1 /*
2 * mod_authn_ldap - HTTP Auth LDAP backend
3 *
4 * Fully-rewritten from original
5 * Copyright(c) 2016 Glenn Strauss gstrauss()gluelogic.com All rights reserved
6 * License: BSD 3-clause (same as lighttpd)
7 */
8 #include "first.h"
9
10 #include <stdlib.h>
11 #include <string.h>
12
13 #include <ldap.h>
14
15 #include "mod_auth_api.h"
16 #include "base.h"
17 #include "log.h"
18 #include "plugin.h"
19
20 typedef struct {
21 LDAP *ldap;
22 log_error_st *errh;
23 const char *auth_ldap_hostname;
24 const char *auth_ldap_binddn;
25 const char *auth_ldap_bindpw;
26 const char *auth_ldap_cafile;
27 int auth_ldap_starttls;
28 struct timeval auth_ldap_timeout;
29 } plugin_config_ldap;
30
31 typedef struct {
32 plugin_config_ldap *ldc;
33 const char *auth_ldap_basedn;
34 const buffer *auth_ldap_filter;
35 const buffer *auth_ldap_groupmember;
36 int auth_ldap_allow_empty_pw;
37
38 int auth_ldap_starttls;
39 const char *auth_ldap_binddn;
40 const char *auth_ldap_bindpw;
41 const char *auth_ldap_cafile;
42 } plugin_config;
43
44 typedef struct {
45 PLUGIN_DATA;
46 plugin_config defaults;
47 plugin_config conf;
48
49 buffer ldap_filter;
50 } plugin_data;
51
52 static const char *default_cafile;
53
54 static handler_t mod_authn_ldap_basic(request_st * const r, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
55
INIT_FUNC(mod_authn_ldap_init)56 INIT_FUNC(mod_authn_ldap_init) {
57 static http_auth_backend_t http_auth_backend_ldap =
58 { "ldap", mod_authn_ldap_basic, NULL, NULL };
59 plugin_data *p = calloc(1, sizeof(*p));
60
61 /* register http_auth_backend_ldap */
62 http_auth_backend_ldap.p_d = p;
63 http_auth_backend_set(&http_auth_backend_ldap);
64
65 return p;
66 }
67
FREE_FUNC(mod_authn_ldap_free)68 FREE_FUNC(mod_authn_ldap_free) {
69 plugin_data * const p = p_d;
70 if (NULL == p->cvlist) return;
71 /* (init i to 0 if global context; to 1 to skip empty global context) */
72 for (int i = !p->cvlist[0].v.u2[1], used = p->nconfig; i < used; ++i) {
73 config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
74 for (; -1 != cpv->k_id; ++cpv) {
75 switch (cpv->k_id) {
76 case 0: /* auth.backend.ldap.hostname */
77 if (cpv->vtype == T_CONFIG_LOCAL) {
78 plugin_config_ldap *s = cpv->v.v;
79 if (NULL != s->ldap) ldap_unbind_ext_s(s->ldap, NULL, NULL);
80 free(s);
81 }
82 break;
83 default:
84 break;
85 }
86 }
87 }
88
89 free(p->ldap_filter.ptr);
90 default_cafile = NULL;
91 }
92
mod_authn_ldap_merge_config_cpv(plugin_config * const pconf,const config_plugin_value_t * const cpv)93 static void mod_authn_ldap_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
94 switch (cpv->k_id) { /* index into static config_plugin_keys_t cpk[] */
95 case 0: /* auth.backend.ldap.hostname */
96 if (cpv->vtype == T_CONFIG_LOCAL)
97 pconf->ldc = cpv->v.v;
98 break;
99 case 1: /* auth.backend.ldap.base-dn */
100 if (cpv->vtype == T_CONFIG_LOCAL)
101 pconf->auth_ldap_basedn = cpv->v.v;
102 break;
103 case 2: /* auth.backend.ldap.filter */
104 pconf->auth_ldap_filter = cpv->v.v;
105 break;
106 case 3: /* auth.backend.ldap.ca-file */
107 pconf->auth_ldap_cafile = cpv->v.v;
108 break;
109 case 4: /* auth.backend.ldap.starttls */
110 pconf->auth_ldap_starttls = (int)cpv->v.u;
111 break;
112 case 5: /* auth.backend.ldap.bind-dn */
113 pconf->auth_ldap_binddn = cpv->v.v;
114 break;
115 case 6: /* auth.backend.ldap.bind-pw */
116 pconf->auth_ldap_bindpw = cpv->v.v;
117 break;
118 case 7: /* auth.backend.ldap.allow-empty-pw */
119 pconf->auth_ldap_allow_empty_pw = (int)cpv->v.u;
120 break;
121 case 8: /* auth.backend.ldap.groupmember */
122 pconf->auth_ldap_groupmember = cpv->v.b;
123 break;
124 case 9: /* auth.backend.ldap.timeout */
125 /*(not implemented as any-scope override;
126 * supported in same scope as auth.backend.ldap.hostname)*/
127 /*pconf->auth_ldap_timeout = cpv->v.b;*/
128 break;
129 default:/* should not happen */
130 return;
131 }
132 }
133
mod_authn_ldap_merge_config(plugin_config * const pconf,const config_plugin_value_t * cpv)134 static void mod_authn_ldap_merge_config(plugin_config * const pconf, const config_plugin_value_t *cpv) {
135 do {
136 mod_authn_ldap_merge_config_cpv(pconf, cpv);
137 } while ((++cpv)->k_id != -1);
138 }
139
mod_authn_ldap_patch_config(request_st * const r,plugin_data * const p)140 static void mod_authn_ldap_patch_config(request_st * const r, plugin_data * const p) {
141 memcpy(&p->conf, &p->defaults, sizeof(plugin_config));
142 for (int i = 1, used = p->nconfig; i < used; ++i) {
143 if (config_check_cond(r, (uint32_t)p->cvlist[i].k_id))
144 mod_authn_ldap_merge_config(&p->conf,
145 p->cvlist + p->cvlist[i].v.u2[0]);
146 }
147 }
148
149 /*(copied from mod_vhostdb_ldap.c)*/
mod_authn_add_scheme(server * srv,buffer * host)150 static void mod_authn_add_scheme (server *srv, buffer *host)
151 {
152 if (!buffer_is_blank(host)) {
153 /* reformat hostname(s) as LDAP URIs (scheme://host:port) */
154 static const char *schemes[] = {
155 "ldap://", "ldaps://", "ldapi://", "cldap://"
156 };
157 char *b, *e = host->ptr;
158 buffer * const tb = srv->tmp_buf;
159 buffer_clear(tb);
160 while (*(b = e)) {
161 unsigned int j;
162 while (*b==' '||*b=='\t'||*b=='\r'||*b=='\n'||*b==',') ++b;
163 if (*b == '\0') break;
164 e = b;
165 while (*e!=' '&&*e!='\t'&&*e!='\r'&&*e!='\n'&&*e!=','&&*e!='\0')
166 ++e;
167 if (!buffer_is_blank(tb))
168 buffer_append_string_len(tb, CONST_STR_LEN(","));
169 for (j = 0; j < sizeof(schemes)/sizeof(char *); ++j) {
170 if (buffer_eq_icase_ssn(b, schemes[j], strlen(schemes[j]))) {
171 break;
172 }
173 }
174 if (j == sizeof(schemes)/sizeof(char *))
175 buffer_append_string_len(tb, CONST_STR_LEN("ldap://"));
176 buffer_append_string_len(tb, b, (size_t)(e - b));
177 }
178 buffer_copy_buffer(host, tb);
179 }
180 }
181
182 __attribute_cold__
183 static void mod_authn_ldap_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, int err);
184
SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults)185 SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
186 static const config_plugin_keys_t cpk[] = {
187 { CONST_STR_LEN("auth.backend.ldap.hostname"),
188 T_CONFIG_STRING,
189 T_CONFIG_SCOPE_CONNECTION }
190 ,{ CONST_STR_LEN("auth.backend.ldap.base-dn"),
191 T_CONFIG_STRING,
192 T_CONFIG_SCOPE_CONNECTION }
193 ,{ CONST_STR_LEN("auth.backend.ldap.filter"),
194 T_CONFIG_STRING,
195 T_CONFIG_SCOPE_CONNECTION }
196 ,{ CONST_STR_LEN("auth.backend.ldap.ca-file"),
197 T_CONFIG_STRING,
198 T_CONFIG_SCOPE_CONNECTION }
199 ,{ CONST_STR_LEN("auth.backend.ldap.starttls"),
200 T_CONFIG_BOOL,
201 T_CONFIG_SCOPE_CONNECTION }
202 ,{ CONST_STR_LEN("auth.backend.ldap.bind-dn"),
203 T_CONFIG_STRING,
204 T_CONFIG_SCOPE_CONNECTION }
205 ,{ CONST_STR_LEN("auth.backend.ldap.bind-pw"),
206 T_CONFIG_STRING,
207 T_CONFIG_SCOPE_CONNECTION }
208 ,{ CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"),
209 T_CONFIG_BOOL,
210 T_CONFIG_SCOPE_CONNECTION }
211 ,{ CONST_STR_LEN("auth.backend.ldap.groupmember"),
212 T_CONFIG_STRING,
213 T_CONFIG_SCOPE_CONNECTION }
214 ,{ CONST_STR_LEN("auth.backend.ldap.timeout"),
215 T_CONFIG_STRING,
216 T_CONFIG_SCOPE_CONNECTION }
217 ,{ NULL, 0,
218 T_CONFIG_UNSET,
219 T_CONFIG_SCOPE_UNSET }
220 };
221
222 plugin_data * const p = p_d;
223 if (!config_plugin_values_init(srv, p, cpk, "mod_authn_ldap"))
224 return HANDLER_ERROR;
225
226 /* process and validate config directives
227 * (init i to 0 if global context; to 1 to skip empty global context) */
228 for (int i = !p->cvlist[0].v.u2[1]; i < p->nconfig; ++i) {
229 config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
230 plugin_config_ldap *ldc = NULL;
231 char *binddn = NULL, *bindpw = NULL, *cafile = NULL;
232 int starttls = 0;
233 long timeout = 2000000; /* set 2 sec default timeout (not infinite) */
234 for (; -1 != cpv->k_id; ++cpv) {
235 switch (cpv->k_id) {
236 case 0: /* auth.backend.ldap.hostname */
237 if (!buffer_is_blank(cpv->v.b)) {
238 buffer *b;
239 *(const buffer **)&b = cpv->v.b;
240 mod_authn_add_scheme(srv, b);
241 ldc = calloc(1, sizeof(plugin_config_ldap));
242 force_assert(ldc);
243 ldc->errh = srv->errh;
244 ldc->auth_ldap_hostname = b->ptr;
245 cpv->v.v = ldc;
246 }
247 else {
248 cpv->v.v = NULL;
249 }
250 cpv->vtype = T_CONFIG_LOCAL;
251 break;
252 case 1: /* auth.backend.ldap.base-dn */
253 cpv->vtype = T_CONFIG_LOCAL;
254 cpv->v.v = !buffer_is_blank(cpv->v.b)
255 ? cpv->v.b->ptr
256 : NULL;
257 break;
258 case 2: /* auth.backend.ldap.filter */
259 if (!buffer_is_blank(cpv->v.b)) {
260 buffer *b;
261 *(const buffer **)&b = cpv->v.b;
262 if (*b->ptr != ',') {
263 /*(translate $ to ? for consistency w/ other modules)*/
264 char *d = b->ptr;
265 for (; NULL != (d = strchr(d, '$')); ++d) *d = '?';
266 if (NULL == strchr(b->ptr, '?')) {
267 log_error(srv->errh, __FILE__, __LINE__,
268 "ldap: %s is missing a replace-operator '?'",
269 cpk[cpv->k_id].k);
270 return HANDLER_ERROR;
271 }
272 }
273 cpv->v.v = b;
274 }
275 else {
276 cpv->v.v = NULL;
277 }
278 cpv->vtype = T_CONFIG_LOCAL;
279 break;
280 case 3: /* auth.backend.ldap.ca-file */
281 cafile = !buffer_is_blank(cpv->v.b)
282 ? cpv->v.b->ptr
283 : NULL;
284 cpv->vtype = T_CONFIG_LOCAL;
285 cpv->v.v = cafile;
286 break;
287 case 4: /* auth.backend.ldap.starttls */
288 starttls = (int)cpv->v.u;
289 break;
290 case 5: /* auth.backend.ldap.bind-dn */
291 binddn = !buffer_is_blank(cpv->v.b)
292 ? cpv->v.b->ptr
293 : NULL;
294 cpv->vtype = T_CONFIG_LOCAL;
295 cpv->v.v = binddn;
296 break;
297 case 6: /* auth.backend.ldap.bind-pw */
298 cpv->vtype = T_CONFIG_LOCAL;
299 cpv->v.v = bindpw = cpv->v.b->ptr;
300 break;
301 case 7: /* auth.backend.ldap.allow-empty-pw */
302 break;
303 case 8: /* auth.backend.ldap.groupmember */
304 if (buffer_is_blank(cpv->v.b))
305 cpv->v.b = NULL;
306 break;
307 case 9: /* auth.backend.ldap.timeout */
308 timeout = strtol(cpv->v.b->ptr, NULL, 10);
309 break;
310 default:/* should not happen */
311 break;
312 }
313 }
314
315 if (ldc) {
316 ldc->auth_ldap_binddn = binddn;
317 ldc->auth_ldap_bindpw = bindpw;
318 ldc->auth_ldap_cafile = cafile;
319 ldc->auth_ldap_starttls = starttls;
320 ldc->auth_ldap_timeout.tv_sec = timeout / 1000000;
321 ldc->auth_ldap_timeout.tv_usec = timeout % 1000000;
322 }
323 }
324
325 static const struct { const char *ptr; uint32_t used; uint32_t size; }
326 memberUid = { "memberUid", sizeof("memberUid"), 0 };
327 *(const buffer **)&p->defaults.auth_ldap_groupmember =
328 (const buffer *)&memberUid;
329
330 /* initialize p->defaults from global config context */
331 if (p->nconfig > 0 && p->cvlist->v.u2[1]) {
332 const config_plugin_value_t *cpv = p->cvlist + p->cvlist->v.u2[0];
333 if (-1 != cpv->k_id)
334 mod_authn_ldap_merge_config(&p->defaults, cpv);
335 }
336
337 if (p->defaults.auth_ldap_starttls && p->defaults.auth_ldap_cafile) {
338 const int ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
339 p->defaults.auth_ldap_cafile);
340 if (LDAP_OPT_SUCCESS != ret) {
341 mod_authn_ldap_err(srv->errh, __FILE__, __LINE__,
342 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
343 return HANDLER_ERROR;
344 }
345 default_cafile = p->defaults.auth_ldap_cafile;
346 }
347
348 return HANDLER_GO_ON;
349 }
350
351 __attribute_cold__
mod_authn_ldap_err(log_error_st * errh,const char * file,unsigned long line,const char * fn,int err)352 static void mod_authn_ldap_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, int err)
353 {
354 log_error(errh, file, line, "ldap: %s: %s", fn, ldap_err2string(err));
355 }
356
357 __attribute_cold__
mod_authn_ldap_opt_err(log_error_st * errh,const char * file,unsigned long line,const char * fn,LDAP * ld)358 static void mod_authn_ldap_opt_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, LDAP *ld)
359 {
360 int err;
361 ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err);
362 mod_authn_ldap_err(errh, file, line, fn, err);
363 }
364
mod_authn_append_ldap_dn_escape(buffer * const filter,const buffer * const raw)365 static void mod_authn_append_ldap_dn_escape(buffer * const filter, const buffer * const raw) {
366 /* [RFC4514] 2.4 Converting an AttributeValue from ASN.1 to a String
367 *
368 * https://www.ldap.com/ldap-dns-and-rdns
369 * http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
370 */
371 const char * const b = raw->ptr;
372 const size_t rlen = buffer_clen(raw);
373 if (0 == rlen) return;
374
375 if (b[0] == ' ') { /* || b[0] == '#' handled below for MS Active Directory*/
376 /* escape leading ' ' */
377 buffer_append_string_len(filter, CONST_STR_LEN("\\"));
378 }
379
380 for (size_t i = 0; i < rlen; ++i) {
381 size_t len = i;
382 int bs = 0;
383 do {
384 /* encode all UTF-8 chars with high bit set
385 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
386 if (((unsigned char *)b)[len] > 0x7f)
387 break;
388 switch (b[len]) {
389 default:
390 continue;
391 case '"': case '+': case ',': case ';': case '\\':
392 case '<': case '>':
393 case '=': case '#': /* (for MS Active Directory) */
394 bs = 1;
395 break;
396 case '\0':
397 break;
398 }
399 break;
400 } while (++len < rlen);
401 len -= i;
402
403 if (len) {
404 buffer_append_string_len(filter, b+i, len);
405 if ((i += len) == rlen) break;
406 }
407
408 if (bs) {
409 buffer_append_string_len(filter, CONST_STR_LEN("\\"));
410 buffer_append_string_len(filter, b+i, 1);
411 }
412 else {
413 /* escape NUL ('\0') (and all UTF-8 chars with high bit set) */
414 char *f;
415 f = buffer_extend(filter, 3);
416 f[0] = '\\';
417 f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
418 f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
419 }
420 }
421
422 if (rlen > 1 && b[rlen-1] == ' ') {
423 /* escape trailing ' ' */
424 filter->ptr[buffer_clen(filter)-1] = '\\';
425 buffer_append_string_len(filter, CONST_STR_LEN(" "));
426 }
427 }
428
mod_authn_append_ldap_filter_escape(buffer * const filter,const buffer * const raw)429 static void mod_authn_append_ldap_filter_escape(buffer * const filter, const buffer * const raw) {
430 /* [RFC4515] 3. String Search Filter Definition
431 *
432 * [...]
433 *
434 * The <valueencoding> rule ensures that the entire filter string is a
435 * valid UTF-8 string and provides that the octets that represent the
436 * ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
437 * 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
438 * backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
439 * representing the value of the encoded octet.
440 *
441 * [...]
442 *
443 * As indicated by the <valueencoding> rule, implementations MUST escape
444 * all octets greater than 0x7F that are not part of a valid UTF-8
445 * encoding sequence when they generate a string representation of a
446 * search filter. Implementations SHOULD accept as input strings that
447 * are not valid UTF-8 strings. This is necessary because RFC 2254 did
448 * not clearly define the term "string representation" (and in
449 * particular did not mention that the string representation of an LDAP
450 * search filter is a string of UTF-8-encoded Unicode characters).
451 *
452 *
453 * https://www.ldap.com/ldap-filters
454 * Although not required, you may escape any other characters that you want
455 * in the assertion value (or substring component) of a filter. This may be
456 * accomplished by prefixing the hexadecimal representation of each byte of
457 * the UTF-8 encoding of the character to escape with a backslash character.
458 */
459 const char * const b = raw->ptr;
460 const size_t rlen = buffer_clen(raw);
461 for (size_t i = 0; i < rlen; ++i) {
462 size_t len = i;
463 char *f;
464 do {
465 /* encode all UTF-8 chars with high bit set
466 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
467 if (((unsigned char *)b)[len] > 0x7f)
468 break;
469 switch (b[len]) {
470 default:
471 continue;
472 case '\0': case '(': case ')': case '*': case '\\':
473 break;
474 }
475 break;
476 } while (++len < rlen);
477 len -= i;
478
479 if (len) {
480 buffer_append_string_len(filter, b+i, len);
481 if ((i += len) == rlen) break;
482 }
483
484 /* escape * ( ) \ NUL ('\0') (and all UTF-8 chars with high bit set) */
485 f = buffer_extend(filter, 3);
486 f[0] = '\\';
487 f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
488 f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
489 }
490 }
491
mod_authn_ldap_host_init(log_error_st * errh,plugin_config_ldap * s)492 static LDAP * mod_authn_ldap_host_init(log_error_st *errh, plugin_config_ldap *s) {
493 LDAP *ld;
494 int ret;
495
496 if (NULL == s->auth_ldap_hostname) return NULL;
497
498 if (LDAP_SUCCESS != ldap_initialize(&ld, s->auth_ldap_hostname)) {
499 log_perror(errh, __FILE__, __LINE__, "ldap: ldap_initialize()");
500 return NULL;
501 }
502
503 ret = LDAP_VERSION3;
504 ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ret);
505 if (LDAP_OPT_SUCCESS != ret) {
506 mod_authn_ldap_err(errh, __FILE__, __LINE__, "ldap_set_option()", ret);
507 ldap_destroy(ld);
508 return NULL;
509 }
510
511 /* restart ldap functions if interrupted by a signal, e.g. SIGCHLD */
512 ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
513
514 #ifdef LDAP_OPT_NETWORK_TIMEOUT /* OpenLDAP-specific */
515 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &s->auth_ldap_timeout);
516 #endif
517
518 #ifdef LDAP_OPT_TIMEOUT /* OpenLDAP-specific; OpenLDAP 2.4+ */
519 ldap_set_option(ld, LDAP_OPT_TIMEOUT, &s->auth_ldap_timeout);
520 #endif
521
522 if (s->auth_ldap_starttls) {
523 /* if no CA file is given, it is ok, as we will use encryption
524 * if the server requires a CAfile it will tell us */
525 if (s->auth_ldap_cafile
526 && (!default_cafile
527 || 0 != strcmp(s->auth_ldap_cafile, default_cafile))) {
528 ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
529 s->auth_ldap_cafile);
530 if (LDAP_OPT_SUCCESS != ret) {
531 mod_authn_ldap_err(errh, __FILE__, __LINE__,
532 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)",
533 ret);
534 ldap_destroy(ld);
535 return NULL;
536 }
537 }
538
539 ret = ldap_start_tls_s(ld, NULL, NULL);
540 if (LDAP_OPT_SUCCESS != ret) {
541 mod_authn_ldap_err(errh,__FILE__,__LINE__,"ldap_start_tls_s()",ret);
542 ldap_destroy(ld);
543 return NULL;
544 }
545 }
546
547 return ld;
548 }
549
mod_authn_ldap_bind(log_error_st * errh,LDAP * ld,const char * dn,const char * pw)550 static int mod_authn_ldap_bind(log_error_st *errh, LDAP *ld, const char *dn, const char *pw) {
551 struct berval creds;
552 int ret;
553
554 if (NULL != pw) {
555 *((const char **)&creds.bv_val) = pw; /*(cast away const)*/
556 creds.bv_len = strlen(pw);
557 } else {
558 creds.bv_val = NULL;
559 creds.bv_len = 0;
560 }
561
562 /* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */
563
564 ret = ldap_sasl_bind_s(ld,dn,LDAP_SASL_SIMPLE,&creds,NULL,NULL,NULL);
565 if (ret != LDAP_SUCCESS) {
566 mod_authn_ldap_err(errh, __FILE__, __LINE__, "ldap_sasl_bind_s()", ret);
567 }
568
569 return ret;
570 }
571
mod_authn_ldap_rebind_proc(LDAP * ld,LDAP_CONST char * url,ber_tag_t ldap_request,ber_int_t msgid,void * params)572 static int mod_authn_ldap_rebind_proc (LDAP *ld, LDAP_CONST char *url, ber_tag_t ldap_request, ber_int_t msgid, void *params) {
573 const plugin_config_ldap *s = (const plugin_config_ldap *)params;
574 UNUSED(url);
575 UNUSED(ldap_request);
576 UNUSED(msgid);
577 return s->auth_ldap_binddn
578 ? mod_authn_ldap_bind(s->errh, ld,
579 s->auth_ldap_binddn,
580 s->auth_ldap_bindpw)
581 : mod_authn_ldap_bind(s->errh, ld, NULL, NULL);
582 }
583
mod_authn_ldap_search(log_error_st * errh,plugin_config_ldap * s,const char * base,const char * filter)584 static LDAPMessage * mod_authn_ldap_search(log_error_st *errh, plugin_config_ldap *s, const char *base, const char *filter) {
585 LDAPMessage *lm = NULL;
586 char *attrs[] = { LDAP_NO_ATTRS, NULL };
587 int ret;
588
589 /*
590 * 1. connect anonymously (if not already connected)
591 * (ldap connection is kept open unless connection-level error occurs)
592 * 2. issue search using filter
593 */
594
595 if (s->ldap != NULL) {
596 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
597 attrs, 0, NULL, NULL, NULL, 0, &lm);
598 if (LDAP_SUCCESS == ret) {
599 return lm;
600 } else if (LDAP_SERVER_DOWN != ret) {
601 /* try again (or initial request);
602 * ldap lib sometimes fails for the first call but reconnects */
603 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
604 attrs, 0, NULL, NULL, NULL, 0, &lm);
605 if (LDAP_SUCCESS == ret) {
606 return lm;
607 }
608 }
609
610 ldap_unbind_ext_s(s->ldap, NULL, NULL);
611 }
612
613 s->ldap = mod_authn_ldap_host_init(errh, s);
614 if (NULL == s->ldap) {
615 return NULL;
616 }
617
618 ldap_set_rebind_proc(s->ldap, mod_authn_ldap_rebind_proc, s);
619 ret = mod_authn_ldap_rebind_proc(s->ldap, NULL, 0, 0, s);
620 if (LDAP_SUCCESS != ret) {
621 ldap_destroy(s->ldap);
622 s->ldap = NULL;
623 return NULL;
624 }
625
626 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
627 attrs, 0, NULL, NULL, NULL, 0, &lm);
628 if (LDAP_SUCCESS != ret) {
629 log_error(errh, __FILE__, __LINE__,
630 "ldap: %s; filter: %s", ldap_err2string(ret), filter);
631 ldap_unbind_ext_s(s->ldap, NULL, NULL);
632 s->ldap = NULL;
633 return NULL;
634 }
635
636 return lm;
637 }
638
mod_authn_ldap_get_dn(log_error_st * errh,plugin_config_ldap * s,const char * base,const char * filter)639 static char * mod_authn_ldap_get_dn(log_error_st *errh, plugin_config_ldap *s, const char *base, const char *filter) {
640 LDAP *ld;
641 LDAPMessage *lm, *first;
642 char *dn;
643 int count;
644
645 lm = mod_authn_ldap_search(errh, s, base, filter);
646 if (NULL == lm) {
647 return NULL;
648 }
649
650 ld = s->ldap; /*(must be after mod_authn_ldap_search(); might reconnect)*/
651
652 count = ldap_count_entries(ld, lm);
653 if (0 == count) { /*(no entries found)*/
654 ldap_msgfree(lm);
655 return NULL;
656 } else if (count > 1) {
657 log_error(errh, __FILE__, __LINE__,
658 "ldap: more than one record returned. "
659 "you might have to refine the filter: %s", filter);
660 }
661
662 if (NULL == (first = ldap_first_entry(ld, lm))) {
663 mod_authn_ldap_opt_err(errh,__FILE__,__LINE__,"ldap_first_entry()",ld);
664 ldap_msgfree(lm);
665 return NULL;
666 }
667
668 if (NULL == (dn = ldap_get_dn(ld, first))) {
669 mod_authn_ldap_opt_err(errh,__FILE__,__LINE__,"ldap_get_dn()",ld);
670 ldap_msgfree(lm);
671 return NULL;
672 }
673
674 ldap_msgfree(lm);
675 return dn;
676 }
677
mod_authn_ldap_memberOf(log_error_st * errh,plugin_config * s,const http_auth_require_t * require,const buffer * username,const char * userdn)678 static handler_t mod_authn_ldap_memberOf(log_error_st *errh, plugin_config *s, const http_auth_require_t *require, const buffer *username, const char *userdn) {
679 if (!s->auth_ldap_groupmember) return HANDLER_ERROR;
680 const array *groups = &require->group;
681 buffer *filter = buffer_init();
682 handler_t rc = HANDLER_ERROR;
683
684 buffer_copy_string_len(filter, CONST_STR_LEN("("));
685 buffer_append_string_buffer(filter, s->auth_ldap_groupmember);
686 buffer_append_string_len(filter, CONST_STR_LEN("="));
687 if (buffer_is_equal_string(s->auth_ldap_groupmember,
688 CONST_STR_LEN("member"))) {
689 buffer_append_string(filter, userdn);
690 } else { /*(assume "memberUid"; consider validating in SETDEFAULTS_FUNC)*/
691 mod_authn_append_ldap_filter_escape(filter, username);
692 }
693 buffer_append_string_len(filter, CONST_STR_LEN(")"));
694
695 plugin_config_ldap * const ldc = s->ldc;
696 for (size_t i = 0; i < groups->used; ++i) {
697 const char *base = groups->data[i]->key.ptr;
698 LDAPMessage *lm = mod_authn_ldap_search(errh, ldc, base, filter->ptr);
699 if (NULL != lm) {
700 int count = ldap_count_entries(ldc->ldap, lm);
701 ldap_msgfree(lm);
702 if (count > 0) {
703 rc = HANDLER_GO_ON;
704 break;
705 }
706 }
707 }
708
709 buffer_free(filter);
710 return rc;
711 }
712
mod_authn_ldap_basic(request_st * const r,void * p_d,const http_auth_require_t * const require,const buffer * const username,const char * const pw)713 static handler_t mod_authn_ldap_basic(request_st * const r, void *p_d, const http_auth_require_t * const require, const buffer * const username, const char * const pw) {
714 plugin_data *p = (plugin_data *)p_d;
715 LDAP *ld;
716 char *dn;
717
718 mod_authn_ldap_patch_config(r, p);
719
720 if (pw[0] == '\0' && !p->conf.auth_ldap_allow_empty_pw)
721 return HANDLER_ERROR;
722
723 const buffer * const template = p->conf.auth_ldap_filter;
724 if (NULL == template)
725 return HANDLER_ERROR;
726
727 log_error_st * const errh = r->conf.errh;
728
729 /* build filter to get DN for uid = username */
730 buffer * const ldap_filter = &p->ldap_filter;
731 buffer_clear(ldap_filter);
732 if (*template->ptr == ',') {
733 /* special-case filter template beginning with ',' to be explicit DN */
734 buffer_append_string_len(ldap_filter, CONST_STR_LEN("uid="));
735 mod_authn_append_ldap_dn_escape(ldap_filter, username);
736 buffer_append_string_buffer(ldap_filter, template);
737 dn = ldap_filter->ptr;
738 }
739 else {
740 for (const char *b = template->ptr, *d; *b; b = d+1) {
741 if (NULL != (d = strchr(b, '?'))) {
742 buffer_append_string_len(ldap_filter, b, (size_t)(d - b));
743 mod_authn_append_ldap_filter_escape(ldap_filter, username);
744 }
745 else {
746 d = template->ptr + buffer_clen(template);
747 buffer_append_string_len(ldap_filter, b, (size_t)(d - b));
748 break;
749 }
750 }
751
752 /* ldap_search for DN (synchronous; blocking) */
753 dn = mod_authn_ldap_get_dn(errh, p->conf.ldc,
754 p->conf.auth_ldap_basedn, ldap_filter->ptr);
755 if (NULL == dn) return HANDLER_ERROR;
756 }
757
758 /*(Check ldc here rather than further up to preserve historical behavior
759 * where p->conf.ldc above (was p->anon_conf above) is set of directives in
760 * same context as auth_ldap_hostname. Preference: admin intentions are
761 * clearer if directives are always together in a set in same context)*/
762
763 plugin_config_ldap * const ldc_base = p->conf.ldc;
764 plugin_config_ldap ldc_custom;
765
766 if ( p->conf.ldc->auth_ldap_starttls != p->conf.auth_ldap_starttls
767 || p->conf.ldc->auth_ldap_binddn != p->conf.auth_ldap_binddn
768 || p->conf.ldc->auth_ldap_bindpw != p->conf.auth_ldap_bindpw
769 || p->conf.ldc->auth_ldap_cafile != p->conf.auth_ldap_cafile ) {
770 ldc_custom.ldap = NULL;
771 ldc_custom.errh = errh;
772 ldc_custom.auth_ldap_hostname = ldc_base->auth_ldap_hostname;
773 ldc_custom.auth_ldap_starttls = p->conf.auth_ldap_starttls;
774 ldc_custom.auth_ldap_binddn = p->conf.auth_ldap_binddn;
775 ldc_custom.auth_ldap_bindpw = p->conf.auth_ldap_bindpw;
776 ldc_custom.auth_ldap_cafile = p->conf.auth_ldap_cafile;
777 ldc_custom.auth_ldap_timeout= ldc_base->auth_ldap_timeout;
778 p->conf.ldc = &ldc_custom;
779 }
780
781 handler_t rc = HANDLER_ERROR;
782 do {
783 /* auth against LDAP server (synchronous; blocking) */
784
785 ld = mod_authn_ldap_host_init(errh, p->conf.ldc);
786 if (NULL == ld)
787 break;
788
789 /* Disable referral tracking; target user should be in provided scope */
790 int ret = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
791 if (LDAP_OPT_SUCCESS != ret) {
792 mod_authn_ldap_err(errh,__FILE__,__LINE__,"ldap_set_option()",ret);
793 break;
794 }
795
796 if (LDAP_SUCCESS != mod_authn_ldap_bind(errh, ld, dn, pw))
797 break;
798
799 ldap_unbind_ext_s(ld, NULL, NULL); /* disconnect */
800 ld = NULL;
801
802 if (http_auth_match_rules(require, username->ptr, NULL, NULL)) {
803 rc = HANDLER_GO_ON; /* access granted */
804 }
805 else if (require->group.used) {
806 /*(must not re-use ldap_filter, since it might be used for dn)*/
807 rc = mod_authn_ldap_memberOf(errh,&p->conf,require,username,dn);
808 }
809 } while (0);
810
811 if (NULL != ld) ldap_destroy(ld);
812 if (ldc_base != p->conf.ldc && NULL != p->conf.ldc->ldap)
813 ldap_unbind_ext_s(p->conf.ldc->ldap, NULL, NULL);
814 if (dn != ldap_filter->ptr) ldap_memfree(dn);
815 return rc;
816 }
817
818 int mod_authn_ldap_plugin_init(plugin *p);
mod_authn_ldap_plugin_init(plugin * p)819 int mod_authn_ldap_plugin_init(plugin *p) {
820 p->version = LIGHTTPD_VERSION_ID;
821 p->name = "authn_ldap";
822 p->init = mod_authn_ldap_init;
823 p->set_defaults = mod_authn_ldap_set_defaults;
824 p->cleanup = mod_authn_ldap_free;
825
826 return 0;
827 }
828