projects / exim.git / blob
? search:


0c2c87fc3e0d73535b9a32504dde5073a87eb776
[exim.git] / src / src / lookups / ldap.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Many thanks to Stuart Lynne for contributing the original code for this
9 driver. Further contributions from Michael Haardt, Brian Candler, Barry
10 Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for
11 researching how to handle the different kinds of error. */
12
13
14 #include "../exim.h"
15 #include "lf_functions.h"
16
17
18 /* Include LDAP headers. The code below uses some "old" LDAP interfaces that
19 are deprecated in OpenLDAP. I don't know their status in other LDAP
20 implementations. LDAP_DEPRECATED causes their prototypes to be defined in
21 ldap.h. */
22
23 #define LDAP_DEPRECATED 1
24
25 #include <lber.h>
26 #include <ldap.h>
27
28
29 /* Annoyingly, the different LDAP libraries handle errors in different ways,
30 and some other things too. There doesn't seem to be an automatic way of
31 distinguishing between them. Local/Makefile should contain a setting of
32 LDAP_LIB_TYPE, which in turn causes appropriate macros to be defined for the
33 different kinds. Those that matter are:
34
35 LDAP_LIB_NETSCAPE
36 LDAP_LIB_SOLARIS with synonym LDAP_LIB_SOLARIS7
37 LDAP_LIB_OPENLDAP2
38
39 These others may be defined, but are in fact the default, so are not tested:
40
41 LDAP_LIB_UMICHIGAN
42 LDAP_LIB_OPENLDAP1
43 */
44
45 #if defined(LDAP_LIB_SOLARIS7) && ! defined(LDAP_LIB_SOLARIS)
46 #define LDAP_LIB_SOLARIS
47 #endif
48
49
50 /* Just in case LDAP_NO_LIMIT is not defined by some of these libraries. */
51
52 #ifndef LDAP_NO_LIMIT
53 #define LDAP_NO_LIMIT 0
54 #endif
55
56
57 /* Just in case LDAP_DEREF_NEVER is not defined */
58
59 #ifndef LDAP_DEREF_NEVER
60 #define LDAP_DEREF_NEVER 0
61 #endif
62
63
64 /* Four types of LDAP search are implemented */
65
66 #define SEARCH_LDAP_MULTIPLE 0 /* Get attributes from multiple entries */
67 #define SEARCH_LDAP_SINGLE 1 /* Get attributes from one entry only */
68 #define SEARCH_LDAP_DN 2 /* Get just the DN from one entry */
69 #define SEARCH_LDAP_AUTH 3 /* Just checking for authentication */
70
71 /* In all 4 cases, the DN is left in $ldap_dn (which post-dates the
72 SEARCH_LDAP_DN lookup). */
73
74
75 /* Structure and anchor for caching connections. */
76
77 typedef struct ldap_connection {
78 struct ldap_connection *next;
79 uschar *host;
80 uschar *user;
81 uschar *password;
82 BOOL bound;
83 int port;
84 BOOL is_start_tls_called;
85 LDAP *ld;
86 } LDAP_CONNECTION;
87
88 static LDAP_CONNECTION *ldap_connections = NULL;
89
90
91
92 /*************************************************
93 * Internal search function *
94 *************************************************/
95
96 /* This is the function that actually does the work. It is called (indirectly
97 via control_ldap_search) from eldap_find(), eldapauth_find(), eldapdn_find(),
98 and eldapm_find(), with a difference in the "search_type" argument.
99
100 The case of eldapauth_find() is special in that all it does is do
101 authentication, returning OK or FAIL as appropriate. This isn't used as a
102 lookup. Instead, it is called from expand.c as an expansion condition test.
103
104 The DN from a successful lookup is placed in $ldap_dn. This feature postdates
105 the provision of the SEARCH_LDAP_DN facility for returning just the DN as the
106 data.
107
108 Arguments:
109 ldap_url the URL to be looked up
110 server server host name, when URL contains none
111 s_port server port, used when URL contains no name
112 search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries
113 SEARCH_LDAP_SINGLE allows values from one entry only
114 SEARCH_LDAP_DN gets the DN from one entry
115 res set to point at the result (not used for ldapauth)
116 errmsg set to point a message if result is not OK
117 defer_break set TRUE if no more servers to be tried after a DEFER
118 user user name for authentication, or NULL
119 password password for authentication, or NULL
120 sizelimit max number of entries returned, or 0 for no limit
121 timelimit max time to wait, or 0 for no limit
122 tcplimit max time for network activity, e.g. connect, or 0 for OS default
123 deference the dereference option, which is one of
124 LDAP_DEREF_{NEVER,SEARCHING,FINDING,ALWAYS}
125 referrals the referral option, which is LDAP_OPT_ON or LDAP_OPT_OFF
126
127 Returns: OK or FAIL or DEFER
128 FAIL is given only if a lookup was performed successfully, but
129 returned no data.
130 */
131
132 static int
133 perform_ldap_search(const uschar *ldap_url, uschar *server, int s_port,
134 int search_type, uschar **res, uschar **errmsg, BOOL *defer_break,
135 uschar *user, uschar *password, int sizelimit, int timelimit, int tcplimit,
136 int dereference, void *referrals)
137 {
138 LDAPURLDesc *ludp = NULL;
139 LDAPMessage *result = NULL;
140 BerElement *ber;
141 LDAP_CONNECTION *lcp;
142
143 struct timeval timeout;
144 struct timeval *timeoutptr = NULL;
145
146 uschar *attr;
147 uschar **attrp;
148 gstring * data = NULL;
149 uschar *dn = NULL;
150 uschar *host;
151 uschar **values;
152 uschar **firstval;
153 uschar porttext[16];
154
155 uschar *error1 = NULL; /* string representation of errcode (static) */
156 uschar *error2 = NULL; /* error message from the server */
157 uschar *matched = NULL; /* partially matched DN */
158
159 int attrs_requested = 0;
160 int error_yield = DEFER;
161 int msgid;
162 int rc, ldap_rc, ldap_parse_rc;
163 int port;
164 int rescount = 0;
165 BOOL attribute_found = FALSE;
166 BOOL ldapi = FALSE;
167
168 DEBUG(D_lookup)
169 debug_printf("perform_ldap_search: ldap%s URL = \"%s\" server=%s port=%d "
170 "sizelimit=%d timelimit=%d tcplimit=%d\n",
171 (search_type == SEARCH_LDAP_MULTIPLE)? "m" :
172 (search_type == SEARCH_LDAP_DN)? "dn" :
173 (search_type == SEARCH_LDAP_AUTH)? "auth" : "",
174 ldap_url, server, s_port, sizelimit, timelimit, tcplimit);
175
176 /* Check if LDAP thinks the URL is a valid LDAP URL. We assume that if the LDAP
177 library that is in use doesn't recognize, say, "ldapi", it will barf here. */
178
179 if (!ldap_is_ldap_url(CS ldap_url))
180 {
181 *errmsg = string_sprintf("ldap_is_ldap_url: not an LDAP url \"%s\"\n",
182 ldap_url);
183 goto RETURN_ERROR_BREAK;
184 }
185
186 /* Parse the URL */
187
188 if ((rc = ldap_url_parse(CS ldap_url, &ludp)) != 0)
189 {
190 *errmsg = string_sprintf("ldap_url_parse: (error %d) parsing \"%s\"\n", rc,
191 ldap_url);
192 goto RETURN_ERROR_BREAK;
193 }
194
195 /* If the host name is empty, take it from the separate argument, if one is
196 given. OpenLDAP 2.0.6 sets an unset hostname to "" rather than empty, but
197 expects NULL later in ldap_init() to mean "default", annoyingly. In OpenLDAP
198 2.0.11 this has changed (it uses NULL). */
199
200 if ((ludp->lud_host == NULL || ludp->lud_host[0] == 0) && server != NULL)
201 {
202 host = server;
203 port = s_port;
204 }
205 else
206 {
207 host = US ludp->lud_host;
208 if (host != NULL && host[0] == 0) host = NULL;
209 port = ludp->lud_port;
210 }
211
212 DEBUG(D_lookup) debug_printf("after ldap_url_parse: host=%s port=%d\n",
213 host, port);
214
215 if (port == 0) port = LDAP_PORT; /* Default if none given */
216 sprintf(CS porttext, ":%d", port); /* For messages */
217
218 /* If the "host name" is actually a path, we are going to connect using a Unix
219 socket, regardless of whether "ldapi" was actually specified or not. This means
220 that a Unix socket can be declared in eldap_default_servers, and "traditional"
221 LDAP queries using just "ldap" can be used ("ldaps" is similarly overridden).
222 The path may start with "/" or it may already be escaped as "%2F" if it was
223 actually declared that way in eldap_default_servers. (I did it that way the
224 first time.) If the host name is not a path, the use of "ldapi" causes an
225 error, except in the default case. (But lud_scheme doesn't seem to exist in
226 older libraries.) */
227
228 if (host != NULL)
229 {
230 if ((host[0] == '/' || Ustrncmp(host, "%2F", 3) == 0))
231 {
232 ldapi = TRUE;
233 porttext[0] = 0; /* Remove port from messages */
234 }
235
236 #if defined LDAP_LIB_OPENLDAP2
237 else if (strncmp(ludp->lud_scheme, "ldapi", 5) == 0)
238 {
239 *errmsg = string_sprintf("ldapi requires an absolute path (\"%s\" given)",
240 host);
241 goto RETURN_ERROR;
242 }
243 #endif
244 }
245
246 /* Count the attributes; we need this later to tell us how to format results */
247
248 for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++)
249 attrs_requested++;
250
251 /* See if we can find a cached connection to this host. The port is not
252 relevant for ldapi. The host name pointer is set to NULL if no host was given
253 (implying the library default), rather than to the empty string. Note that in
254 this case, there is no difference between ldap and ldapi. */
255
256 for (lcp = ldap_connections; lcp != NULL; lcp = lcp->next)
257 {
258 if ((host == NULL) != (lcp->host == NULL) ||
259 (host != NULL && strcmpic(lcp->host, host) != 0))
260 continue;
261 if (ldapi || port == lcp->port) break;
262 }
263
264 /* Use this network timeout in any requests. */
265
266 if (tcplimit > 0)
267 {
268 timeout.tv_sec = tcplimit;
269 timeout.tv_usec = 0;
270 timeoutptr = &timeout;
271 }
272
273 /* If no cached connection found, we must open a connection to the server. If
274 the server name is actually an absolute path, we set ldapi=TRUE above. This
275 requests connection via a Unix socket. However, as far as I know, only OpenLDAP
276 supports the use of sockets, and the use of ldap_initialize(). */
277
278 if (lcp == NULL)
279 {
280 LDAP *ld;
281
282 #ifdef LDAP_OPT_X_TLS_NEWCTX
283 int am_server = 0;
284 LDAP *ldsetctx;
285 #else
286 LDAP *ldsetctx = NULL;
287 #endif
288
289
290 /* --------------------------- OpenLDAP ------------------------ */
291
292 /* There seems to be a preference under OpenLDAP for ldap_initialize()
293 instead of ldap_init(), though I have as yet been unable to find
294 documentation that says this. (OpenLDAP documentation is sparse to
295 non-existent). So we handle OpenLDAP differently here. Also, support for
296 ldapi seems to be OpenLDAP-only at present. */
297
298 #ifdef LDAP_LIB_OPENLDAP2
299
300 /* We now need an empty string for the default host. Get some store in which
301 to build a URL for ldap_initialize(). In the ldapi case, it can't be bigger
302 than (9 + 3*Ustrlen(shost)), whereas in the other cases it can't be bigger
303 than the host name + "ldaps:///" plus : and a port number, say 20 + the
304 length of the host name. What we get should accommodate both, easily. */
305
306 uschar *shost = (host == NULL)? US"" : host;
307 uschar *init_url = store_get(20 + 3 * Ustrlen(shost));
308 uschar *init_ptr;
309
310 /* Handle connection via Unix socket ("ldapi"). We build a basic LDAP URI to
311 contain the path name, with slashes escaped as %2F. */
312
313 if (ldapi)
314 {
315 int ch;
316 init_ptr = init_url + 8;
317 Ustrcpy(init_url, "ldapi://");
318 while ((ch = *shost++) != 0)
319 {
320 if (ch == '/')
321 {
322 Ustrncpy(init_ptr, "%2F", 3);
323 init_ptr += 3;
324 }
325 else *init_ptr++ = ch;
326 }
327 *init_ptr = 0;
328 }
329
330 /* This is not an ldapi call. Just build a URI with the protocol type, host
331 name, and port. */
332
333 else
334 {
335 init_ptr = Ustrchr(ldap_url, '/');
336 Ustrncpy(init_url, ldap_url, init_ptr - ldap_url);
337 init_ptr = init_url + (init_ptr - ldap_url);
338 sprintf(CS init_ptr, "//%s:%d/", shost, port);
339 }
340
341 /* Call ldap_initialize() and check the result */
342
343 DEBUG(D_lookup) debug_printf("ldap_initialize with URL %s\n", init_url);
344 rc = ldap_initialize(&ld, CS init_url);
345 if (rc != LDAP_SUCCESS)
346 {
347 *errmsg = string_sprintf("ldap_initialize: (error %d) URL \"%s\"\n",
348 rc, init_url);
349 goto RETURN_ERROR;
350 }
351 store_reset(init_url); /* Might as well save memory when we can */
352
353
354 /* ------------------------- Not OpenLDAP ---------------------- */
355
356 /* For libraries other than OpenLDAP, use ldap_init(). */
357
358 #else /* LDAP_LIB_OPENLDAP2 */
359 ld = ldap_init(CS host, port);
360 #endif /* LDAP_LIB_OPENLDAP2 */
361
362 /* -------------------------------------------------------------- */
363
364
365 /* Handle failure to initialize */
366
367 if (ld == NULL)
368 {
369 *errmsg = string_sprintf("failed to initialize for LDAP server %s%s - %s",
370 host, porttext, strerror(errno));
371 goto RETURN_ERROR;
372 }
373
374 #ifdef LDAP_OPT_X_TLS_NEWCTX
375 ldsetctx = ld;
376 #endif
377
378 /* Set the TCP connect time limit if available. This is something that is
379 in Netscape SDK v4.1; I don't know about other libraries. */
380
381 #ifdef LDAP_X_OPT_CONNECT_TIMEOUT
382 if (tcplimit > 0)
383 {
384 int timeout1000 = tcplimit*1000;
385 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000);
386 }
387 else
388 {
389 int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT;
390 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&notimeout);
391 }
392 #endif
393
394 /* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */
395
396 #ifdef LDAP_OPT_NETWORK_TIMEOUT
397 if (tcplimit > 0)
398 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr);
399 #endif
400
401 /* I could not get TLS to work until I set the version to 3. That version
402 seems to be the default nowadays. The RFC is dated 1997, so I would hope
403 that all the LDAP libraries support it. Therefore, if eldap_version hasn't
404 been set, go for v3 if we can. */
405
406 if (eldap_version < 0)
407 {
408 #ifdef LDAP_VERSION3
409 eldap_version = LDAP_VERSION3;
410 #else
411 eldap_version = 2;
412 #endif
413 }
414
415 #ifdef LDAP_OPT_PROTOCOL_VERSION
416 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *)&eldap_version);
417 #endif
418
419 DEBUG(D_lookup) debug_printf("initialized for LDAP (v%d) server %s%s\n",
420 eldap_version, host, porttext);
421
422 /* If not using ldapi and TLS is available, set appropriate TLS options: hard
423 for "ldaps" and soft otherwise. */
424
425 #ifdef LDAP_OPT_X_TLS
426 if (!ldapi)
427 {
428 int tls_option;
429 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
430 if (eldap_require_cert != NULL)
431 {
432 tls_option = LDAP_OPT_X_TLS_NEVER;
433 if (Ustrcmp(eldap_require_cert, "hard") == 0)
434 {
435 tls_option = LDAP_OPT_X_TLS_HARD;
436 }
437 else if (Ustrcmp(eldap_require_cert, "demand") == 0)
438 {
439 tls_option = LDAP_OPT_X_TLS_DEMAND;
440 }
441 else if (Ustrcmp(eldap_require_cert, "allow") == 0)
442 {
443 tls_option = LDAP_OPT_X_TLS_ALLOW;
444 }
445 else if (Ustrcmp(eldap_require_cert, "try") == 0)
446 {
447 tls_option = LDAP_OPT_X_TLS_TRY;
448 }
449 DEBUG(D_lookup)
450 debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
451 tls_option);
452 }
453 else
454 #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
455 if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
456 {
457 tls_option = LDAP_OPT_X_TLS_HARD;
458 DEBUG(D_lookup)
459 debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
460 }
461 else
462 {
463 tls_option = LDAP_OPT_X_TLS_TRY;
464 DEBUG(D_lookup)
465 debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
466 }
467 ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
468 }
469 #endif /* LDAP_OPT_X_TLS */
470
471 #ifdef LDAP_OPT_X_TLS_CACERTFILE
472 if (eldap_ca_cert_file != NULL)
473 {
474 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
475 }
476 #endif
477 #ifdef LDAP_OPT_X_TLS_CACERTDIR
478 if (eldap_ca_cert_dir != NULL)
479 {
480 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
481 }
482 #endif
483 #ifdef LDAP_OPT_X_TLS_CERTFILE
484 if (eldap_cert_file != NULL)
485 {
486 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
487 }
488 #endif
489 #ifdef LDAP_OPT_X_TLS_KEYFILE
490 if (eldap_cert_key != NULL)
491 {
492 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
493 }
494 #endif
495 #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
496 if (eldap_cipher_suite != NULL)
497 {
498 ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
499 }
500 #endif
501 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
502 if (eldap_require_cert != NULL)
503 {
504 int cert_option = LDAP_OPT_X_TLS_NEVER;
505 if (Ustrcmp(eldap_require_cert, "hard") == 0)
506 {
507 cert_option = LDAP_OPT_X_TLS_HARD;
508 }
509 else if (Ustrcmp(eldap_require_cert, "demand") == 0)
510 {
511 cert_option = LDAP_OPT_X_TLS_DEMAND;
512 }
513 else if (Ustrcmp(eldap_require_cert, "allow") == 0)
514 {
515 cert_option = LDAP_OPT_X_TLS_ALLOW;
516 }
517 else if (Ustrcmp(eldap_require_cert, "try") == 0)
518 {
519 cert_option = LDAP_OPT_X_TLS_TRY;
520 }
521 /* This ldap handle is set at compile time based on client libs. Older
522 * versions want it to be global and newer versions can force a reload
523 * of the TLS context (to reload these settings we are changing from the
524 * default that loaded at instantiation). */
525 rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
526 if (rc)
527 {
528 DEBUG(D_lookup)
529 debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
530 cert_option, ldap_err2string(rc));
531 }
532 }
533 #endif
534 #ifdef LDAP_OPT_X_TLS_NEWCTX
535 rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
536 if (rc)
537 {
538 DEBUG(D_lookup)
539 debug_printf("Unable to reload TLS context %d: %s\n",
540 rc, ldap_err2string(rc));
541 }
542 #endif
543
544 /* Now add this connection to the chain of cached connections */
545
546 lcp = store_get(sizeof(LDAP_CONNECTION));
547 lcp->host = (host == NULL)? NULL : string_copy(host);
548 lcp->bound = FALSE;
549 lcp->user = NULL;
550 lcp->password = NULL;
551 lcp->port = port;
552 lcp->ld = ld;
553 lcp->next = ldap_connections;
554 lcp->is_start_tls_called = FALSE;
555 ldap_connections = lcp;
556 }
557
558 /* Found cached connection */
559
560 else
561 {
562 DEBUG(D_lookup)
563 debug_printf("re-using cached connection to LDAP server %s%s\n",
564 host, porttext);
565 }
566
567 /* Bind with the user/password supplied, or an anonymous bind if these values
568 are NULL, unless a cached connection is already bound with the same values. */
569
570 if (!lcp->bound ||
571 (lcp->user == NULL && user != NULL) ||
572 (lcp->user != NULL && user == NULL) ||
573 (lcp->user != NULL && user != NULL && Ustrcmp(lcp->user, user) != 0) ||
574 (lcp->password == NULL && password != NULL) ||
575 (lcp->password != NULL && password == NULL) ||
576 (lcp->password != NULL && password != NULL &&
577 Ustrcmp(lcp->password, password) != 0))
578 {
579 DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
580 (lcp->bound)? "re-" : "", user, password);
581 if (eldap_start_tls && !lcp->is_start_tls_called && !ldapi)
582 {
583 #if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
584 /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
585 * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
586 * export an ldap_start_tls_s symbol.
587 */
588 if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
589 {
590 *errmsg = string_sprintf("failed to initiate TLS processing on an "
591 "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
592 " %s", host, porttext, rc, ldap_err2string(rc));
593 goto RETURN_ERROR;
594 }
595 lcp->is_start_tls_called = TRUE;
596 #else
597 DEBUG(D_lookup)
598 debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
599 #endif
600 }
601 if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
602 == -1)
603 {
604 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
605 "%s%s - ldap_bind() returned -1", host, porttext);
606 goto RETURN_ERROR;
607 }
608
609 if ((rc = ldap_result( lcp->ld, msgid, 1, timeoutptr, &result )) <= 0)
610 {
611 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
612 "%s%s - LDAP error: %s", host, porttext,
613 rc == -1 ? "result retrieval failed" : "timeout" );
614 result = NULL;
615 goto RETURN_ERROR;
616 }
617
618 rc = ldap_result2error( lcp->ld, result, 0 );
619
620 /* Invalid credentials when just checking credentials returns FAIL. This
621 stops any further servers being tried. */
622
623 if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS)
624 {
625 DEBUG(D_lookup)
626 debug_printf("Invalid credentials: ldapauth returns FAIL\n");
627 error_yield = FAIL;
628 goto RETURN_ERROR_NOMSG;
629 }
630
631 /* Otherwise we have a problem that doesn't stop further servers from being
632 tried. */
633
634 if (rc != LDAP_SUCCESS)
635 {
636 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
637 "%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc));
638 goto RETURN_ERROR;
639 }
640
641 /* Successful bind */
642
643 lcp->bound = TRUE;
644 lcp->user = (user == NULL)? NULL : string_copy(user);
645 lcp->password = (password == NULL)? NULL : string_copy(password);
646
647 ldap_msgfree(result);
648 result = NULL;
649 }
650
651 /* If we are just checking credentials, return OK. */
652
653 if (search_type == SEARCH_LDAP_AUTH)
654 {
655 DEBUG(D_lookup) debug_printf("Bind succeeded: ldapauth returns OK\n");
656 goto RETURN_OK;
657 }
658
659 /* Before doing the search, set the time and size limits (if given). Here again
660 the different implementations of LDAP have chosen to do things differently. */
661
662 #if defined(LDAP_OPT_SIZELIMIT)
663 ldap_set_option(lcp->ld, LDAP_OPT_SIZELIMIT, (void *)&sizelimit);
664 ldap_set_option(lcp->ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit);
665 #else
666 lcp->ld->ld_sizelimit = sizelimit;
667 lcp->ld->ld_timelimit = timelimit;
668 #endif
669
670 /* Similarly for dereferencing aliases. Don't know if this is possible on
671 an LDAP library without LDAP_OPT_DEREF. */
672
673 #if defined(LDAP_OPT_DEREF)
674 ldap_set_option(lcp->ld, LDAP_OPT_DEREF, (void *)&dereference);
675 #endif
676
677 /* Similarly for the referral setting; should the library follow referrals that
678 the LDAP server returns? The conditional is just in case someone uses a library
679 without it. */
680
681 #if defined(LDAP_OPT_REFERRALS)
682 ldap_set_option(lcp->ld, LDAP_OPT_REFERRALS, referrals);
683 #endif
684
685 /* Start the search on the server. */
686
687 DEBUG(D_lookup) debug_printf("Start search\n");
688
689 msgid = ldap_search(lcp->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter,
690 ludp->lud_attrs, 0);
691
692 if (msgid == -1)
693 {
694 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
695 int err;
696 ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
697 *errmsg = string_sprintf("ldap_search failed: %d, %s", err,
698 ldap_err2string(err));
699
700 #else
701 *errmsg = string_sprintf("ldap_search failed");
702 #endif
703
704 goto RETURN_ERROR;
705 }
706
707 /* Loop to pick up results as they come in, setting a timeout if one was
708 given. */
709
710 while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
711 LDAP_RES_SEARCH_ENTRY)
712 {
713 LDAPMessage *e;
714 int valuecount; /* We can see an attr spread across several
715 entries. If B is derived from A and we request
716 A and the directory contains both, A and B,
717 then we get two entries, one for A and one for B.
718 Here we just count the values per entry */
719
720 DEBUG(D_lookup) debug_printf("LDAP result loop\n");
721
722 for(e = ldap_first_entry(lcp->ld, result), valuecount = 0;
723 e;
724 e = ldap_next_entry(lcp->ld, e))
725 {
726 uschar *new_dn;
727 BOOL insert_space = FALSE;
728
729 DEBUG(D_lookup) debug_printf("LDAP entry loop\n");
730
731 rescount++; /* Count results */
732
733 /* Results for multiple entries values are separated by newlines. */
734
735 if (data) data = string_catn(data, US"\n", 1);
736
737 /* Get the DN from the last result. */
738
739 new_dn = US ldap_get_dn(lcp->ld, e);
740 if (new_dn != NULL)
741 {
742 if (dn != NULL)
743 {
744 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
745 ldap_memfree(dn);
746 #else /* OPENLDAP 1, UMich, Solaris */
747 free(dn);
748 #endif
749 }
750 /* Save for later */
751 dn = new_dn;
752 }
753
754 /* If the data we want is actually the DN rather than any attribute values,
755 (an "ldapdn" search) add it to the data string. If there are multiple
756 entries, the DNs will be concatenated, but we test for this case below, as
757 for SEARCH_LDAP_SINGLE, and give an error. */
758
759 if (search_type == SEARCH_LDAP_DN) /* Do not amalgamate these into one */
760 { /* condition, because of the else */
761 if (new_dn != NULL) /* below, that's for the first only */
762 {
763 data = string_cat(data, new_dn);
764 (void) string_from_gstring(data);
765 attribute_found = TRUE;
766 }
767 }
768
769 /* Otherwise, loop through the entry, grabbing attribute values. If there's
770 only one attribute being retrieved, no attribute name is given, and the
771 result is not quoted. Multiple values are separated by (comma).
772 If more than one attribute is being retrieved, the data is given as a
773 sequence of name=value pairs, separated by (space), with the value always in quotes.
774 If there are multiple values, they are given within the quotes, comma separated. */
775
776 else for (attr = US ldap_first_attribute(lcp->ld, e, &ber);
777 attr; attr = US ldap_next_attribute(lcp->ld, e, ber))
778 {
779 DEBUG(D_lookup) debug_printf("LDAP attr loop\n");
780
781 /* In case of attrs_requested == 1 we just count the values, in all other cases
782 (0, >1) we count the values per attribute */
783 if (attrs_requested != 1) valuecount = 0;
784
785 if (attr[0] != 0)
786 {
787 /* Get array of values for this attribute. */
788
789 if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr)))
790 {
791
792 if (attrs_requested != 1)
793 {
794 if (insert_space)
795 data = string_catn(data, US" ", 1);
796 else
797 insert_space = TRUE;
798 data = string_cat(data, attr);
799 data = string_catn(data, US"=\"", 2);
800 }
801
802 while (*values)
803 {
804 uschar *value = *values;
805 int len = Ustrlen(value);
806 ++valuecount;
807
808 DEBUG(D_lookup) debug_printf("LDAP value loop %s:%s\n", attr, value);
809
810 /* In case we requested one attribute only but got several times
811 into that attr loop, we need to append the additional values.
812 (This may happen if you derive attributeTypes B and C from A and
813 then query for A.) In all other cases we detect the different
814 attribute and append only every non first value. */
815
816 if (data && valuecount > 1)
817 data = string_catn(data, US",", 1);
818
819 /* For multiple attributes, the data is in quotes. We must escape
820 internal quotes, backslashes, newlines, and must double commas. */
821
822 if (attrs_requested != 1)
823 {
824 int j;
825 for (j = 0; j < len; j++)
826 {
827 if (value[j] == '\n')
828 data = string_catn(data, US"\\n", 2);
829 else if (value[j] == ',')
830 data = string_catn(data, US",,", 2);
831 else
832 {
833 if (value[j] == '\"' || value[j] == '\\')
834 data = string_catn(data, US"\\", 1);
835 data = string_catn(data, value+j, 1);
836 }
837 }
838 }
839
840 /* For single attributes, just double commas */
841
842 else
843 {
844 int j;
845 for (j = 0; j < len; j++)
846 if (value[j] == ',')
847 data = string_catn(data, US",,", 2);
848 else
849 data = string_catn(data, value+j, 1);
850 }
851
852
853 /* Move on to the next value */
854
855 values++;
856 attribute_found = TRUE;
857 }
858
859 /* Closing quote at the end of the data for a named attribute. */
860
861 if (attrs_requested != 1)
862 data = string_catn(data, US"\"", 1);
863
864 /* Free the values */
865
866 ldap_value_free(CSS firstval);
867 }
868 }
869
870 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
871
872 /* Netscape and OpenLDAP2 LDAP's attrs are dynamically allocated and need
873 to be freed. UMich LDAP stores them in static storage and does not require
874 this. */
875
876 ldap_memfree(attr);
877 #endif
878 } /* End "for" loop for extracting attributes from an entry */
879 } /* End "for" loop for extracting entries from a result */
880
881 /* Free the result */
882
883 ldap_msgfree(result);
884 result = NULL;
885 } /* End "while" loop for multiple results */
886
887 /* Terminate the dynamic string that we have built and reclaim unused store */
888
889 if (data)
890 {
891 (void) string_from_gstring(data);
892 gstring_reset_unused(data);
893 }
894
895 /* Copy the last dn into eldap_dn */
896
897 if (dn)
898 {
899 eldap_dn = string_copy(dn);
900 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
901 ldap_memfree(dn);
902 #else /* OPENLDAP 1, UMich, Solaris */
903 free(dn);
904 #endif
905 }
906
907 DEBUG(D_lookup) debug_printf("search ended by ldap_result yielding %d\n",rc);
908
909 if (rc == 0)
910 {
911 *errmsg = US"ldap_result timed out";
912 goto RETURN_ERROR;
913 }
914
915 /* A return code of -1 seems to mean "ldap_result failed internally or couldn't
916 provide you with a message". Other error states seem to exist where
917 ldap_result() didn't give us any message from the server at all, leaving result
918 set to NULL. Apparently, "the error parameters of the LDAP session handle will
919 be set accordingly". That's the best we can do to retrieve an error status; we
920 can't use functions like ldap_result2error because they parse a message from
921 the server, which we didn't get.
922
923 Annoyingly, the different implementations of LDAP have gone for different
924 methods of handling error codes and generating error messages. */
925
926 if (rc == -1 || result == NULL)
927 {
928 int err;
929 DEBUG(D_lookup) debug_printf("ldap_result failed\n");
930
931 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
932 ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
933 *errmsg = string_sprintf("ldap_result failed: %d, %s",
934 err, ldap_err2string(err));
935
936 #elif defined LDAP_LIB_NETSCAPE
937 /* Dubious (surely 'matched' is spurious here?) */
938 (void)ldap_get_lderrno(lcp->ld, &matched, &error1);
939 *errmsg = string_sprintf("ldap_result failed: %s (%s)", error1, matched);
940
941 #else /* UMich LDAP aka OpenLDAP 1.x */
942 *errmsg = string_sprintf("ldap_result failed: %d, %s",
943 lcp->ld->ld_errno, ldap_err2string(lcp->ld->ld_errno));
944 #endif
945
946 goto RETURN_ERROR;
947 }
948
949 /* A return code that isn't -1 doesn't necessarily mean there were no problems
950 with the search. The message must be an LDAP_RES_SEARCH_RESULT or
951 LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
952 of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
953 we don't provide that functionality when we can't. :-) */
954
955 if (rc != LDAP_RES_SEARCH_RESULT
956 #ifdef LDAP_RES_SEARCH_REFERENCE
957 && rc != LDAP_RES_SEARCH_REFERENCE
958 #endif
959 )
960 {
961 *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
962 goto RETURN_ERROR;
963 }
964
965 /* We have a result message from the server. This doesn't yet mean all is well.
966 We need to parse the message to find out exactly what's happened. */
967
968 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
969 ldap_rc = rc;
970 ldap_parse_rc = ldap_parse_result(lcp->ld, result, &rc, CSS &matched,
971 CSS &error2, NULL, NULL, 0);
972 DEBUG(D_lookup) debug_printf("ldap_parse_result: %d\n", ldap_parse_rc);
973 if (ldap_parse_rc < 0 &&
974 (ldap_parse_rc != LDAP_NO_RESULTS_RETURNED
975 #ifdef LDAP_RES_SEARCH_REFERENCE
976 || ldap_rc != LDAP_RES_SEARCH_REFERENCE
977 #endif
978 ))
979 {
980 *errmsg = string_sprintf("ldap_parse_result failed %d", ldap_parse_rc);
981 goto RETURN_ERROR;
982 }
983 error1 = US ldap_err2string(rc);
984
985 #elif defined LDAP_LIB_NETSCAPE
986 /* Dubious (it doesn't reference 'result' at all!) */
987 rc = ldap_get_lderrno(lcp->ld, &matched, &error1);
988
989 #else /* UMich LDAP aka OpenLDAP 1.x */
990 rc = ldap_result2error(lcp->ld, result, 0);
991 error1 = ldap_err2string(rc);
992 error2 = lcp->ld->ld_error;
993 matched = lcp->ld->ld_matched;
994 #endif
995
996 /* Process the status as follows:
997
998 (1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the
999 truncated result list.
1000
1001 (2) If we get LDAP_RES_SEARCH_REFERENCE, also just carry on. This was a
1002 submitted patch that is reported to "do the right thing" with Solaris
1003 LDAP libraries. (The problem it addresses apparently does not occur with
1004 Open LDAP.)
1005
1006 (3) The range of errors defined by LDAP_NAME_ERROR generally mean "that
1007 object does not, or cannot, exist in the database". For those cases we
1008 fail the lookup.
1009
1010 (4) All other non-successes here are treated as some kind of problem with
1011 the lookup, so return DEFER (which is the default in error_yield).
1012 */
1013
1014 DEBUG(D_lookup) debug_printf("ldap_parse_result yielded %d: %s\n",
1015 rc, ldap_err2string(rc));
1016
1017 if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED
1018 #ifdef LDAP_RES_SEARCH_REFERENCE
1019 && rc != LDAP_RES_SEARCH_REFERENCE
1020 #endif
1021 )
1022 {
1023 *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
1024 rc,
1025 (error1 != NULL)? error1 : US"",
1026 (error2 != NULL && error2[0] != 0)? US"/" : US"",
1027 (error2 != NULL)? error2 : US"",
1028 (matched != NULL && matched[0] != 0)? US"/" : US"",
1029 (matched != NULL)? matched : US"");
1030
1031 #if defined LDAP_NAME_ERROR
1032 if (LDAP_NAME_ERROR(rc))
1033 #elif defined NAME_ERROR /* OPENLDAP1 calls it this */
1034 if (NAME_ERROR(rc))
1035 #else
1036 if (rc == LDAP_NO_SUCH_OBJECT)
1037 #endif
1038
1039 {
1040 DEBUG(D_lookup) debug_printf("lookup failure forced\n");
1041 error_yield = FAIL;
1042 }
1043 goto RETURN_ERROR;
1044 }
1045
1046 /* The search succeeded. Check if we have too many results */
1047
1048 if (search_type != SEARCH_LDAP_MULTIPLE && rescount > 1)
1049 {
1050 *errmsg = string_sprintf("LDAP search: more than one entry (%d) was returned "
1051 "(filter not specific enough?)", rescount);
1052 goto RETURN_ERROR_BREAK;
1053 }
1054
1055 /* Check if we have too few (zero) entries */
1056
1057 if (rescount < 1)
1058 {
1059 *errmsg = string_sprintf("LDAP search: no results");
1060 error_yield = FAIL;
1061 goto RETURN_ERROR_BREAK;
1062 }
1063
1064 /* If an entry was found, but it had no attributes, we behave as if no entries
1065 were found, that is, the lookup failed. */
1066
1067 if (!attribute_found)
1068 {
1069 *errmsg = US"LDAP search: found no attributes";
1070 error_yield = FAIL;
1071 goto RETURN_ERROR;
1072 }
1073
1074 /* Otherwise, it's all worked */
1075
1076 DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s);
1077 *res = data->s;
1078
1079 RETURN_OK:
1080 if (result != NULL) ldap_msgfree(result);
1081 ldap_free_urldesc(ludp);
1082 return OK;
1083
1084 /* Error returns */
1085
1086 RETURN_ERROR_BREAK:
1087 *defer_break = TRUE;
1088
1089 RETURN_ERROR:
1090 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1091
1092 RETURN_ERROR_NOMSG:
1093 if (result != NULL) ldap_msgfree(result);
1094 if (ludp != NULL) ldap_free_urldesc(ludp);
1095
1096 #if defined LDAP_LIB_OPENLDAP2
1097 if (error2 != NULL) ldap_memfree(error2);
1098 if (matched != NULL) ldap_memfree(matched);
1099 #endif
1100
1101 return error_yield;
1102 }
1103
1104
1105
1106 /*************************************************
1107 * Internal search control function *
1108 *************************************************/
1109
1110 /* This function is called from eldap_find(), eldapauth_find(), eldapdn_find(),
1111 and eldapm_find() with a difference in the "search_type" argument. It controls
1112 calls to perform_ldap_search() which actually does the work. We call that
1113 repeatedly for certain types of defer in the case when the URL contains no host
1114 name and eldap_default_servers is set to a list of servers to try. This gives
1115 more control than just passing over a list of hosts to ldap_open() because it
1116 handles other kinds of defer as well as just a failure to open. Note that the
1117 URL is defined to contain either zero or one "hostport" only.
1118
1119 Parameter data in addition to the URL can be passed as preceding text in the
1120 string, as items of the form XXX=yyy. The URL itself can be detected because it
1121 must begin "ldapx://", where x is empty, s, or i.
1122
1123 Arguments:
1124 ldap_url the URL to be looked up, optionally preceded by other parameter
1125 settings
1126 search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries
1127 SEARCH_LDAP_SINGLE allows values from one entry only
1128 SEARCH_LDAP_DN gets the DN from one entry
1129 res set to point at the result
1130 errmsg set to point a message if result is not OK
1131
1132 Returns: OK or FAIL or DEFER
1133 */
1134
1135 static int
1136 control_ldap_search(const uschar *ldap_url, int search_type, uschar **res,
1137 uschar **errmsg)
1138 {
1139 BOOL defer_break = FALSE;
1140 int timelimit = LDAP_NO_LIMIT;
1141 int sizelimit = LDAP_NO_LIMIT;
1142 int tcplimit = 0;
1143 int sep = 0;
1144 int dereference = LDAP_DEREF_NEVER;
1145 void* referrals = LDAP_OPT_ON;
1146 const uschar *url = ldap_url;
1147 const uschar *p;
1148 uschar *user = NULL;
1149 uschar *password = NULL;
1150 uschar *local_servers = NULL;
1151 uschar *server;
1152 const uschar *list;
1153 uschar buffer[512];
1154
1155 while (isspace(*url)) url++;
1156
1157 /* Until the string begins "ldap", search for the other parameter settings that
1158 are recognized. They are of the form NAME=VALUE, with the value being
1159 optionally double-quoted. There must still be a space after it, however. No
1160 NAME has the value "ldap". */
1161
1162 while (strncmpic(url, US"ldap", 4) != 0)
1163 {
1164 const uschar *name = url;
1165 while (*url != 0 && *url != '=') url++;
1166 if (*url == '=')
1167 {
1168 int namelen;
1169 uschar *value;
1170 namelen = ++url - name;
1171 value = string_dequote(&url);
1172 if (isspace(*url))
1173 {
1174 if (strncmpic(name, US"USER=", namelen) == 0) user = value;
1175 else if (strncmpic(name, US"PASS=", namelen) == 0) password = value;
1176 else if (strncmpic(name, US"SIZE=", namelen) == 0) sizelimit = Uatoi(value);
1177 else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
1178 else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
1179 else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
1180 else if (strncmpic(name, US"SERVERS=", namelen) == 0) local_servers = value;
1181
1182 /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
1183
1184 #ifdef LDAP_OPT_DEREF
1185 else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
1186 {
1187 if (strcmpic(value, US"never") == 0) dereference = LDAP_DEREF_NEVER;
1188 else if (strcmpic(value, US"searching") == 0)
1189 dereference = LDAP_DEREF_SEARCHING;
1190 else if (strcmpic(value, US"finding") == 0)
1191 dereference = LDAP_DEREF_FINDING;
1192 if (strcmpic(value, US"always") == 0) dereference = LDAP_DEREF_ALWAYS;
1193 }
1194 #else
1195 else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
1196 {
1197 *errmsg = string_sprintf("LDAP_OP_DEREF not defined in this LDAP "
1198 "library - cannot use \"dereference\"");
1199 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1200 return DEFER;
1201 }
1202 #endif
1203
1204 #ifdef LDAP_OPT_REFERRALS
1205 else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
1206 {
1207 if (strcmpic(value, US"follow") == 0) referrals = LDAP_OPT_ON;
1208 else if (strcmpic(value, US"nofollow") == 0) referrals = LDAP_OPT_OFF;
1209 else
1210 {
1211 *errmsg = string_sprintf("LDAP option REFERRALS is not \"follow\" "
1212 "or \"nofollow\"");
1213 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1214 return DEFER;
1215 }
1216 }
1217 #else
1218 else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
1219 {
1220 *errmsg = string_sprintf("LDAP_OP_REFERRALS not defined in this LDAP "
1221 "library - cannot use \"referrals\"");
1222 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1223 return DEFER;
1224 }
1225 #endif
1226
1227 else
1228 {
1229 *errmsg =
1230 string_sprintf("unknown parameter \"%.*s\" precedes LDAP URL",
1231 namelen, name);
1232 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1233 return DEFER;
1234 }
1235 while (isspace(*url)) url++;
1236 continue;
1237 }
1238 }
1239 *errmsg = US"malformed parameter setting precedes LDAP URL";
1240 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1241 return DEFER;
1242 }
1243
1244 /* If user is set, de-URL-quote it. Some LDAP libraries do this for themselves,
1245 but it seems that not all behave like this. The DN for the user is often the
1246 result of ${quote_ldap_dn:...} quoting, which does apply URL quoting, because
1247 that is needed when the DN is used as a base DN in a query. Sigh. This is all
1248 far too complicated. */
1249
1250 if (user != NULL)
1251 {
1252 uschar *s;
1253 uschar *t = user;
1254 for (s = user; *s != 0; s++)
1255 {
1256 int c, d;
1257 if (*s == '%' && isxdigit(c=s[1]) && isxdigit(d=s[2]))
1258 {
1259 c = tolower(c);
1260 d = tolower(d);
1261 *t++ =
1262 (((c >= 'a')? (10 + c - 'a') : c - '0') << 4) |
1263 ((d >= 'a')? (10 + d - 'a') : d - '0');
1264 s += 2;
1265 }
1266 else *t++ = *s;
1267 }
1268 *t = 0;
1269 }
1270
1271 DEBUG(D_lookup)
1272 debug_printf("LDAP parameters: user=%s pass=%s size=%d time=%d connect=%d "
1273 "dereference=%d referrals=%s\n", user, password, sizelimit, timelimit,
1274 tcplimit, dereference, (referrals == LDAP_OPT_ON)? "on" : "off");
1275
1276 /* If the request is just to check authentication, some credentials must
1277 be given. The password must not be empty because LDAP binds with an empty
1278 password are considered anonymous, and will succeed on most installations. */
1279
1280 if (search_type == SEARCH_LDAP_AUTH)
1281 {
1282 if (user == NULL || password == NULL)
1283 {
1284 *errmsg = US"ldapauth lookups must specify the username and password";
1285 return DEFER;
1286 }
1287 if (password[0] == 0)
1288 {
1289 DEBUG(D_lookup) debug_printf("Empty password: ldapauth returns FAIL\n");
1290 return FAIL;
1291 }
1292 }
1293
1294 /* Check for valid ldap url starters */
1295
1296 p = url + 4;
1297 if (tolower(*p) == 's' || tolower(*p) == 'i') p++;
1298 if (Ustrncmp(p, "://", 3) != 0)
1299 {
1300 *errmsg = string_sprintf("LDAP URL does not start with \"ldap://\", "
1301 "\"ldaps://\", or \"ldapi://\" (it starts with \"%.16s...\")", url);
1302 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1303 return DEFER;
1304 }
1305
1306 /* No default servers, or URL contains a server name: just one attempt */
1307
1308 if ((eldap_default_servers == NULL && local_servers == NULL) || p[3] != '/')
1309 {
1310 return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
1311 &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
1312 referrals);
1313 }
1314
1315 /* Loop through the default servers until OK or FAIL. Use local_servers list
1316 * if defined in the lookup, otherwise use the global default list */
1317 list = (local_servers == NULL) ? eldap_default_servers : local_servers;
1318 while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
1319 {
1320 int rc;
1321 int port = 0;
1322 uschar *colon = Ustrchr(server, ':');
1323 if (colon != NULL)
1324 {
1325 *colon = 0;
1326 port = Uatoi(colon+1);
1327 }
1328 rc = perform_ldap_search(url, server, port, search_type, res, errmsg,
1329 &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
1330 referrals);
1331 if (rc != DEFER || defer_break) return rc;
1332 }
1333
1334 return DEFER;
1335 }
1336
1337
1338
1339 /*************************************************
1340 * Find entry point *
1341 *************************************************/
1342
1343 /* See local README for interface description. The different kinds of search
1344 are handled by a common function, with a flag to differentiate between them.
1345 The handle and filename arguments are not used. */
1346
1347 static int
1348 eldap_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
1349 uschar **result, uschar **errmsg, uint *do_cache)
1350 {
1351 /* Keep picky compilers happy */
1352 do_cache = do_cache;
1353 return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg));
1354 }
1355
1356 static int
1357 eldapm_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
1358 uschar **result, uschar **errmsg, uint *do_cache)
1359 {
1360 /* Keep picky compilers happy */
1361 do_cache = do_cache;
1362 return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg));
1363 }
1364
1365 static int
1366 eldapdn_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
1367 uschar **result, uschar **errmsg, uint *do_cache)
1368 {
1369 /* Keep picky compilers happy */
1370 do_cache = do_cache;
1371 return(control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg));
1372 }
1373
1374 int
1375 eldapauth_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
1376 uschar **result, uschar **errmsg, uint *do_cache)
1377 {
1378 /* Keep picky compilers happy */
1379 do_cache = do_cache;
1380 return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg));
1381 }
1382
1383
1384
1385 /*************************************************
1386 * Open entry point *
1387 *************************************************/
1388
1389 /* See local README for interface description. */
1390
1391 static void *
1392 eldap_open(uschar *filename, uschar **errmsg)
1393 {
1394 return (void *)(1); /* Just return something non-null */
1395 }
1396
1397
1398
1399 /*************************************************
1400 * Tidy entry point *
1401 *************************************************/
1402
1403 /* See local README for interface description.
1404 Make sure that eldap_dn does not refer to reclaimed or worse, freed store */
1405
1406 static void
1407 eldap_tidy(void)
1408 {
1409 LDAP_CONNECTION *lcp = NULL;
1410 eldap_dn = NULL;
1411
1412 while ((lcp = ldap_connections) != NULL)
1413 {
1414 DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
1415 lcp->port);
1416 if(lcp->bound == TRUE)
1417 ldap_unbind(lcp->ld);
1418 ldap_connections = lcp->next;
1419 }
1420 }
1421
1422
1423
1424 /*************************************************
1425 * Quote entry point *
1426 *************************************************/
1427
1428 /* LDAP quoting is unbelievably messy. For a start, two different levels of
1429 quoting have to be done: LDAP quoting, and URL quoting. The current
1430 specification is the result of a suggestion by Brian Candler. It recognizes
1431 two separate cases:
1432
1433 (1) For text that appears in a search filter, the following escapes are
1434 required (see RFC 2254):
1435
1436 * -> \2A
1437 ( -> \28
1438 ) -> \29
1439 \ -> \5C
1440 NULL -> \00
1441
1442 Then the entire filter text must be URL-escaped. This kind of quoting is
1443 implemented by ${quote_ldap:....}. Note that we can never have a NULL
1444 in the input string, because that's a terminator.
1445
1446 (2) For a DN that is part of a URL (i.e. the base DN), the characters
1447
1448 , + " \ < > ;
1449
1450 must be quoted by backslashing. See RFC 2253. Leading and trailing spaces
1451 must be escaped, as must a leading #. Then the string must be URL-quoted.
1452 This type of quoting is implemented by ${quote_ldap_dn:....}.
1453
1454 For URL quoting, the only characters that need not be quoted are the
1455 alphamerics and
1456
1457 ! $ ' ( ) * + - . _
1458
1459 All the others must be hexified and preceded by %. This includes the
1460 backslashes used for LDAP quoting.
1461
1462 For a DN that is given in the USER parameter for authentication, we need the
1463 same initial quoting as (2) but in this case, the result must NOT be
1464 URL-escaped, because it isn't a URL. The way this is handled is by
1465 de-URL-quoting the text when processing the USER parameter in
1466 control_ldap_search() above. That means that the same quote operator can be
1467 used. This has the additional advantage that spaces in the DN won't cause
1468 parsing problems. For example:
1469
1470 USER=cn=${quote_ldap_dn:$1},%20dc=example,%20dc=com
1471
1472 should be safe if there are spaces in $1.
1473
1474
1475 Arguments:
1476 s the string to be quoted
1477 opt additional option text or NULL if none
1478 only "dn" is recognized
1479
1480 Returns: the processed string or NULL for a bad option
1481 */
1482
1483
1484
1485 /* The characters in this string, together with alphanumerics, never need
1486 quoting in any way. */
1487
1488 #define ALWAYS_LITERAL "!$'-._"
1489
1490 /* The special characters in this string do not need to be URL-quoted. The set
1491 is a bit larger than the general literals. */
1492
1493 #define URL_NONQUOTE ALWAYS_LITERAL "()*+"
1494
1495 /* The following macros define the characters that are quoted by quote_ldap and
1496 quote_ldap_dn, respectively. */
1497
1498 #define LDAP_QUOTE "*()\\"
1499 #define LDAP_DN_QUOTE ",+\"\\<>;"
1500
1501
1502
1503 static uschar *
1504 eldap_quote(uschar *s, uschar *opt)
1505 {
1506 register int c;
1507 int count = 0;
1508 int len = 0;
1509 BOOL dn = FALSE;
1510 uschar *t = s;
1511 uschar *quoted;
1512
1513 /* Test for a DN quotation. */
1514
1515 if (opt != NULL)
1516 {
1517 if (Ustrcmp(opt, "dn") != 0) return NULL; /* No others recognized */
1518 dn = TRUE;
1519 }
1520
1521 /* Compute how much extra store we need for the string. This doesn't have to be
1522 exact as long as it isn't an underestimate. The worst case is the addition of 5
1523 extra bytes for a single character. This occurs for certain characters in DNs,
1524 where, for example, < turns into %5C%3C. For simplicity, we just add 5 for each
1525 possibly escaped character. The really fast way would be just to test for
1526 non-alphanumerics, but it is probably better to spot a few others that are
1527 never escaped, because if there are no specials at all, we can avoid copying
1528 the string. */
1529
1530 while ((c = *t++) != 0)
1531 {
1532 len++;
1533 if (!isalnum(c) && Ustrchr(ALWAYS_LITERAL, c) == NULL) count += 5;
1534 }
1535 if (count == 0) return s;
1536
1537 /* Get sufficient store to hold the quoted string */
1538
1539 t = quoted = store_get(len + count + 1);
1540
1541 /* Handle plain quote_ldap */
1542
1543 if (!dn)
1544 {
1545 while ((c = *s++) != 0)
1546 {
1547 if (!isalnum(c))
1548 {
1549 if (Ustrchr(LDAP_QUOTE, c) != NULL)
1550 {
1551 sprintf(CS t, "%%5C%02X", c); /* e.g. * => %5C2A */
1552 t += 5;
1553 continue;
1554 }
1555 if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */
1556 {
1557 sprintf(CS t, "%%%02X", c);
1558 t += 3;
1559 continue;
1560 }
1561 }
1562 *t++ = c; /* unquoted character */
1563 }
1564 }
1565
1566 /* Handle quote_ldap_dn */
1567
1568 else
1569 {
1570 uschar *ss = s + len;
1571
1572 /* Find the last char before any trailing spaces */
1573
1574 while (ss > s && ss[-1] == ' ') ss--;
1575
1576 /* Quote leading spaces and sharps */
1577
1578 for (; s < ss; s++)
1579 {
1580 if (*s != ' ' && *s != '#') break;
1581 sprintf(CS t, "%%5C%%%02X", *s);
1582 t += 6;
1583 }
1584
1585 /* Handle the rest of the string, up to the trailing spaces */
1586
1587 while (s < ss)
1588 {
1589 c = *s++;
1590 if (!isalnum(c))
1591 {
1592 if (Ustrchr(LDAP_DN_QUOTE, c) != NULL)
1593 {
1594 Ustrncpy(t, "%5C", 3); /* insert \ where needed */
1595 t += 3; /* fall through to check URL */
1596 }
1597 if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */
1598 {
1599 sprintf(CS t, "%%%02X", c);
1600 t += 3;
1601 continue;
1602 }
1603 }
1604 *t++ = c; /* unquoted character, or non-URL quoted after %5C */
1605 }
1606
1607 /* Handle the trailing spaces */
1608
1609 while (*ss++ != 0)
1610 {
1611 Ustrncpy(t, "%5C%20", 6);
1612 t += 6;
1613 }
1614 }
1615
1616 /* Terminate the new string and return */
1617
1618 *t = 0;
1619 return quoted;
1620 }
1621
1622
1623
1624 /*************************************************
1625 * Version reporting entry point *
1626 *************************************************/
1627
1628 /* See local README for interface description. */
1629
1630 #include "../version.h"
1631
1632 void
1633 ldap_version_report(FILE *f)
1634 {
1635 #ifdef DYNLOOKUP
1636 fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
1637 #endif
1638 }
1639
1640
1641 static lookup_info ldap_lookup_info = {
1642 US"ldap", /* lookup name */
1643 lookup_querystyle, /* query-style lookup */
1644 eldap_open, /* open function */
1645 NULL, /* check function */
1646 eldap_find, /* find function */
1647 NULL, /* no close function */
1648 eldap_tidy, /* tidy function */
1649 eldap_quote, /* quoting function */
1650 ldap_version_report /* version reporting */
1651 };
1652
1653 static lookup_info ldapdn_lookup_info = {
1654 US"ldapdn", /* lookup name */
1655 lookup_querystyle, /* query-style lookup */
1656 eldap_open, /* sic */ /* open function */
1657 NULL, /* check function */
1658 eldapdn_find, /* find function */
1659 NULL, /* no close function */
1660 eldap_tidy, /* sic */ /* tidy function */
1661 eldap_quote, /* sic */ /* quoting function */
1662 NULL /* no version reporting (redundant) */
1663 };
1664
1665 static lookup_info ldapm_lookup_info = {
1666 US"ldapm", /* lookup name */
1667 lookup_querystyle, /* query-style lookup */
1668 eldap_open, /* sic */ /* open function */
1669 NULL, /* check function */
1670 eldapm_find, /* find function */
1671 NULL, /* no close function */
1672 eldap_tidy, /* sic */ /* tidy function */
1673 eldap_quote, /* sic */ /* quoting function */
1674 NULL /* no version reporting (redundant) */
1675 };
1676
1677 #ifdef DYNLOOKUP
1678 #define ldap_lookup_module_info _lookup_module_info
1679 #endif
1680
1681 static lookup_info *_lookup_list[] = { &ldap_lookup_info, &ldapdn_lookup_info, &ldapm_lookup_info };
1682 lookup_module_info ldap_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
1683
1684 /* End of lookups/ldap.c */
Unnamed repository; edit this file 'description' to name the repository.