projects / exim.git / blob
? search:


bb29b43afcae998970e83bd62139b75f8aa5d1c9
[exim.git] / src / src / lookups / ldap.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Many thanks to Stuart Lynne for contributing the original code for this
9 driver. Further contibutions from Michael Haardt, Brian Candler, Barry
10 Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for
11 researching how to handle the different kinds of error. */
12
13
14 #include "../exim.h"
15 #include "lf_functions.h"
16
17
18 /* Include LDAP headers. The code below uses some "old" LDAP interfaces that
19 are deprecated in OpenLDAP. I don't know their status in other LDAP
20 implementations. LDAP_DEPRECATED causes their prototypes to be defined in
21 ldap.h. */
22
23 #define LDAP_DEPRECATED 1
24
25 #include <lber.h>
26 #include <ldap.h>
27
28
29 /* Annoyingly, the different LDAP libraries handle errors in different ways,
30 and some other things too. There doesn't seem to be an automatic way of
31 distinguishing between them. Local/Makefile should contain a setting of
32 LDAP_LIB_TYPE, which in turn causes appropriate macros to be defined for the
33 different kinds. Those that matter are:
34
35 LDAP_LIB_NETSCAPE
36 LDAP_LIB_SOLARIS with synonym LDAP_LIB_SOLARIS7
37 LDAP_LIB_OPENLDAP2
38
39 These others may be defined, but are in fact the default, so are not tested:
40
41 LDAP_LIB_UMICHIGAN
42 LDAP_LIB_OPENLDAP1
43 */
44
45 #if defined(LDAP_LIB_SOLARIS7) && ! defined(LDAP_LIB_SOLARIS)
46 #define LDAP_LIB_SOLARIS
47 #endif
48
49
50 /* Just in case LDAP_NO_LIMIT is not defined by some of these libraries. */
51
52 #ifndef LDAP_NO_LIMIT
53 #define LDAP_NO_LIMIT 0
54 #endif
55
56
57 /* Just in case LDAP_DEREF_NEVER is not defined */
58
59 #ifndef LDAP_DEREF_NEVER
60 #define LDAP_DEREF_NEVER 0
61 #endif
62
63
64 /* Four types of LDAP search are implemented */
65
66 #define SEARCH_LDAP_MULTIPLE 0 /* Get attributes from multiple entries */
67 #define SEARCH_LDAP_SINGLE 1 /* Get attributes from one entry only */
68 #define SEARCH_LDAP_DN 2 /* Get just the DN from one entry */
69 #define SEARCH_LDAP_AUTH 3 /* Just checking for authentication */
70
71 /* In all 4 cases, the DN is left in $ldap_dn (which post-dates the
72 SEARCH_LDAP_DN lookup). */
73
74
75 /* Structure and anchor for caching connections. */
76
77 typedef struct ldap_connection {
78 struct ldap_connection *next;
79 uschar *host;
80 uschar *user;
81 uschar *password;
82 BOOL bound;
83 int port;
84 BOOL is_start_tls_called;
85 LDAP *ld;
86 } LDAP_CONNECTION;
87
88 static LDAP_CONNECTION *ldap_connections = NULL;
89
90
91
92 /*************************************************
93 * Internal search function *
94 *************************************************/
95
96 /* This is the function that actually does the work. It is called (indirectly
97 via control_ldap_search) from eldap_find(), eldapauth_find(), eldapdn_find(),
98 and eldapm_find(), with a difference in the "search_type" argument.
99
100 The case of eldapauth_find() is special in that all it does is do
101 authentication, returning OK or FAIL as appropriate. This isn't used as a
102 lookup. Instead, it is called from expand.c as an expansion condition test.
103
104 The DN from a successful lookup is placed in $ldap_dn. This feature postdates
105 the provision of the SEARCH_LDAP_DN facility for returning just the DN as the
106 data.
107
108 Arguments:
109 ldap_url the URL to be looked up
110 server server host name, when URL contains none
111 s_port server port, used when URL contains no name
112 search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries
113 SEARCH_LDAP_SINGLE allows values from one entry only
114 SEARCH_LDAP_DN gets the DN from one entry
115 res set to point at the result (not used for ldapauth)
116 errmsg set to point a message if result is not OK
117 defer_break set TRUE if no more servers to be tried after a DEFER
118 user user name for authentication, or NULL
119 password password for authentication, or NULL
120 sizelimit max number of entries returned, or 0 for no limit
121 timelimit max time to wait, or 0 for no limit
122 tcplimit max time for network activity, e.g. connect, or 0 for OS default
123 deference the dereference option, which is one of
124 LDAP_DEREF_{NEVER,SEARCHING,FINDING,ALWAYS}
125 referrals the referral option, which is LDAP_OPT_ON or LDAP_OPT_OFF
126
127 Returns: OK or FAIL or DEFER
128 FAIL is given only if a lookup was performed successfully, but
129 returned no data.
130 */
131
132 static int
133 perform_ldap_search(uschar *ldap_url, uschar *server, int s_port, int search_type,
134 uschar **res, uschar **errmsg, BOOL *defer_break, uschar *user, uschar *password,
135 int sizelimit, int timelimit, int tcplimit, int dereference, void *referrals)
136 {
137 LDAPURLDesc *ludp = NULL;
138 LDAPMessage *result = NULL;
139 BerElement *ber;
140 LDAP_CONNECTION *lcp;
141
142 struct timeval timeout;
143 struct timeval *timeoutptr = NULL;
144
145 uschar *attr;
146 uschar **attrp;
147 uschar *data = NULL;
148 uschar *dn = NULL;
149 uschar *host;
150 uschar **values;
151 uschar **firstval;
152 uschar porttext[16];
153
154 uschar *error1 = NULL; /* string representation of errcode (static) */
155 uschar *error2 = NULL; /* error message from the server */
156 uschar *matched = NULL; /* partially matched DN */
157
158 int attr_count = 0;
159 int error_yield = DEFER;
160 int msgid;
161 int rc, ldap_rc, ldap_parse_rc;
162 int port;
163 int ptr = 0;
164 int rescount = 0;
165 int size = 0;
166 BOOL attribute_found = FALSE;
167 BOOL ldapi = FALSE;
168
169 DEBUG(D_lookup)
170 debug_printf("perform_ldap_search: ldap%s URL = \"%s\" server=%s port=%d "
171 "sizelimit=%d timelimit=%d tcplimit=%d\n",
172 (search_type == SEARCH_LDAP_MULTIPLE)? "m" :
173 (search_type == SEARCH_LDAP_DN)? "dn" :
174 (search_type == SEARCH_LDAP_AUTH)? "auth" : "",
175 ldap_url, server, s_port, sizelimit, timelimit, tcplimit);
176
177 /* Check if LDAP thinks the URL is a valid LDAP URL. We assume that if the LDAP
178 library that is in use doesn't recognize, say, "ldapi", it will barf here. */
179
180 if (!ldap_is_ldap_url(CS ldap_url))
181 {
182 *errmsg = string_sprintf("ldap_is_ldap_url: not an LDAP url \"%s\"\n",
183 ldap_url);
184 goto RETURN_ERROR_BREAK;
185 }
186
187 /* Parse the URL */
188
189 if ((rc = ldap_url_parse(CS ldap_url, &ludp)) != 0)
190 {
191 *errmsg = string_sprintf("ldap_url_parse: (error %d) parsing \"%s\"\n", rc,
192 ldap_url);
193 goto RETURN_ERROR_BREAK;
194 }
195
196 /* If the host name is empty, take it from the separate argument, if one is
197 given. OpenLDAP 2.0.6 sets an unset hostname to "" rather than empty, but
198 expects NULL later in ldap_init() to mean "default", annoyingly. In OpenLDAP
199 2.0.11 this has changed (it uses NULL). */
200
201 if ((ludp->lud_host == NULL || ludp->lud_host[0] == 0) && server != NULL)
202 {
203 host = server;
204 port = s_port;
205 }
206 else
207 {
208 host = US ludp->lud_host;
209 if (host != NULL && host[0] == 0) host = NULL;
210 port = ludp->lud_port;
211 }
212
213 DEBUG(D_lookup) debug_printf("after ldap_url_parse: host=%s port=%d\n",
214 host, port);
215
216 if (port == 0) port = LDAP_PORT; /* Default if none given */
217 sprintf(CS porttext, ":%d", port); /* For messages */
218
219 /* If the "host name" is actually a path, we are going to connect using a Unix
220 socket, regardless of whether "ldapi" was actually specified or not. This means
221 that a Unix socket can be declared in eldap_default_servers, and "traditional"
222 LDAP queries using just "ldap" can be used ("ldaps" is similarly overridden).
223 The path may start with "/" or it may already be escaped as "%2F" if it was
224 actually declared that way in eldap_default_servers. (I did it that way the
225 first time.) If the host name is not a path, the use of "ldapi" causes an
226 error, except in the default case. (But lud_scheme doesn't seem to exist in
227 older libraries.) */
228
229 if (host != NULL)
230 {
231 if ((host[0] == '/' || Ustrncmp(host, "%2F", 3) == 0))
232 {
233 ldapi = TRUE;
234 porttext[0] = 0; /* Remove port from messages */
235 }
236
237 #if defined LDAP_LIB_OPENLDAP2
238 else if (strncmp(ludp->lud_scheme, "ldapi", 5) == 0)
239 {
240 *errmsg = string_sprintf("ldapi requires an absolute path (\"%s\" given)",
241 host);
242 goto RETURN_ERROR;
243 }
244 #endif
245 }
246
247 /* Count the attributes; we need this later to tell us how to format results */
248
249 for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++)
250 attr_count++;
251
252 /* See if we can find a cached connection to this host. The port is not
253 relevant for ldapi. The host name pointer is set to NULL if no host was given
254 (implying the library default), rather than to the empty string. Note that in
255 this case, there is no difference between ldap and ldapi. */
256
257 for (lcp = ldap_connections; lcp != NULL; lcp = lcp->next)
258 {
259 if ((host == NULL) != (lcp->host == NULL) ||
260 (host != NULL && strcmpic(lcp->host, host) != 0))
261 continue;
262 if (ldapi || port == lcp->port) break;
263 }
264
265 /* Use this network timeout in any requests. */
266
267 if (tcplimit > 0)
268 {
269 timeout.tv_sec = tcplimit;
270 timeout.tv_usec = 0;
271 timeoutptr = &timeout;
272 }
273
274 /* If no cached connection found, we must open a connection to the server. If
275 the server name is actually an absolute path, we set ldapi=TRUE above. This
276 requests connection via a Unix socket. However, as far as I know, only OpenLDAP
277 supports the use of sockets, and the use of ldap_initialize(). */
278
279 if (lcp == NULL)
280 {
281 LDAP *ld;
282
283
284 /* --------------------------- OpenLDAP ------------------------ */
285
286 /* There seems to be a preference under OpenLDAP for ldap_initialize()
287 instead of ldap_init(), though I have as yet been unable to find
288 documentation that says this. (OpenLDAP documentation is sparse to
289 non-existent). So we handle OpenLDAP differently here. Also, support for
290 ldapi seems to be OpenLDAP-only at present. */
291
292 #ifdef LDAP_LIB_OPENLDAP2
293
294 /* We now need an empty string for the default host. Get some store in which
295 to build a URL for ldap_initialize(). In the ldapi case, it can't be bigger
296 than (9 + 3*Ustrlen(shost)), whereas in the other cases it can't be bigger
297 than the host name + "ldaps:///" plus : and a port number, say 20 + the
298 length of the host name. What we get should accommodate both, easily. */
299
300 uschar *shost = (host == NULL)? US"" : host;
301 uschar *init_url = store_get(20 + 3 * Ustrlen(shost));
302 uschar *init_ptr;
303
304 /* Handle connection via Unix socket ("ldapi"). We build a basic LDAP URI to
305 contain the path name, with slashes escaped as %2F. */
306
307 if (ldapi)
308 {
309 int ch;
310 init_ptr = init_url + 8;
311 Ustrcpy(init_url, "ldapi://");
312 while ((ch = *shost++) != 0)
313 {
314 if (ch == '/')
315 {
316 Ustrncpy(init_ptr, "%2F", 3);
317 init_ptr += 3;
318 }
319 else *init_ptr++ = ch;
320 }
321 *init_ptr = 0;
322 }
323
324 /* This is not an ldapi call. Just build a URI with the protocol type, host
325 name, and port. */
326
327 else
328 {
329 init_ptr = Ustrchr(ldap_url, '/');
330 Ustrncpy(init_url, ldap_url, init_ptr - ldap_url);
331 init_ptr = init_url + (init_ptr - ldap_url);
332 sprintf(CS init_ptr, "//%s:%d/", shost, port);
333 }
334
335 /* Call ldap_initialize() and check the result */
336
337 DEBUG(D_lookup) debug_printf("ldap_initialize with URL %s\n", init_url);
338 rc = ldap_initialize(&ld, CS init_url);
339 if (rc != LDAP_SUCCESS)
340 {
341 *errmsg = string_sprintf("ldap_initialize: (error %d) URL \"%s\"\n",
342 rc, init_url);
343 goto RETURN_ERROR;
344 }
345 store_reset(init_url); /* Might as well save memory when we can */
346
347
348 /* ------------------------- Not OpenLDAP ---------------------- */
349
350 /* For libraries other than OpenLDAP, use ldap_init(). */
351
352 #else /* LDAP_LIB_OPENLDAP2 */
353 ld = ldap_init(CS host, port);
354 #endif /* LDAP_LIB_OPENLDAP2 */
355
356 /* -------------------------------------------------------------- */
357
358
359 /* Handle failure to initialize */
360
361 if (ld == NULL)
362 {
363 *errmsg = string_sprintf("failed to initialize for LDAP server %s%s - %s",
364 host, porttext, strerror(errno));
365 goto RETURN_ERROR;
366 }
367
368 /* Set the TCP connect time limit if available. This is something that is
369 in Netscape SDK v4.1; I don't know about other libraries. */
370
371 #ifdef LDAP_X_OPT_CONNECT_TIMEOUT
372 if (tcplimit > 0)
373 {
374 int timeout1000 = tcplimit*1000;
375 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000);
376 }
377 else
378 {
379 int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT;
380 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&notimeout);
381 }
382 #endif
383
384 /* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */
385
386 #ifdef LDAP_OPT_NETWORK_TIMEOUT
387 if (tcplimit > 0)
388 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr);
389 #endif
390
391 /* I could not get TLS to work until I set the version to 3. That version
392 seems to be the default nowadays. The RFC is dated 1997, so I would hope
393 that all the LDAP libraries support it. Therefore, if eldap_version hasn't
394 been set, go for v3 if we can. */
395
396 if (eldap_version < 0)
397 {
398 #ifdef LDAP_VERSION3
399 eldap_version = LDAP_VERSION3;
400 #else
401 eldap_version = 2;
402 #endif
403 }
404
405 #ifdef LDAP_OPT_PROTOCOL_VERSION
406 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *)&eldap_version);
407 #endif
408
409 DEBUG(D_lookup) debug_printf("initialized for LDAP (v%d) server %s%s\n",
410 eldap_version, host, porttext);
411
412 /* If not using ldapi and TLS is available, set appropriate TLS options: hard
413 for "ldaps" and soft otherwise. */
414
415 #ifdef LDAP_OPT_X_TLS
416 if (!ldapi)
417 {
418 int tls_option;
419 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
420 if (eldap_require_cert != NULL)
421 {
422 tls_option = LDAP_OPT_X_TLS_NEVER;
423 if (Ustrcmp(eldap_require_cert, "hard") == 0)
424 {
425 tls_option = LDAP_OPT_X_TLS_HARD;
426 }
427 else if (Ustrcmp(eldap_require_cert, "demand") == 0)
428 {
429 tls_option = LDAP_OPT_X_TLS_DEMAND;
430 }
431 else if (Ustrcmp(eldap_require_cert, "allow") == 0)
432 {
433 tls_option = LDAP_OPT_X_TLS_ALLOW;
434 }
435 else if (Ustrcmp(eldap_require_cert, "try") == 0)
436 {
437 tls_option = LDAP_OPT_X_TLS_TRY;
438 }
439 DEBUG(D_lookup)
440 debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
441 tls_option);
442 }
443 else
444 #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
445 if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
446 {
447 tls_option = LDAP_OPT_X_TLS_HARD;
448 DEBUG(D_lookup)
449 debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
450 }
451 else
452 {
453 tls_option = LDAP_OPT_X_TLS_TRY;
454 DEBUG(D_lookup)
455 debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
456 }
457 ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
458 }
459 #endif /* LDAP_OPT_X_TLS */
460
461 #ifdef LDAP_OPT_X_TLS_CACERTFILE
462 if (eldap_ca_cert_file != NULL)
463 {
464 ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
465 }
466 #endif
467 #ifdef LDAP_OPT_X_TLS_CACERTDIR
468 if (eldap_ca_cert_dir != NULL)
469 {
470 ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
471 }
472 #endif
473 #ifdef LDAP_OPT_X_TLS_CERTFILE
474 if (eldap_cert_file != NULL)
475 {
476 ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
477 }
478 #endif
479 #ifdef LDAP_OPT_X_TLS_KEYFILE
480 if (eldap_cert_key != NULL)
481 {
482 ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
483 }
484 #endif
485 #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
486 if (eldap_cipher_suite != NULL)
487 {
488 ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
489 }
490 #endif
491 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
492 if (eldap_require_cert != NULL)
493 {
494 int cert_option = LDAP_OPT_X_TLS_NEVER;
495 if (Ustrcmp(eldap_require_cert, "hard") == 0)
496 {
497 cert_option = LDAP_OPT_X_TLS_HARD;
498 }
499 else if (Ustrcmp(eldap_require_cert, "demand") == 0)
500 {
501 cert_option = LDAP_OPT_X_TLS_DEMAND;
502 }
503 else if (Ustrcmp(eldap_require_cert, "allow") == 0)
504 {
505 cert_option = LDAP_OPT_X_TLS_ALLOW;
506 }
507 else if (Ustrcmp(eldap_require_cert, "try") == 0)
508 {
509 cert_option = LDAP_OPT_X_TLS_TRY;
510 }
511 /* Use NULL ldap handle because is a global option */
512 ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
513 }
514 #endif
515
516 /* Now add this connection to the chain of cached connections */
517
518 lcp = store_get(sizeof(LDAP_CONNECTION));
519 lcp->host = (host == NULL)? NULL : string_copy(host);
520 lcp->bound = FALSE;
521 lcp->user = NULL;
522 lcp->password = NULL;
523 lcp->port = port;
524 lcp->ld = ld;
525 lcp->next = ldap_connections;
526 lcp->is_start_tls_called = FALSE;
527 ldap_connections = lcp;
528 }
529
530 /* Found cached connection */
531
532 else
533 {
534 DEBUG(D_lookup)
535 debug_printf("re-using cached connection to LDAP server %s%s\n",
536 host, porttext);
537 }
538
539 /* Bind with the user/password supplied, or an anonymous bind if these values
540 are NULL, unless a cached connection is already bound with the same values. */
541
542 if (!lcp->bound ||
543 (lcp->user == NULL && user != NULL) ||
544 (lcp->user != NULL && user == NULL) ||
545 (lcp->user != NULL && user != NULL && Ustrcmp(lcp->user, user) != 0) ||
546 (lcp->password == NULL && password != NULL) ||
547 (lcp->password != NULL && password == NULL) ||
548 (lcp->password != NULL && password != NULL &&
549 Ustrcmp(lcp->password, password) != 0))
550 {
551 DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
552 (lcp->bound)? "re-" : "", user, password);
553 if (eldap_start_tls && !lcp->is_start_tls_called)
554 {
555 #if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
556 /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
557 * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
558 * export an ldap_start_tls_s symbol.
559 */
560 if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
561 {
562 *errmsg = string_sprintf("failed to initiate TLS processing on an "
563 "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
564 " %s", host, porttext, rc, ldap_err2string(rc));
565 goto RETURN_ERROR;
566 }
567 lcp->is_start_tls_called = TRUE;
568 #else
569 DEBUG(D_lookup)
570 debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
571 #endif
572 }
573 if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
574 == -1)
575 {
576 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
577 "%s%s - ldap_bind() returned -1", host, porttext);
578 goto RETURN_ERROR;
579 }
580
581 if ((rc = ldap_result( lcp->ld, msgid, 1, timeoutptr, &result )) <= 0)
582 {
583 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
584 "%s%s - LDAP error: %s", host, porttext,
585 rc == -1 ? "result retrieval failed" : "timeout" );
586 result = NULL;
587 goto RETURN_ERROR;
588 }
589
590 rc = ldap_result2error( lcp->ld, result, 0 );
591
592 /* Invalid credentials when just checking credentials returns FAIL. This
593 stops any further servers being tried. */
594
595 if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS)
596 {
597 DEBUG(D_lookup)
598 debug_printf("Invalid credentials: ldapauth returns FAIL\n");
599 error_yield = FAIL;
600 goto RETURN_ERROR_NOMSG;
601 }
602
603 /* Otherwise we have a problem that doesn't stop further servers from being
604 tried. */
605
606 if (rc != LDAP_SUCCESS)
607 {
608 *errmsg = string_sprintf("failed to bind the LDAP connection to server "
609 "%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc));
610 goto RETURN_ERROR;
611 }
612
613 /* Successful bind */
614
615 lcp->bound = TRUE;
616 lcp->user = (user == NULL)? NULL : string_copy(user);
617 lcp->password = (password == NULL)? NULL : string_copy(password);
618
619 ldap_msgfree(result);
620 result = NULL;
621 }
622
623 /* If we are just checking credentials, return OK. */
624
625 if (search_type == SEARCH_LDAP_AUTH)
626 {
627 DEBUG(D_lookup) debug_printf("Bind succeeded: ldapauth returns OK\n");
628 goto RETURN_OK;
629 }
630
631 /* Before doing the search, set the time and size limits (if given). Here again
632 the different implementations of LDAP have chosen to do things differently. */
633
634 #if defined(LDAP_OPT_SIZELIMIT)
635 ldap_set_option(lcp->ld, LDAP_OPT_SIZELIMIT, (void *)&sizelimit);
636 ldap_set_option(lcp->ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit);
637 #else
638 lcp->ld->ld_sizelimit = sizelimit;
639 lcp->ld->ld_timelimit = timelimit;
640 #endif
641
642 /* Similarly for dereferencing aliases. Don't know if this is possible on
643 an LDAP library without LDAP_OPT_DEREF. */
644
645 #if defined(LDAP_OPT_DEREF)
646 ldap_set_option(lcp->ld, LDAP_OPT_DEREF, (void *)&dereference);
647 #endif
648
649 /* Similarly for the referral setting; should the library follow referrals that
650 the LDAP server returns? The conditional is just in case someone uses a library
651 without it. */
652
653 #if defined(LDAP_OPT_REFERRALS)
654 ldap_set_option(lcp->ld, LDAP_OPT_REFERRALS, referrals);
655 #endif
656
657 /* Start the search on the server. */
658
659 DEBUG(D_lookup) debug_printf("Start search\n");
660
661 msgid = ldap_search(lcp->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter,
662 ludp->lud_attrs, 0);
663
664 if (msgid == -1)
665 {
666 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
667 int err;
668 ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
669 *errmsg = string_sprintf("ldap_search failed: %d, %s", err,
670 ldap_err2string(err));
671
672 #else
673 *errmsg = string_sprintf("ldap_search failed");
674 #endif
675
676 goto RETURN_ERROR;
677 }
678
679 /* Loop to pick up results as they come in, setting a timeout if one was
680 given. */
681
682 while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
683 LDAP_RES_SEARCH_ENTRY)
684 {
685 LDAPMessage *e;
686
687 DEBUG(D_lookup) debug_printf("ldap_result loop\n");
688
689 for(e = ldap_first_entry(lcp->ld, result);
690 e != NULL;
691 e = ldap_next_entry(lcp->ld, e))
692 {
693 uschar *new_dn;
694 BOOL insert_space = FALSE;
695
696 DEBUG(D_lookup) debug_printf("LDAP entry loop\n");
697
698 rescount++; /* Count results */
699
700 /* Results for multiple entries values are separated by newlines. */
701
702 if (data != NULL) data = string_cat(data, &size, &ptr, US"\n", 1);
703
704 /* Get the DN from the last result. */
705
706 new_dn = US ldap_get_dn(lcp->ld, e);
707 if (new_dn != NULL)
708 {
709 if (dn != NULL)
710 {
711 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
712 ldap_memfree(dn);
713 #else /* OPENLDAP 1, UMich, Solaris */
714 free(dn);
715 #endif
716 }
717 /* Save for later */
718 dn = new_dn;
719 }
720
721 /* If the data we want is actually the DN rather than any attribute values,
722 (an "ldapdn" search) add it to the data string. If there are multiple
723 entries, the DNs will be concatenated, but we test for this case below, as
724 for SEARCH_LDAP_SINGLE, and give an error. */
725
726 if (search_type == SEARCH_LDAP_DN) /* Do not amalgamate these into one */
727 { /* condition, because of the else */
728 if (new_dn != NULL) /* below, that's for the first only */
729 {
730 data = string_cat(data, &size, &ptr, new_dn, Ustrlen(new_dn));
731 data[ptr] = 0;
732 attribute_found = TRUE;
733 }
734 }
735
736 /* Otherwise, loop through the entry, grabbing attribute values. If there's
737 only one attribute being retrieved, no attribute name is given, and the
738 result is not quoted. Multiple values are separated by (comma, space).
739 If more than one attribute is being retrieved, the data is given as a
740 sequence of name=value pairs, with the value always in quotes. If there are
741 multiple values, they are given within the quotes, comma separated. */
742
743 else for (attr = US ldap_first_attribute(lcp->ld, e, &ber);
744 attr != NULL;
745 attr = US ldap_next_attribute(lcp->ld, e, ber))
746 {
747 if (attr[0] != 0)
748 {
749 /* Get array of values for this attribute. */
750
751 if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr))
752 != NULL)
753 {
754 if (attr_count != 1)
755 {
756 if (insert_space)
757 data = string_cat(data, &size, &ptr, US" ", 1);
758 else
759 insert_space = TRUE;
760 data = string_cat(data, &size, &ptr, attr, Ustrlen(attr));
761 data = string_cat(data, &size, &ptr, US"=\"", 2);
762 }
763
764 while (*values != NULL)
765 {
766 uschar *value = *values;
767 int len = Ustrlen(value);
768
769 DEBUG(D_lookup) debug_printf("LDAP attr loop %s:%s\n", attr, value);
770
771 if (values != firstval)
772 data = string_cat(data, &size, &ptr, US",", 1);
773
774 /* For multiple attributes, the data is in quotes. We must escape
775 internal quotes, backslashes, newlines, and must double commas. */
776
777 if (attr_count != 1)
778 {
779 int j;
780 for (j = 0; j < len; j++)
781 {
782 if (value[j] == '\n')
783 data = string_cat(data, &size, &ptr, US"\\n", 2);
784 else if (value[j] == ',')
785 data = string_cat(data, &size, &ptr, US",,", 2);
786 else
787 {
788 if (value[j] == '\"' || value[j] == '\\')
789 data = string_cat(data, &size, &ptr, US"\\", 1);
790 data = string_cat(data, &size, &ptr, value+j, 1);
791 }
792 }
793 }
794
795 /* For single attributes, just double commas */
796
797 else
798 {
799 int j;
800 for (j = 0; j < len; j++)
801 {
802 if (value[j] == ',')
803 data = string_cat(data, &size, &ptr, US",,", 2);
804 else
805 data = string_cat(data, &size, &ptr, value+j, 1);
806 }
807 }
808
809
810 /* Move on to the next value */
811
812 values++;
813 attribute_found = TRUE;
814 }
815
816 /* Closing quote at the end of the data for a named attribute. */
817
818 if (attr_count != 1)
819 data = string_cat(data, &size, &ptr, US"\"", 1);
820
821 /* Free the values */
822
823 ldap_value_free(CSS firstval);
824 }
825 }
826
827 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
828
829 /* Netscape and OpenLDAP2 LDAP's attrs are dynamically allocated and need
830 to be freed. UMich LDAP stores them in static storage and does not require
831 this. */
832
833 ldap_memfree(attr);
834 #endif
835 } /* End "for" loop for extracting attributes from an entry */
836 } /* End "for" loop for extracting entries from a result */
837
838 /* Free the result */
839
840 ldap_msgfree(result);
841 result = NULL;
842 } /* End "while" loop for multiple results */
843
844 /* Terminate the dynamic string that we have built and reclaim unused store */
845
846 if (data != NULL)
847 {
848 data[ptr] = 0;
849 store_reset(data + ptr + 1);
850 }
851
852 /* Copy the last dn into eldap_dn */
853
854 if (dn != NULL)
855 {
856 eldap_dn = string_copy(dn);
857 #if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
858 ldap_memfree(dn);
859 #else /* OPENLDAP 1, UMich, Solaris */
860 free(dn);
861 #endif
862 }
863
864 DEBUG(D_lookup) debug_printf("search ended by ldap_result yielding %d\n",rc);
865
866 if (rc == 0)
867 {
868 *errmsg = US"ldap_result timed out";
869 goto RETURN_ERROR;
870 }
871
872 /* A return code of -1 seems to mean "ldap_result failed internally or couldn't
873 provide you with a message". Other error states seem to exist where
874 ldap_result() didn't give us any message from the server at all, leaving result
875 set to NULL. Apparently, "the error parameters of the LDAP session handle will
876 be set accordingly". That's the best we can do to retrieve an error status; we
877 can't use functions like ldap_result2error because they parse a message from
878 the server, which we didn't get.
879
880 Annoyingly, the different implementations of LDAP have gone for different
881 methods of handling error codes and generating error messages. */
882
883 if (rc == -1 || result == NULL)
884 {
885 int err;
886 DEBUG(D_lookup) debug_printf("ldap_result failed\n");
887
888 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
889 ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
890 *errmsg = string_sprintf("ldap_result failed: %d, %s",
891 err, ldap_err2string(err));
892
893 #elif defined LDAP_LIB_NETSCAPE
894 /* Dubious (surely 'matched' is spurious here?) */
895 (void)ldap_get_lderrno(lcp->ld, &matched, &error1);
896 *errmsg = string_sprintf("ldap_result failed: %s (%s)", error1, matched);
897
898 #else /* UMich LDAP aka OpenLDAP 1.x */
899 *errmsg = string_sprintf("ldap_result failed: %d, %s",
900 lcp->ld->ld_errno, ldap_err2string(lcp->ld->ld_errno));
901 #endif
902
903 goto RETURN_ERROR;
904 }
905
906 /* A return code that isn't -1 doesn't necessarily mean there were no problems
907 with the search. The message must be an LDAP_RES_SEARCH_RESULT or
908 LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
909 of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
910 we don't provide that functionality when we can't. :-) */
911
912 if (rc != LDAP_RES_SEARCH_RESULT
913 #ifdef LDAP_RES_SEARCH_REFERENCE
914 && rc != LDAP_RES_SEARCH_REFERENCE
915 #endif
916 )
917 {
918 *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
919 goto RETURN_ERROR;
920 }
921
922 /* We have a result message from the server. This doesn't yet mean all is well.
923 We need to parse the message to find out exactly what's happened. */
924
925 #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
926 ldap_rc = rc;
927 ldap_parse_rc = ldap_parse_result(lcp->ld, result, &rc, CSS &matched,
928 CSS &error2, NULL, NULL, 0);
929 DEBUG(D_lookup) debug_printf("ldap_parse_result: %d\n", ldap_parse_rc);
930 if (ldap_parse_rc < 0 &&
931 (ldap_parse_rc != LDAP_NO_RESULTS_RETURNED
932 #ifdef LDAP_RES_SEARCH_REFERENCE
933 || ldap_rc != LDAP_RES_SEARCH_REFERENCE
934 #endif
935 ))
936 {
937 *errmsg = string_sprintf("ldap_parse_result failed %d", ldap_parse_rc);
938 goto RETURN_ERROR;
939 }
940 error1 = US ldap_err2string(rc);
941
942 #elif defined LDAP_LIB_NETSCAPE
943 /* Dubious (it doesn't reference 'result' at all!) */
944 rc = ldap_get_lderrno(lcp->ld, &matched, &error1);
945
946 #else /* UMich LDAP aka OpenLDAP 1.x */
947 rc = ldap_result2error(lcp->ld, result, 0);
948 error1 = ldap_err2string(rc);
949 error2 = lcp->ld->ld_error;
950 matched = lcp->ld->ld_matched;
951 #endif
952
953 /* Process the status as follows:
954
955 (1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the
956 truncated result list.
957
958 (2) If we get LDAP_RES_SEARCH_REFERENCE, also just carry on. This was a
959 submitted patch that is reported to "do the right thing" with Solaris
960 LDAP libraries. (The problem it addresses apparently does not occur with
961 Open LDAP.)
962
963 (3) The range of errors defined by LDAP_NAME_ERROR generally mean "that
964 object does not, or cannot, exist in the database". For those cases we
965 fail the lookup.
966
967 (4) All other non-successes here are treated as some kind of problem with
968 the lookup, so return DEFER (which is the default in error_yield).
969 */
970
971 DEBUG(D_lookup) debug_printf("ldap_parse_result yielded %d: %s\n",
972 rc, ldap_err2string(rc));
973
974 if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED
975 #ifdef LDAP_RES_SEARCH_REFERENCE
976 && rc != LDAP_RES_SEARCH_REFERENCE
977 #endif
978 )
979 {
980 *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
981 rc,
982 (error1 != NULL)? error1 : US"",
983 (error2 != NULL && error2[0] != 0)? US"/" : US"",
984 (error2 != NULL)? error2 : US"",
985 (matched != NULL && matched[0] != 0)? US"/" : US"",
986 (matched != NULL)? matched : US"");
987
988 #if defined LDAP_NAME_ERROR
989 if (LDAP_NAME_ERROR(rc))
990 #elif defined NAME_ERROR /* OPENLDAP1 calls it this */
991 if (NAME_ERROR(rc))
992 #else
993 if (rc == LDAP_NO_SUCH_OBJECT)
994 #endif
995
996 {
997 DEBUG(D_lookup) debug_printf("lookup failure forced\n");
998 error_yield = FAIL;
999 }
1000 goto RETURN_ERROR;
1001 }
1002
1003 /* The search succeeded. Check if we have too many results */
1004
1005 if (search_type != SEARCH_LDAP_MULTIPLE && rescount > 1)
1006 {
1007 *errmsg = string_sprintf("LDAP search: more than one entry (%d) was returned "
1008 "(filter not specific enough?)", rescount);
1009 goto RETURN_ERROR_BREAK;
1010 }
1011
1012 /* Check if we have too few (zero) entries */
1013
1014 if (rescount < 1)
1015 {
1016 *errmsg = string_sprintf("LDAP search: no results");
1017 error_yield = FAIL;
1018 goto RETURN_ERROR_BREAK;
1019 }
1020
1021 /* If an entry was found, but it had no attributes, we behave as if no entries
1022 were found, that is, the lookup failed. */
1023
1024 if (!attribute_found)
1025 {
1026 *errmsg = US"LDAP search: found no attributes";
1027 error_yield = FAIL;
1028 goto RETURN_ERROR;
1029 }
1030
1031 /* Otherwise, it's all worked */
1032
1033 DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data);
1034 *res = data;
1035
1036 RETURN_OK:
1037 if (result != NULL) ldap_msgfree(result);
1038 ldap_free_urldesc(ludp);
1039 return OK;
1040
1041 /* Error returns */
1042
1043 RETURN_ERROR_BREAK:
1044 *defer_break = TRUE;
1045
1046 RETURN_ERROR:
1047 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1048
1049 RETURN_ERROR_NOMSG:
1050 if (result != NULL) ldap_msgfree(result);
1051 if (ludp != NULL) ldap_free_urldesc(ludp);
1052
1053 #if defined LDAP_LIB_OPENLDAP2
1054 if (error2 != NULL) ldap_memfree(error2);
1055 if (matched != NULL) ldap_memfree(matched);
1056 #endif
1057
1058 return error_yield;
1059 }
1060
1061
1062
1063 /*************************************************
1064 * Internal search control function *
1065 *************************************************/
1066
1067 /* This function is called from eldap_find(), eldapauth_find(), eldapdn_find(),
1068 and eldapm_find() with a difference in the "search_type" argument. It controls
1069 calls to perform_ldap_search() which actually does the work. We call that
1070 repeatedly for certain types of defer in the case when the URL contains no host
1071 name and eldap_default_servers is set to a list of servers to try. This gives
1072 more control than just passing over a list of hosts to ldap_open() because it
1073 handles other kinds of defer as well as just a failure to open. Note that the
1074 URL is defined to contain either zero or one "hostport" only.
1075
1076 Parameter data in addition to the URL can be passed as preceding text in the
1077 string, as items of the form XXX=yyy. The URL itself can be detected because it
1078 must begin "ldapx://", where x is empty, s, or i.
1079
1080 Arguments:
1081 ldap_url the URL to be looked up, optionally preceded by other parameter
1082 settings
1083 search_type SEARCH_LDAP_MULTIPLE allows values from multiple entries
1084 SEARCH_LDAP_SINGLE allows values from one entry only
1085 SEARCH_LDAP_DN gets the DN from one entry
1086 res set to point at the result
1087 errmsg set to point a message if result is not OK
1088
1089 Returns: OK or FAIL or DEFER
1090 */
1091
1092 static int
1093 control_ldap_search(uschar *ldap_url, int search_type, uschar **res,
1094 uschar **errmsg)
1095 {
1096 BOOL defer_break = FALSE;
1097 int timelimit = LDAP_NO_LIMIT;
1098 int sizelimit = LDAP_NO_LIMIT;
1099 int tcplimit = 0;
1100 int sep = 0;
1101 int dereference = LDAP_DEREF_NEVER;
1102 void* referrals = LDAP_OPT_ON;
1103 uschar *url = ldap_url;
1104 uschar *p;
1105 uschar *user = NULL;
1106 uschar *password = NULL;
1107 uschar *server, *list;
1108 uschar buffer[512];
1109
1110 while (isspace(*url)) url++;
1111
1112 /* Until the string begins "ldap", search for the other parameter settings that
1113 are recognized. They are of the form NAME=VALUE, with the value being
1114 optionally double-quoted. There must still be a space after it, however. No
1115 NAME has the value "ldap". */
1116
1117 while (strncmpic(url, US"ldap", 4) != 0)
1118 {
1119 uschar *name = url;
1120 while (*url != 0 && *url != '=') url++;
1121 if (*url == '=')
1122 {
1123 int namelen;
1124 uschar *value;
1125 namelen = ++url - name;
1126 value = string_dequote(&url);
1127 if (isspace(*url))
1128 {
1129 if (strncmpic(name, US"USER=", namelen) == 0) user = value;
1130 else if (strncmpic(name, US"PASS=", namelen) == 0) password = value;
1131 else if (strncmpic(name, US"SIZE=", namelen) == 0) sizelimit = Uatoi(value);
1132 else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
1133 else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
1134 else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
1135
1136 /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
1137
1138 #ifdef LDAP_OPT_DEREF
1139 else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
1140 {
1141 if (strcmpic(value, US"never") == 0) dereference = LDAP_DEREF_NEVER;
1142 else if (strcmpic(value, US"searching") == 0)
1143 dereference = LDAP_DEREF_SEARCHING;
1144 else if (strcmpic(value, US"finding") == 0)
1145 dereference = LDAP_DEREF_FINDING;
1146 if (strcmpic(value, US"always") == 0) dereference = LDAP_DEREF_ALWAYS;
1147 }
1148 #else
1149 else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
1150 {
1151 *errmsg = string_sprintf("LDAP_OP_DEREF not defined in this LDAP "
1152 "library - cannot use \"dereference\"");
1153 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1154 return DEFER;
1155 }
1156 #endif
1157
1158 #ifdef LDAP_OPT_REFERRALS
1159 else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
1160 {
1161 if (strcmpic(value, US"follow") == 0) referrals = LDAP_OPT_ON;
1162 else if (strcmpic(value, US"nofollow") == 0) referrals = LDAP_OPT_OFF;
1163 else
1164 {
1165 *errmsg = string_sprintf("LDAP option REFERRALS is not \"follow\" "
1166 "or \"nofollow\"");
1167 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1168 return DEFER;
1169 }
1170 }
1171 #else
1172 else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
1173 {
1174 *errmsg = string_sprintf("LDAP_OP_REFERRALS not defined in this LDAP "
1175 "library - cannot use \"referrals\"");
1176 DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
1177 return DEFER;
1178 }
1179 #endif
1180
1181 else
1182 {
1183 *errmsg =
1184 string_sprintf("unknown parameter \"%.*s\" precedes LDAP URL",
1185 namelen, name);
1186 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1187 return DEFER;
1188 }
1189 while (isspace(*url)) url++;
1190 continue;
1191 }
1192 }
1193 *errmsg = US"malformed parameter setting precedes LDAP URL";
1194 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1195 return DEFER;
1196 }
1197
1198 /* If user is set, de-URL-quote it. Some LDAP libraries do this for themselves,
1199 but it seems that not all behave like this. The DN for the user is often the
1200 result of ${quote_ldap_dn:...} quoting, which does apply URL quoting, because
1201 that is needed when the DN is used as a base DN in a query. Sigh. This is all
1202 far too complicated. */
1203
1204 if (user != NULL)
1205 {
1206 uschar *s;
1207 uschar *t = user;
1208 for (s = user; *s != 0; s++)
1209 {
1210 int c, d;
1211 if (*s == '%' && isxdigit(c=s[1]) && isxdigit(d=s[2]))
1212 {
1213 c = tolower(c);
1214 d = tolower(d);
1215 *t++ =
1216 (((c >= 'a')? (10 + c - 'a') : c - '0') << 4) |
1217 ((d >= 'a')? (10 + d - 'a') : d - '0');
1218 s += 2;
1219 }
1220 else *t++ = *s;
1221 }
1222 *t = 0;
1223 }
1224
1225 DEBUG(D_lookup)
1226 debug_printf("LDAP parameters: user=%s pass=%s size=%d time=%d connect=%d "
1227 "dereference=%d referrals=%s\n", user, password, sizelimit, timelimit,
1228 tcplimit, dereference, (referrals == LDAP_OPT_ON)? "on" : "off");
1229
1230 /* If the request is just to check authentication, some credentials must
1231 be given. The password must not be empty because LDAP binds with an empty
1232 password are considered anonymous, and will succeed on most installations. */
1233
1234 if (search_type == SEARCH_LDAP_AUTH)
1235 {
1236 if (user == NULL || password == NULL)
1237 {
1238 *errmsg = US"ldapauth lookups must specify the username and password";
1239 return DEFER;
1240 }
1241 if (password[0] == 0)
1242 {
1243 DEBUG(D_lookup) debug_printf("Empty password: ldapauth returns FAIL\n");
1244 return FAIL;
1245 }
1246 }
1247
1248 /* Check for valid ldap url starters */
1249
1250 p = url + 4;
1251 if (tolower(*p) == 's' || tolower(*p) == 'i') p++;
1252 if (Ustrncmp(p, "://", 3) != 0)
1253 {
1254 *errmsg = string_sprintf("LDAP URL does not start with \"ldap://\", "
1255 "\"ldaps://\", or \"ldapi://\" (it starts with \"%.16s...\")", url);
1256 DEBUG(D_lookup) debug_printf("LDAP query error: %s\n", *errmsg);
1257 return DEFER;
1258 }
1259
1260 /* No default servers, or URL contains a server name: just one attempt */
1261
1262 if (eldap_default_servers == NULL || p[3] != '/')
1263 {
1264 return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
1265 &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
1266 referrals);
1267 }
1268
1269 /* Loop through the default servers until OK or FAIL */
1270
1271 list = eldap_default_servers;
1272 while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
1273 {
1274 int rc;
1275 int port = 0;
1276 uschar *colon = Ustrchr(server, ':');
1277 if (colon != NULL)
1278 {
1279 *colon = 0;
1280 port = Uatoi(colon+1);
1281 }
1282 rc = perform_ldap_search(url, server, port, search_type, res, errmsg,
1283 &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
1284 referrals);
1285 if (rc != DEFER || defer_break) return rc;
1286 }
1287
1288 return DEFER;
1289 }
1290
1291
1292
1293 /*************************************************
1294 * Find entry point *
1295 *************************************************/
1296
1297 /* See local README for interface description. The different kinds of search
1298 are handled by a common function, with a flag to differentiate between them.
1299 The handle and filename arguments are not used. */
1300
1301 static int
1302 eldap_find(void *handle, uschar *filename, uschar *ldap_url, int length,
1303 uschar **result, uschar **errmsg, BOOL *do_cache)
1304 {
1305 /* Keep picky compilers happy */
1306 do_cache = do_cache;
1307 return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg));
1308 }
1309
1310 static int
1311 eldapm_find(void *handle, uschar *filename, uschar *ldap_url, int length,
1312 uschar **result, uschar **errmsg, BOOL *do_cache)
1313 {
1314 /* Keep picky compilers happy */
1315 do_cache = do_cache;
1316 return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg));
1317 }
1318
1319 static int
1320 eldapdn_find(void *handle, uschar *filename, uschar *ldap_url, int length,
1321 uschar **result, uschar **errmsg, BOOL *do_cache)
1322 {
1323 /* Keep picky compilers happy */
1324 do_cache = do_cache;
1325 return(control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg));
1326 }
1327
1328 int
1329 eldapauth_find(void *handle, uschar *filename, uschar *ldap_url, int length,
1330 uschar **result, uschar **errmsg, BOOL *do_cache)
1331 {
1332 /* Keep picky compilers happy */
1333 do_cache = do_cache;
1334 return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg));
1335 }
1336
1337
1338
1339 /*************************************************
1340 * Open entry point *
1341 *************************************************/
1342
1343 /* See local README for interface description. */
1344
1345 static void *
1346 eldap_open(uschar *filename, uschar **errmsg)
1347 {
1348 return (void *)(1); /* Just return something non-null */
1349 }
1350
1351
1352
1353 /*************************************************
1354 * Tidy entry point *
1355 *************************************************/
1356
1357 /* See local README for interface description.
1358 Make sure that eldap_dn does not refer to reclaimed or worse, freed store */
1359
1360 static void
1361 eldap_tidy(void)
1362 {
1363 LDAP_CONNECTION *lcp = NULL;
1364 eldap_dn = NULL;
1365
1366 while ((lcp = ldap_connections) != NULL)
1367 {
1368 DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
1369 lcp->port);
1370 ldap_unbind(lcp->ld);
1371 ldap_connections = lcp->next;
1372 }
1373 }
1374
1375
1376
1377 /*************************************************
1378 * Quote entry point *
1379 *************************************************/
1380
1381 /* LDAP quoting is unbelievably messy. For a start, two different levels of
1382 quoting have to be done: LDAP quoting, and URL quoting. The current
1383 specification is the result of a suggestion by Brian Candler. It recognizes
1384 two separate cases:
1385
1386 (1) For text that appears in a search filter, the following escapes are
1387 required (see RFC 2254):
1388
1389 * -> \2A
1390 ( -> \28
1391 ) -> \29
1392 \ -> \5C
1393 NULL -> \00
1394
1395 Then the entire filter text must be URL-escaped. This kind of quoting is
1396 implemented by ${quote_ldap:....}. Note that we can never have a NULL
1397 in the input string, because that's a terminator.
1398
1399 (2) For a DN that is part of a URL (i.e. the base DN), the characters
1400
1401 , + " \ < > ;
1402
1403 must be quoted by backslashing. See RFC 2253. Leading and trailing spaces
1404 must be escaped, as must a leading #. Then the string must be URL-quoted.
1405 This type of quoting is implemented by ${quote_ldap_dn:....}.
1406
1407 For URL quoting, the only characters that need not be quoted are the
1408 alphamerics and
1409
1410 ! $ ' ( ) * + - . _
1411
1412 All the others must be hexified and preceded by %. This includes the
1413 backslashes used for LDAP quoting.
1414
1415 For a DN that is given in the USER parameter for authentication, we need the
1416 same initial quoting as (2) but in this case, the result must NOT be
1417 URL-escaped, because it isn't a URL. The way this is handled is by
1418 de-URL-quoting the text when processing the USER parameter in
1419 control_ldap_search() above. That means that the same quote operator can be
1420 used. This has the additional advantage that spaces in the DN won't cause
1421 parsing problems. For example:
1422
1423 USER=cn=${quote_ldap_dn:$1},%20dc=example,%20dc=com
1424
1425 should be safe if there are spaces in $1.
1426
1427
1428 Arguments:
1429 s the string to be quoted
1430 opt additional option text or NULL if none
1431 only "dn" is recognized
1432
1433 Returns: the processed string or NULL for a bad option
1434 */
1435
1436
1437
1438 /* The characters in this string, together with alphanumerics, never need
1439 quoting in any way. */
1440
1441 #define ALWAYS_LITERAL "!$'-._"
1442
1443 /* The special characters in this string do not need to be URL-quoted. The set
1444 is a bit larger than the general literals. */
1445
1446 #define URL_NONQUOTE ALWAYS_LITERAL "()*+"
1447
1448 /* The following macros define the characters that are quoted by quote_ldap and
1449 quote_ldap_dn, respectively. */
1450
1451 #define LDAP_QUOTE "*()\\"
1452 #define LDAP_DN_QUOTE ",+\"\\<>;"
1453
1454
1455
1456 static uschar *
1457 eldap_quote(uschar *s, uschar *opt)
1458 {
1459 register int c;
1460 int count = 0;
1461 int len = 0;
1462 BOOL dn = FALSE;
1463 uschar *t = s;
1464 uschar *quoted;
1465
1466 /* Test for a DN quotation. */
1467
1468 if (opt != NULL)
1469 {
1470 if (Ustrcmp(opt, "dn") != 0) return NULL; /* No others recognized */
1471 dn = TRUE;
1472 }
1473
1474 /* Compute how much extra store we need for the string. This doesn't have to be
1475 exact as long as it isn't an underestimate. The worst case is the addition of 5
1476 extra bytes for a single character. This occurs for certain characters in DNs,
1477 where, for example, < turns into %5C%3C. For simplicity, we just add 5 for each
1478 possibly escaped character. The really fast way would be just to test for
1479 non-alphanumerics, but it is probably better to spot a few others that are
1480 never escaped, because if there are no specials at all, we can avoid copying
1481 the string. */
1482
1483 while ((c = *t++) != 0)
1484 {
1485 len++;
1486 if (!isalnum(c) && Ustrchr(ALWAYS_LITERAL, c) == NULL) count += 5;
1487 }
1488 if (count == 0) return s;
1489
1490 /* Get sufficient store to hold the quoted string */
1491
1492 t = quoted = store_get(len + count + 1);
1493
1494 /* Handle plain quote_ldap */
1495
1496 if (!dn)
1497 {
1498 while ((c = *s++) != 0)
1499 {
1500 if (!isalnum(c))
1501 {
1502 if (Ustrchr(LDAP_QUOTE, c) != NULL)
1503 {
1504 sprintf(CS t, "%%5C%02X", c); /* e.g. * => %5C2A */
1505 t += 5;
1506 continue;
1507 }
1508 if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */
1509 {
1510 sprintf(CS t, "%%%02X", c);
1511 t += 3;
1512 continue;
1513 }
1514 }
1515 *t++ = c; /* unquoted character */
1516 }
1517 }
1518
1519 /* Handle quote_ldap_dn */
1520
1521 else
1522 {
1523 uschar *ss = s + len;
1524
1525 /* Find the last char before any trailing spaces */
1526
1527 while (ss > s && ss[-1] == ' ') ss--;
1528
1529 /* Quote leading spaces and sharps */
1530
1531 for (; s < ss; s++)
1532 {
1533 if (*s != ' ' && *s != '#') break;
1534 sprintf(CS t, "%%5C%%%02X", *s);
1535 t += 6;
1536 }
1537
1538 /* Handle the rest of the string, up to the trailing spaces */
1539
1540 while (s < ss)
1541 {
1542 c = *s++;
1543 if (!isalnum(c))
1544 {
1545 if (Ustrchr(LDAP_DN_QUOTE, c) != NULL)
1546 {
1547 Ustrncpy(t, "%5C", 3); /* insert \ where needed */
1548 t += 3; /* fall through to check URL */
1549 }
1550 if (Ustrchr(URL_NONQUOTE, c) == NULL) /* e.g. ] => %5D */
1551 {
1552 sprintf(CS t, "%%%02X", c);
1553 t += 3;
1554 continue;
1555 }
1556 }
1557 *t++ = c; /* unquoted character, or non-URL quoted after %5C */
1558 }
1559
1560 /* Handle the trailing spaces */
1561
1562 while (*ss++ != 0)
1563 {
1564 Ustrncpy(t, "%5C%20", 6);
1565 t += 6;
1566 }
1567 }
1568
1569 /* Terminate the new string and return */
1570
1571 *t = 0;
1572 return quoted;
1573 }
1574
1575
1576
1577 /*************************************************
1578 * Version reporting entry point *
1579 *************************************************/
1580
1581 /* See local README for interface description. */
1582
1583 #include "../version.h"
1584
1585 void
1586 ldap_version_report(FILE *f)
1587 {
1588 #ifdef DYNLOOKUP
1589 fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
1590 #endif
1591 }
1592
1593
1594 static lookup_info ldap_lookup_info = {
1595 US"ldap", /* lookup name */
1596 lookup_querystyle, /* query-style lookup */
1597 eldap_open, /* open function */
1598 NULL, /* check function */
1599 eldap_find, /* find function */
1600 NULL, /* no close function */
1601 eldap_tidy, /* tidy function */
1602 eldap_quote, /* quoting function */
1603 ldap_version_report /* version reporting */
1604 };
1605
1606 static lookup_info ldapdn_lookup_info = {
1607 US"ldapdn", /* lookup name */
1608 lookup_querystyle, /* query-style lookup */
1609 eldap_open, /* sic */ /* open function */
1610 NULL, /* check function */
1611 eldapdn_find, /* find function */
1612 NULL, /* no close function */
1613 eldap_tidy, /* sic */ /* tidy function */
1614 eldap_quote, /* sic */ /* quoting function */
1615 NULL /* no version reporting (redundant) */
1616 };
1617
1618 static lookup_info ldapm_lookup_info = {
1619 US"ldapm", /* lookup name */
1620 lookup_querystyle, /* query-style lookup */
1621 eldap_open, /* sic */ /* open function */
1622 NULL, /* check function */
1623 eldapm_find, /* find function */
1624 NULL, /* no close function */
1625 eldap_tidy, /* sic */ /* tidy function */
1626 eldap_quote, /* sic */ /* quoting function */
1627 NULL /* no version reporting (redundant) */
1628 };
1629
1630 #ifdef DYNLOOKUP
1631 #define ldap_lookup_module_info _lookup_module_info
1632 #endif
1633
1634 static lookup_info *_lookup_list[] = { &ldap_lookup_info, &ldapdn_lookup_info, &ldapm_lookup_info };
1635 lookup_module_info ldap_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
1636
1637 /* End of lookups/ldap.c */
Unnamed repository; edit this file 'description' to name the repository.