526 /* Find the last char before any trailing spaces */
1527
1528 while (ss > s && ss[-1] == ' ') ss--;
1529
1530 /* Quote leading spaces and sharps */
1531
1532 for (; s < ss; s++)
1533 {
1534 if (*s != ' ' && *s != '#') break;
1535 sprintf(CS t, "%%5C%%%02X", *s);
1536 t += 6;
1537 }
1538
1539 /* Handle the rest of the string, up to the trailing spaces */
1540
1541 while (s < ss)
1542 {
1543 c = *s++;
1544 if (!isalnum(c))
1545 {
1546 if (Ustrchr(LDAP_DN_QUOTE, c) != NULL)
1547 {
1548 Ustrncpy(t, "%5C", 3); /* insert \ where needed */
1549 t += 3; /* fall through to check URL */
1550 }
1551 if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */
1552 {
1553 sprintf(CS t, "%%%02X", c);
1554 t += 3;
1555 continue;
1556 }
1557 }
1558 *t++ = c; /* unquoted character, or non-URL quoted after %5C */
1559 }
1560
1561 /* Handle the trailing spaces */
1562
1563 while (*ss++ != 0)
1564 {
1565 Ustrncpy(t, "%5C%20", 6);
1566 t += 6;
1567 }
1568 }
1569
1570/* Terminate the new string and return */
1571
1572*t = 0;
1573return quoted;
1574}
1575
6545de78
PP		 1576
1577
1578/*************************************************
1579* Version reporting entry point *
1580*************************************************/
1581
1582/* See local README for interface description. */
1583
1584#include "../version.h"
1585
1586void
1587ldap_version_report(FILE *f)
1588{
1589#ifdef DYNLOOKUP
1590fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
1591#endif
1592}
1593
1594
e6d225ae
DW		 1595static lookup_info ldap_lookup_info = {
1596 US"ldap", /* lookup name */
1597 lookup_querystyle, /* query-style lookup */
1598 eldap_open, /* open function */
1599 NULL, /* check function */
1600 eldap_find, /* find function */
1601 NULL, /* no close function */
1602 eldap_tidy, /* tidy function */
6545de78
PP		 1603 eldap_quote, /* quoting function */
1604 ldap_version_report /* version reporting */
e6d225ae
DW		 1605};
1606
1607static lookup_info ldapdn_lookup_info = {
1608 US"ldapdn", /* lookup name */
1609 lookup_querystyle, /* query-style lookup */
1610 eldap_open, /* sic */ /* open function */
1611 NULL, /* check function */
1612 eldapdn_find, /* find function */
1613 NULL, /* no close function */
1614 eldap_tidy, /* sic */ /* tidy function */
6545de78
PP		 1615 eldap_quote, /* sic */ /* quoting function */
1616 NULL /* no version reporting (redundant) */
e6d225ae
DW		 1617};
1618
1619static lookup_info ldapm_lookup_info = {
1620 US"ldapm", /* lookup name */
1621 lookup_querystyle, /* query-style lookup */
1622 eldap_open, /* sic */ /* open function */
1623 NULL, /* check function */
1624 eldapm_find, /* find function */
1625 NULL, /* no close function */
1626 eldap_tidy, /* sic */ /* tidy function */
6545de78
PP		 1627 eldap_quote, /* sic */ /* quoting function */
1628 NULL /* no version reporting (redundant) */
e6d225ae
DW		 1629};
1630
1631#ifdef DYNLOOKUP
1632#define ldap_lookup_module_info _lookup_module_info
1633#endif
1634
1635static lookup_info *_lookup_list[] = { &ldap_lookup_info, &ldapdn_lookup_info, &ldapm_lookup_info };
1636lookup_module_info ldap_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
0756eb3c
PH		 1637
1638/* End of lookups/ldap.c */
Unnamed repository; edit this file 'description' to name the repository.