1 /* $OpenBSD: ldapd.h,v 1.36 2021/12/15 04:00:15 deraadt Exp $ */ 2 3 /* 4 * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #ifndef _LDAPD_H 20 #define _LDAPD_H 21 22 #include <sys/queue.h> 23 #include <sys/socket.h> 24 #include <sys/tree.h> 25 #include <sys/types.h> 26 #include <sys/uio.h> 27 28 #include <event.h> 29 #include <imsg.h> 30 #include <limits.h> 31 #include <pwd.h> 32 #include <stdarg.h> 33 #include <tls.h> 34 35 #include "aldap.h" 36 #include "schema.h" 37 #include "btree.h" 38 #include "imsgev.h" 39 #include "evbuffer_tls.h" 40 41 #define CONFFILE "/etc/ldapd.conf" 42 #define LDAPD_USER "_ldapd" 43 #define LDAPD_SOCKET "/var/run/ldapd.sock" 44 #define DATADIR "/var/db/ldap" 45 #define LDAP_PORT 389 46 #define LDAPS_PORT 636 47 #define LDAPD_SESSION_TIMEOUT 30 48 #define FD_RESERVE 8 /* 5 overhead, 2 for db, 1 accept */ 49 50 #define F_STARTTLS 0x01 51 #define F_LDAPS 0x02 52 #define F_SSL (F_LDAPS|F_STARTTLS) 53 54 #define F_SECURE 0x04 55 #define F_LEGACY 0x08 56 57 #define F_SCERT 0x01 58 59 struct conn; 60 61 struct aci { 62 SIMPLEQ_ENTRY(aci) entry; 63 #define ACI_DENY 0 64 #define ACI_ALLOW 1 65 int type; 66 #define ACI_READ 0x01 67 #define ACI_WRITE 0x02 68 #define ACI_COMPARE 0x04 69 #define ACI_CREATE 0x08 70 #define ACI_BIND 0x10 71 #define ACI_ALL 0x1F 72 int rights; 73 enum scope scope; /* base, onelevel or subtree */ 74 char *attribute; 75 char *target; 76 char *subject; 77 char *filter; 78 }; 79 SIMPLEQ_HEAD(acl, aci); 80 81 /* An LDAP request. 82 */ 83 struct request { 84 TAILQ_ENTRY(request) next; 85 unsigned int type; 86 long long msgid; 87 struct ber_element *root; 88 struct ber_element *op; 89 struct conn *conn; 90 int replayed; /* true if replayed request */ 91 }; 92 TAILQ_HEAD(request_queue, request); 93 94 enum index_type { 95 INDEX_NONE, 96 INDEX_EQUAL = 1, 97 INDEX_APPROX = 1, 98 INDEX_PRESENCE = 1, 99 INDEX_SUBSTR 100 }; 101 102 struct attr_index { 103 TAILQ_ENTRY(attr_index) next; 104 char *attr; 105 enum index_type type; 106 }; 107 TAILQ_HEAD(attr_index_list, attr_index); 108 109 struct referral { 110 SLIST_ENTRY(referral) next; 111 char *url; 112 }; 113 SLIST_HEAD(referrals, referral); 114 115 struct namespace { 116 TAILQ_ENTRY(namespace) next; 117 char *suffix; 118 struct referrals referrals; 119 char *rootdn; 120 char *rootpw; 121 char *data_path; 122 char *indx_path; 123 struct btree *data_db; 124 struct btree *indx_db; 125 struct btree_txn *data_txn; 126 struct btree_txn *indx_txn; 127 int sync; /* 1 = fsync after commit */ 128 struct attr_index_list indices; 129 unsigned int cache_size; 130 unsigned int index_cache_size; 131 struct request_queue request_queue; 132 struct event ev_queue; 133 unsigned int queued_requests; 134 struct acl acl; 135 int relax; /* relax schema validation */ 136 int compression_level; /* 0-9, 0 = disabled */ 137 }; 138 139 TAILQ_HEAD(namespace_list, namespace); 140 141 struct index 142 { 143 TAILQ_ENTRY(index) next; 144 char *prefix; 145 }; 146 147 /* A query plan. 148 */ 149 struct plan 150 { 151 TAILQ_ENTRY(plan) next; 152 TAILQ_HEAD(, plan) args; 153 TAILQ_HEAD(, index) indices; 154 struct attr_type *at; 155 char *adesc; 156 union { 157 char *value; 158 struct ber_element *substring; 159 } assert; 160 int op; 161 int indexed; 162 int undefined; 163 }; 164 165 /* For OR filters using multiple indices, matches are not unique. Remember 166 * all DNs sent to the client to make them unique. 167 */ 168 struct uniqdn { 169 RB_ENTRY(uniqdn) link; 170 struct btval key; 171 }; 172 RB_HEAD(dn_tree, uniqdn); 173 RB_PROTOTYPE(dn_tree, uniqdn, link, uniqdn_cmp); 174 175 /* An LDAP search request. 176 */ 177 struct search { 178 TAILQ_ENTRY(search) next; 179 int init; /* 1 if cursor initiated */ 180 struct conn *conn; 181 struct request *req; 182 struct namespace *ns; 183 struct btree_txn *data_txn; 184 struct btree_txn *indx_txn; 185 struct cursor *cursor; 186 unsigned int nscanned, nmatched, ndups; 187 time_t started_at; 188 long long szlim, tmlim; /* size and time limits */ 189 int typesonly; /* not implemented */ 190 long long scope; 191 long long deref; /* not implemented */ 192 char *basedn; 193 struct ber_element *filter, *attrlist; 194 struct plan *plan; 195 struct index *cindx; /* current index */ 196 struct dn_tree uniqdns; 197 }; 198 199 struct listener { 200 unsigned int flags; /* F_STARTTLS or F_LDAPS */ 201 struct sockaddr_storage ss; 202 int port; 203 int fd; 204 struct event ev; 205 struct event evt; 206 char ssl_cert_name[PATH_MAX]; 207 struct ssl *ssl; 208 struct tls *tls; 209 TAILQ_ENTRY(listener) entry; 210 }; 211 TAILQ_HEAD(listenerlist, listener); 212 213 /* An LDAP client connection. 214 */ 215 struct conn { 216 TAILQ_ENTRY(conn) next; 217 int fd; 218 struct bufferevent *bev; 219 struct ber ber; 220 int disconnect; 221 struct request *bind_req; /* ongoing bind request */ 222 char *binddn; 223 char *pending_binddn; 224 TAILQ_HEAD(, search) searches; 225 struct listener *listener; /* where it connected from */ 226 227 /* SSL support */ 228 struct tls *tls; 229 struct buffertls buftls; 230 unsigned int s_flags; 231 }; 232 TAILQ_HEAD(conn_list, conn); 233 234 struct ssl { 235 SPLAY_ENTRY(ssl) ssl_nodes; 236 char ssl_name[PATH_MAX]; 237 uint8_t *ssl_cert; 238 size_t ssl_cert_len; 239 uint8_t *ssl_key; 240 size_t ssl_key_len; 241 uint8_t flags; 242 struct tls_config *config; 243 }; 244 245 struct ldapd_config 246 { 247 struct namespace_list namespaces; 248 struct listenerlist listeners; 249 SPLAY_HEAD(ssltree, ssl) *sc_ssl; 250 struct referrals referrals; 251 struct acl acl; 252 struct schema *schema; 253 char *rootdn; 254 char *rootpw; 255 }; 256 257 struct ldapd_stats 258 { 259 time_t started_at; /* time of daemon startup */ 260 unsigned long long requests; /* total number of requests */ 261 unsigned long long req_search; /* search requests */ 262 unsigned long long req_bind; /* bind requests */ 263 unsigned long long req_mod; /* add/mod/del requests */ 264 unsigned long long timeouts; /* search timeouts */ 265 unsigned long long unindexed; /* unindexed searches */ 266 unsigned int conns; /* active connections */ 267 unsigned int searches; /* active searches */ 268 }; 269 270 struct auth_req 271 { 272 int fd; 273 long long msgid; 274 char name[128]; 275 char password[128]; 276 }; 277 278 struct auth_res 279 { 280 int ok; 281 int fd; 282 long long msgid; 283 }; 284 285 struct open_req { 286 char path[PATH_MAX]; 287 unsigned int rdonly; 288 }; 289 290 enum imsg_type { 291 IMSG_NONE, 292 IMSG_CTL_OK, 293 IMSG_CTL_FAIL, 294 IMSG_CTL_END, 295 IMSG_CTL_STATS, 296 IMSG_CTL_NSSTATS, 297 IMSG_CTL_LOG_VERBOSE, 298 299 IMSG_LDAPD_AUTH, 300 IMSG_LDAPD_AUTH_RESULT, 301 IMSG_LDAPD_OPEN, 302 IMSG_LDAPD_OPEN_RESULT, 303 }; 304 305 struct ns_stat { 306 char suffix[256]; 307 struct btree_stat data_stat; 308 struct btree_stat indx_stat; 309 }; 310 311 struct ctl_conn { 312 TAILQ_ENTRY(ctl_conn) entry; 313 u_int8_t flags; 314 #define CTL_CONN_NOTIFY 0x01 315 #define CTL_CONN_LOCKED 0x02 /* restricted mode */ 316 struct imsgev iev; 317 }; 318 TAILQ_HEAD(ctl_connlist, ctl_conn); 319 320 struct control_sock { 321 const char *cs_name; 322 struct event cs_ev; 323 struct event cs_evt; 324 int cs_fd; 325 int cs_restricted; 326 }; 327 328 enum ldapd_process { 329 PROC_MAIN_AUTH, 330 PROC_LDAP_SERVER 331 }; 332 333 #define PROC_PARENT_SOCK_FILENO 3 334 335 /* ldapd.c */ 336 extern struct ldapd_stats stats; 337 extern struct ldapd_config *conf; 338 339 void imsg_event_add(struct imsgev *iev); 340 int imsg_compose_event(struct imsgev *iev, u_int16_t type, 341 u_int32_t peerid, pid_t pid, int fd, void *data, 342 u_int16_t datalen); 343 int imsg_event_handle(struct imsgev *iev, short event); 344 345 /* conn.c */ 346 extern struct conn_list conn_list; 347 struct conn *conn_by_fd(int fd); 348 void conn_read(struct bufferevent *bev, void *data); 349 void conn_write(struct bufferevent *bev, void *data); 350 void conn_err(struct bufferevent *bev, short w, void *data); 351 void conn_accept(int fd, short why, void *data); 352 void conn_close(struct conn *conn); 353 int conn_close_any(void); 354 void conn_disconnect(struct conn *conn); 355 void request_dispatch(struct request *req); 356 void request_free(struct request *req); 357 358 /* ldape.c */ 359 void ldape(int, int, char *); 360 int ldap_abandon(struct request *req); 361 int ldap_unbind(struct request *req); 362 int ldap_compare(struct request *req); 363 int ldap_extended(struct request *req); 364 365 void send_ldap_result(struct conn *conn, int msgid, 366 unsigned int type, long long result_code); 367 int ldap_respond(struct request *req, int code); 368 int ldap_refer(struct request *req, const char *basedn, 369 struct search *search, struct referrals *refs); 370 371 /* namespace.c 372 */ 373 struct namespace *namespace_new(const char *suffix); 374 int namespace_open(struct namespace *ns); 375 int namespace_reopen_data(struct namespace *ns); 376 int namespace_reopen_indx(struct namespace *ns); 377 int namespace_set_data_fd(struct namespace *ns, int fd); 378 int namespace_set_indx_fd(struct namespace *ns, int fd); 379 struct namespace *namespace_init(const char *suffix, const char *dir); 380 void namespace_close(struct namespace *ns); 381 void namespace_remove(struct namespace *ns); 382 struct ber_element *namespace_get(struct namespace *ns, char *dn); 383 int namespace_exists(struct namespace *ns, char *dn); 384 int namespace_add(struct namespace *ns, char *dn, 385 struct ber_element *root); 386 int namespace_update(struct namespace *ns, char *dn, 387 struct ber_element *root); 388 int namespace_del(struct namespace *ns, char *dn); 389 struct namespace *namespace_lookup_base(const char *basedn, 390 int include_referrals); 391 struct namespace *namespace_for_base(const char *basedn); 392 int namespace_has_referrals(struct namespace *ns); 393 struct referrals *namespace_referrals(const char *basedn); 394 int namespace_has_index(struct namespace *ns, 395 const char *attr, enum index_type type); 396 int namespace_begin_txn(struct namespace *ns, 397 struct btree_txn **data_txn, 398 struct btree_txn **indx_txn, int rdonly); 399 int namespace_begin(struct namespace *ns); 400 int namespace_commit(struct namespace *ns); 401 void namespace_abort(struct namespace *ns); 402 int namespace_queue_request(struct namespace *ns, 403 struct request *req); 404 void namespace_queue_schedule(struct namespace *ns, 405 unsigned int usec); 406 void namespace_cancel_conn(struct conn *conn); 407 int namespace_conn_queue_count(struct conn *conn); 408 409 int namespace_ber2db(struct namespace *ns, 410 struct ber_element *root, struct btval *val); 411 struct ber_element *namespace_db2ber(struct namespace *ns, 412 struct btval *val); 413 414 /* attributes.c */ 415 struct ber_element *ldap_get_attribute(struct ber_element *root, 416 const char *attr); 417 struct ber_element *ldap_find_attribute(struct ber_element *entry, 418 struct attr_type *at); 419 struct ber_element *ldap_find_value(struct ber_element *elm, 420 const char *value); 421 struct ber_element *ldap_add_attribute(struct ber_element *root, 422 const char *attr, struct ber_element *vals); 423 int ldap_set_values(struct ber_element *elm, 424 struct ber_element *vals); 425 int ldap_merge_values(struct ber_element *elm, 426 struct ber_element *vals); 427 int ldap_del_attribute(struct ber_element *entry, 428 const char *attrdesc); 429 int ldap_del_values(struct ber_element *elm, 430 struct ber_element *vals); 431 char *ldap_strftime(time_t tm); 432 char *ldap_now(void); 433 434 /* control.c */ 435 void control_init(struct control_sock *); 436 void control_listen(struct control_sock *); 437 void control_accept(int, short, void *); 438 void control_dispatch_imsg(int, short, void *); 439 void control_cleanup(struct control_sock *); 440 int control_close_any(struct control_sock *); 441 442 /* filter.c */ 443 int ldap_matches_filter(struct ber_element *root, 444 struct plan *plan); 445 446 /* search.c */ 447 int ldap_search(struct request *req); 448 void conn_search(struct search *search); 449 void search_close(struct search *search); 450 int is_child_of(struct btval *key, const char *base); 451 452 /* modify.c */ 453 int ldap_add(struct request *req); 454 int ldap_delete(struct request *req); 455 int ldap_modify(struct request *req); 456 457 /* auth.c */ 458 extern struct imsgev *iev_ldapd; 459 int ldap_bind(struct request *req); 460 void ldap_bind_continue(struct conn *conn, int ok); 461 int authorized(struct conn *conn, struct namespace *ns, 462 int rights, char *dn, char *attr, int scope); 463 464 /* parse.y */ 465 int parse_config(char *filename); 466 int cmdline_symset(char *s); 467 int ssl_cmp(struct ssl *, struct ssl *); 468 SPLAY_PROTOTYPE(ssltree, ssl, ssl_nodes, ssl_cmp); 469 470 471 /* logmsg.c */ 472 void ldap_loginit(const char *, int, int); 473 const char *print_host(struct sockaddr_storage *ss, char *buf, 474 size_t len); 475 void hexdump(void *data, size_t len, const char *fmt, ...); 476 void ldap_debug_elements(struct ber_element *root, 477 int context, const char *fmt, ...); 478 /* util.c */ 479 int bsnprintf(char *str, size_t size, 480 const char *format, ...); 481 int has_suffix(struct btval *key, const char *suffix); 482 int has_prefix(struct btval *key, const char *prefix); 483 void normalize_dn(char *dn); 484 int ber2db(struct ber_element *root, struct btval *val, 485 int compression_level); 486 struct ber_element *db2ber(struct btval *val, int compression_level); 487 int accept_reserve(int sockfd, struct sockaddr *addr, 488 socklen_t *addrlen, int reserve); 489 490 /* index.c */ 491 int index_entry(struct namespace *ns, struct btval *dn, 492 struct ber_element *elm); 493 int unindex_entry(struct namespace *ns, struct btval *dn, 494 struct ber_element *elm); 495 int index_to_dn(struct namespace *ns, struct btval *indx, 496 struct btval *dn); 497 498 /* validate.c */ 499 int validate_entry(const char *dn, struct ber_element *entry, int relax); 500 501 #endif /* _LDAPD_H */ 502 503