1 /* lastbind.c - Record timestamp of the last successful bind to entries */
2 /* $OpenLDAP$ */
3 /*
4 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
9 * Public License.
10 *
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
14 */
15 /* ACKNOWLEDGEMENTS:
16 * This work is loosely derived from the ppolicy overlay.
17 */
18
19 #include "portable.h"
20
21 /*
22 * This file implements an overlay that stores the timestamp of the
23 * last successful bind operation in a directory entry.
24 *
25 * Optimization: to avoid performing a write on each bind,
26 * a precision for this timestamp may be configured, causing it to
27 * only be updated if it is older than a given number of seconds.
28 */
29
30 #ifdef SLAPD_OVER_LASTBIND
31
32 #include <ldap.h>
33 #include "lutil.h"
34 #include "slap.h"
35 #include <ac/errno.h>
36 #include <ac/time.h>
37 #include <ac/string.h>
38 #include <ac/ctype.h>
39 #include "slap-config.h"
40
41 /* Per-instance configuration information */
42 typedef struct lastbind_info {
43 /* precision to update timestamp in authTimestamp attribute */
44 int timestamp_precision;
45 int forward_updates; /* use frontend for authTimestamp updates */
46 } lastbind_info;
47
48 /* Operational attributes */
49 static AttributeDescription *ad_authTimestamp;
50
51 /* This is the definition used by ISODE, as supplied to us in
52 * ITS#6238 Followup #9
53 */
54 static struct schema_info {
55 char *def;
56 AttributeDescription **ad;
57 } lastBind_OpSchema[] = {
58 { "( 1.3.6.1.4.1.453.16.2.188 "
59 "NAME 'authTimestamp' "
60 "DESC 'last successful authentication using any method/mech' "
61 "EQUALITY generalizedTimeMatch "
62 "ORDERING generalizedTimeOrderingMatch "
63 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
64 "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
65 &ad_authTimestamp},
66 { NULL, NULL }
67 };
68
69 /* configuration attribute and objectclass */
70 static ConfigTable lastbindcfg[] = {
71 { "lastbind-precision", "seconds", 2, 2, 0,
72 ARG_INT|ARG_OFFSET,
73 (void *)offsetof(lastbind_info, timestamp_precision),
74 "( OLcfgCtAt:5.1 "
75 "NAME 'olcLastBindPrecision' "
76 "DESC 'Precision of authTimestamp attribute' "
77 "EQUALITY integerMatch "
78 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
79 { "lastbind_forward_updates", "on|off", 1, 2, 0,
80 ARG_ON_OFF|ARG_OFFSET,
81 (void *)offsetof(lastbind_info,forward_updates),
82 "( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' "
83 "DESC 'Allow authTimestamp updates to be forwarded via updateref' "
84 "EQUALITY booleanMatch "
85 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
86 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
87 };
88
89 static ConfigOCs lastbindocs[] = {
90 { "( OLcfgCtOc:5.1 "
91 "NAME 'olcLastBindConfig' "
92 "DESC 'Last Bind configuration' "
93 "SUP olcOverlayConfig "
94 "MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )",
95 Cft_Overlay, lastbindcfg, NULL, NULL },
96 { NULL, 0, NULL }
97 };
98
99 static time_t
parse_time(char * atm)100 parse_time( char *atm )
101 {
102 struct lutil_tm tm;
103 struct lutil_timet tt;
104 time_t ret = (time_t)-1;
105
106 if ( lutil_parsetime( atm, &tm ) == 0) {
107 lutil_tm2time( &tm, &tt );
108 ret = tt.tt_sec;
109 }
110 return ret;
111 }
112
113 static int
lastbind_bind_response(Operation * op,SlapReply * rs)114 lastbind_bind_response( Operation *op, SlapReply *rs )
115 {
116 Modifications *mod = NULL;
117 BackendInfo *bi = op->o_bd->bd_info;
118 Entry *e;
119 int rc;
120
121 /* we're only interested if the bind was successful */
122 if ( rs->sr_err != LDAP_SUCCESS )
123 return SLAP_CB_CONTINUE;
124
125 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
126 op->o_bd->bd_info = bi;
127
128 if ( rc != LDAP_SUCCESS ) {
129 return SLAP_CB_CONTINUE;
130 }
131
132 {
133 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
134
135 time_t now, bindtime = (time_t)-1;
136 Attribute *a;
137 Modifications *m;
138 char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
139 struct berval timestamp;
140
141 /* get the current time */
142 now = slap_get_time();
143
144 /* get authTimestamp attribute, if it exists */
145 if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) {
146 bindtime = parse_time( a->a_nvals[0].bv_val );
147
148 if (bindtime != (time_t)-1) {
149 /* if the recorded bind time is within our precision, we're done
150 * it doesn't need to be updated (save a write for nothing) */
151 if ((now - bindtime) < lbi->timestamp_precision) {
152 goto done;
153 }
154 }
155 }
156
157 /* update the authTimestamp in the user's entry with the current time */
158 timestamp.bv_val = nowstr;
159 timestamp.bv_len = sizeof(nowstr);
160 slap_timestamp( &now, ×tamp );
161
162 m = ch_calloc( sizeof(Modifications), 1 );
163 m->sml_op = LDAP_MOD_REPLACE;
164 m->sml_flags = 0;
165 m->sml_type = ad_authTimestamp->ad_cname;
166 m->sml_desc = ad_authTimestamp;
167 m->sml_numvals = 1;
168 m->sml_values = ch_calloc( sizeof(struct berval), 2 );
169 m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
170
171 ber_dupbv( &m->sml_values[0], ×tamp );
172 ber_dupbv( &m->sml_nvalues[0], ×tamp );
173 m->sml_next = mod;
174 mod = m;
175 }
176
177 done:
178 be_entry_release_r( op, e );
179
180 /* perform the update, if necessary */
181 if ( mod ) {
182 Operation op2 = *op;
183 SlapReply r2 = { REP_RESULT };
184 slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
185 LDAPControl c, *ca[2];
186 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
187
188 /* This is a DSA-specific opattr, it never gets replicated. */
189 op2.o_tag = LDAP_REQ_MODIFY;
190 op2.o_callback = &cb;
191 op2.orm_modlist = mod;
192 op2.orm_no_opattrs = 0;
193 op2.o_dn = op->o_bd->be_rootdn;
194 op2.o_ndn = op->o_bd->be_rootndn;
195
196 /*
197 * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy
198 *
199 * If this server is a shadow and forward_updates is true,
200 * use the frontend to perform this modify. That will trigger
201 * the update referral, which can then be forwarded by the
202 * chain overlay. Obviously the updateref and chain overlay
203 * must be configured appropriately for this to be useful.
204 */
205 if ( SLAP_SHADOW( op->o_bd ) && lbi->forward_updates ) {
206 op2.o_bd = frontendDB;
207
208 /* Must use Relax control since these are no-user-mod */
209 op2.o_relax = SLAP_CONTROL_CRITICAL;
210 op2.o_ctrls = ca;
211 ca[0] = &c;
212 ca[1] = NULL;
213 BER_BVZERO( &c.ldctl_value );
214 c.ldctl_iscritical = 1;
215 c.ldctl_oid = LDAP_CONTROL_RELAX;
216 } else {
217 /* If not forwarding, don't update opattrs and don't replicate */
218 if ( SLAP_SINGLE_SHADOW( op->o_bd )) {
219 op2.orm_no_opattrs = 1;
220 op2.o_dont_replicate = 1;
221 }
222 /* TODO: not sure what this does in slapo-ppolicy */
223 /*
224 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
225 */
226 }
227
228 rc = op2.o_bd->be_modify( &op2, &r2 );
229 slap_mods_free( mod, 1 );
230 }
231
232 op->o_bd->bd_info = bi;
233 return SLAP_CB_CONTINUE;
234 }
235
236 static int
lastbind_bind(Operation * op,SlapReply * rs)237 lastbind_bind( Operation *op, SlapReply *rs )
238 {
239 slap_callback *cb;
240 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
241
242 /* setup a callback to intercept result of this bind operation
243 * and pass along the lastbind_info struct */
244 cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx );
245 cb->sc_response = lastbind_bind_response;
246 cb->sc_next = op->o_callback->sc_next;
247 cb->sc_private = on->on_bi.bi_private;
248 op->o_callback->sc_next = cb;
249
250 return SLAP_CB_CONTINUE;
251 }
252
253 static int
lastbind_db_init(BackendDB * be,ConfigReply * cr)254 lastbind_db_init(
255 BackendDB *be,
256 ConfigReply *cr
257 )
258 {
259 slap_overinst *on = (slap_overinst *) be->bd_info;
260
261 /* initialize private structure to store configuration */
262 on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) );
263
264 return 0;
265 }
266
267 static int
lastbind_db_close(BackendDB * be,ConfigReply * cr)268 lastbind_db_close(
269 BackendDB *be,
270 ConfigReply *cr
271 )
272 {
273 slap_overinst *on = (slap_overinst *) be->bd_info;
274 lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private;
275
276 /* free private structure to store configuration */
277 free( lbi );
278
279 return 0;
280 }
281
282 static slap_overinst lastbind;
283
lastbind_initialize()284 int lastbind_initialize()
285 {
286 int i, code;
287
288 /* register operational schema for this overlay (authTimestamp attribute) */
289 for (i=0; lastBind_OpSchema[i].def; i++) {
290 code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 );
291 if ( code ) {
292 Debug( LDAP_DEBUG_ANY,
293 "lastbind_initialize: register_at failed\n" );
294 return code;
295 }
296 }
297
298 ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE;
299
300 lastbind.on_bi.bi_type = "lastbind";
301 lastbind.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
302 lastbind.on_bi.bi_db_init = lastbind_db_init;
303 lastbind.on_bi.bi_db_close = lastbind_db_close;
304 lastbind.on_bi.bi_op_bind = lastbind_bind;
305
306 /* register configuration directives */
307 lastbind.on_bi.bi_cf_ocs = lastbindocs;
308 code = config_register_schema( lastbindcfg, lastbindocs );
309 if ( code ) return code;
310
311 return overlay_register( &lastbind );
312 }
313
314 #if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC
init_module(int argc,char * argv[])315 int init_module(int argc, char *argv[]) {
316 return lastbind_initialize();
317 }
318 #endif
319
320 #endif /* defined(SLAPD_OVER_LASTBIND) */
321