/* $OpenBSD: ldapd.h,v 1.37 2024/05/21 05:00:48 jsg Exp $ */

/*
 * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Common definitions for ldapd: configuration and per-namespace state,
 * client connections and their in-flight requests/searches, the messages
 * exchanged between the daemon's processes over imsg, and the prototypes
 * of every .c file that makes up the daemon (grouped by file below).
 */

#ifndef _LDAPD_H
#define _LDAPD_H

#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/tree.h>
#include <sys/types.h>
#include <sys/uio.h>

#include <event.h>
#include <imsg.h>
#include <limits.h>
#include <pwd.h>
#include <stdarg.h>
#include <tls.h>

#include "aldap.h"
#include "schema.h"
#include "btree.h"
#include "imsgev.h"
#include "evbuffer_tls.h"

/* Compile-time defaults: paths, unprivileged user and well-known ports. */
#define CONFFILE		"/etc/ldapd.conf"
#define LDAPD_USER		"_ldapd"
#define LDAPD_SOCKET		"/var/run/ldapd.sock"
#define DATADIR			"/var/db/ldap"
#define LDAP_PORT		389
#define LDAPS_PORT		636
#define LDAPD_SESSION_TIMEOUT	30
/* Descriptors kept free so accept() cannot starve the daemon's own I/O;
 * see accept_reserve() below. */
#define FD_RESERVE		8	/* 5 overhead, 2 for db, 1 accept */

/* Transport flags for struct listener.flags. F_SSL matches either form
 * of TLS (explicit ldaps:// or STARTTLS upgrade). */
#define F_STARTTLS		0x01
#define F_LDAPS			0x02
#define F_SSL			(F_LDAPS|F_STARTTLS)

/* NOTE(review): presumably per-connection security flags (struct
 * conn.s_flags); confirm where they are set before relying on that. */
#define F_SECURE		0x04
#define F_LEGACY		0x08

/* NOTE(review): presumably a struct ssl.flags bit -- verify in parse.y. */
#define F_SCERT			0x01

struct conn;

/*
 * One access-control instruction from the configuration: allow or deny
 * a set of rights on a target, optionally restricted by attribute,
 * subject and filter. Evaluated by authorized() in auth.c.
 */
struct aci {
	SIMPLEQ_ENTRY(aci)	 entry;
#define ACI_DENY		0
#define ACI_ALLOW		1
	int			 type;		/* ACI_DENY or ACI_ALLOW */
#define ACI_READ		0x01
#define ACI_WRITE		0x02
#define ACI_COMPARE		0x04
#define ACI_CREATE		0x08
#define ACI_BIND		0x10
#define ACI_ALL			0x1F		/* union of the five bits above */
	int			 rights;	/* mask of ACI_* bits */
	enum scope		 scope;		/* base, onelevel or subtree */
	char			*attribute;
	char			*target;
	char			*subject;
	char			*filter;
};
SIMPLEQ_HEAD(acl, aci);

/* An LDAP request.
 * root is the decoded BER tree of the whole message; op is the element
 * within it that the handlers operate on. Queued per namespace via
 * namespace_queue_request() when it cannot be served immediately.
 */
struct request {
	TAILQ_ENTRY(request)	 next;
	unsigned int		 type;
	long long		 msgid;
	struct ber_element	*root;
	struct ber_element	*op;
	struct conn		*conn;
	int			 replayed;	/* true if replayed request */
};
TAILQ_HEAD(request_queue, request);

/* Index kinds an attribute can be configured with. EQUAL, APPROX and
 * PRESENCE are all given the value 1 and therefore compare equal. */
enum index_type {
	INDEX_NONE,
	INDEX_EQUAL = 1,
	INDEX_APPROX = 1,
	INDEX_PRESENCE = 1,
	INDEX_SUBSTR
};

/* Configured index on one attribute of a namespace. */
struct attr_index {
	TAILQ_ENTRY(attr_index)	 next;
	char			*attr;
	enum index_type		 type;
};
TAILQ_HEAD(attr_index_list, attr_index);

/* A referral URL, returned to clients via ldap_refer(). */
struct referral {
	SLIST_ENTRY(referral)	 next;
	char			*url;
};
SLIST_HEAD(referrals, referral);

/*
 * A directory partition rooted at suffix, backed by two btree databases
 * (entries and indices) with their own paths and transactions.
 */
struct namespace {
	TAILQ_ENTRY(namespace)	 next;
	char			*suffix;
	struct referrals	 referrals;
	char			*rootdn;
	char			*rootpw;
	char			*data_path;
	char			*indx_path;
	struct btree		*data_db;
	struct btree		*indx_db;
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	int			 sync;		/* 1 = fsync after commit */
	struct attr_index_list	 indices;
	unsigned int		 cache_size;
	unsigned int		 index_cache_size;
	struct request_queue	 request_queue;	/* requests waiting on this namespace */
	struct event		 ev_queue;	/* timer used by namespace_queue_schedule() */
	unsigned int		 queued_requests;
	struct acl		 acl;
	int			 relax;		/* relax schema validation */
	int			 compression_level;	/* 0-9, 0 = disabled */
};

TAILQ_HEAD(namespace_list, namespace);

/* One index key prefix a query plan will scan. */
struct index
{
	TAILQ_ENTRY(index)	 next;
	char			*prefix;
};

/* A query plan.
 * One node per filter component; args holds the sub-plans of compound
 * (AND/OR/NOT) filters, indices the index prefixes usable for this node.
 */
struct plan
{
	TAILQ_ENTRY(plan)	 next;
	TAILQ_HEAD(, plan)	 args;
	TAILQ_HEAD(, index)	 indices;
	struct attr_type	*at;
	char			*adesc;
	union {
		char			*value;
		struct ber_element	*substring;
	} assert;
	int			 op;
	int			 indexed;	/* non-zero once an index can serve this node */
	int			 undefined;	/* filter refers to an unknown attribute */
};

/* For OR filters using multiple indices, matches are not unique. Remember
 * all DNs sent to the client to make them unique.
 */
struct uniqdn {
	RB_ENTRY(uniqdn)	 link;
	struct btval		 key;
};
RB_HEAD(dn_tree, uniqdn);
RB_PROTOTYPE(dn_tree, uniqdn, link, uniqdn_cmp);

/* An LDAP search request.
 * Lives on conn->searches while the cursor walk is in progress; counters
 * nscanned/nmatched/ndups feed the size limit and struct ldapd_stats.
 */
struct search {
	TAILQ_ENTRY(search)	 next;
	int			 init;		/* 1 if cursor initiated */
	struct conn		*conn;
	struct request		*req;
	struct namespace	*ns;
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	struct cursor		*cursor;
	unsigned int		 nscanned, nmatched, ndups;
	time_t			 started_at;
	long long		 szlim, tmlim;	/* size and time limits */
	int			 typesonly;	/* not implemented */
	long long		 scope;
	long long		 deref;		/* not implemented */
	char			*basedn;
	struct ber_element	*filter, *attrlist;
	struct plan		*plan;
	struct index		*cindx;		/* current index */
	struct dn_tree		 uniqdns;
};

/* A listening socket from the "listen on" configuration. */
struct listener {
	unsigned int		 flags;		/* F_STARTTLS or F_LDAPS */
	struct sockaddr_storage	 ss;
	int			 port;
	int			 fd;
	struct event		 ev;
	struct event		 evt;
	char			 ssl_cert_name[PATH_MAX];
	struct ssl		*ssl;
	struct tls		*tls;
	TAILQ_ENTRY(listener)	 entry;
};
TAILQ_HEAD(listenerlist, listener);

/* An LDAP client connection.
 * binddn is the identity the connection is currently bound as;
 * pending_binddn is held until the in-progress bind (bind_req) completes.
 */
struct conn {
	TAILQ_ENTRY(conn)	 next;
	int			 fd;
	struct bufferevent	*bev;
	struct ber		 ber;
	int			 disconnect;
	struct request		*bind_req;	/* ongoing bind request */
	char			*binddn;
	char			*pending_binddn;
	TAILQ_HEAD(, search)	 searches;
	struct listener		*listener;	/* where it connected from */

	/* SSL support */
	struct tls		*tls;
	struct buffertls	 buftls;
	unsigned int		 s_flags;
};
TAILQ_HEAD(conn_list, conn);

/* A certificate/key pair loaded into memory, keyed by ssl_name. */
struct ssl {
	SPLAY_ENTRY(ssl)	 ssl_nodes;
	char			 ssl_name[PATH_MAX];
	uint8_t			*ssl_cert;
	size_t			 ssl_cert_len;
	uint8_t			*ssl_key;	/* private key material; keep out of logs/dumps */
	size_t			 ssl_key_len;
	uint8_t			 flags;
	struct tls_config	*config;
};

/* The parsed configuration (see parse.y), reachable through conf. */
struct ldapd_config
{
	struct namespace_list		 namespaces;
	struct listenerlist		 listeners;
	SPLAY_HEAD(ssltree, ssl)	*sc_ssl;
	struct referrals		 referrals;
	struct acl			 acl;
	struct schema			*schema;
	char				*rootdn;
	char				*rootpw;
};

/* Counters reported over the control socket (IMSG_CTL_STATS). */
struct ldapd_stats
{
	time_t			 started_at;	/* time of daemon startup */
	unsigned long long	 requests;	/* total number of requests */
	unsigned long long	 req_search;	/* search requests */
	unsigned long long	 req_bind;	/* bind requests */
	unsigned long long	 req_mod;	/* add/mod/del requests */
	unsigned long long	 timeouts;	/* search timeouts */
	unsigned long long	 unindexed;	/* unindexed searches */
	unsigned int		 conns;		/* active connections */
	unsigned int		 searches;	/* active searches */
};

/*
 * Bind credentials handed to the privileged process for verification
 * (presumably the IMSG_LDAPD_AUTH payload; fixed-size so it can be copied
 * as one imsg). fd/msgid route the answer back to the right request.
 * NOTE(review): password is a cleartext credential -- both sides should
 * clear their copy once it has been checked.
 */
struct auth_req
{
	int			 fd;
	long long		 msgid;
	char			 name[128];
	char			 password[128];
};

/* Answer to struct auth_req (presumably IMSG_LDAPD_AUTH_RESULT). */
struct auth_res
{
	int			 ok;
	int			 fd;
	long long		 msgid;
};

/* Request to have the privileged process open a database file
 * (presumably IMSG_LDAPD_OPEN, answered with a passed descriptor). */
struct open_req {
	char			 path[PATH_MAX];
	unsigned int		 rdonly;
};

/* Message types exchanged between processes and with ldapctl. */
enum imsg_type {
	IMSG_NONE,
	IMSG_CTL_OK,
	IMSG_CTL_FAIL,
	IMSG_CTL_END,
	IMSG_CTL_STATS,
	IMSG_CTL_NSSTATS,
	IMSG_CTL_LOG_VERBOSE,

	IMSG_LDAPD_AUTH,
	IMSG_LDAPD_AUTH_RESULT,
	IMSG_LDAPD_OPEN,
	IMSG_LDAPD_OPEN_RESULT,
};

/* Per-namespace statistics (IMSG_CTL_NSSTATS payload). */
struct ns_stat {
	char			 suffix[256];
	struct btree_stat	 data_stat;
	struct btree_stat	 indx_stat;
};

/* A connection on the control socket (ldapctl). */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	u_int8_t		 flags;
#define CTL_CONN_NOTIFY		 0x01
#define CTL_CONN_LOCKED		 0x02	/* restricted mode */
	struct imsgev		 iev;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);

/* The listening control socket; cs_restricted marks the locked-down
 * variant (its clients get CTL_CONN_LOCKED). */
struct control_sock {
	const char		*cs_name;
	struct event		 cs_ev;
	struct event		 cs_evt;
	int			 cs_fd;
	int			 cs_restricted;
};

/* The two processes the daemon is split into. */
enum ldapd_process {
	PROC_MAIN_AUTH,
	PROC_LDAP_SERVER
};

/* Descriptor number of the socket to the parent process in the child. */
#define PROC_PARENT_SOCK_FILENO 3

/* ldapd.c */
extern struct ldapd_stats	 stats;
extern struct ldapd_config	*conf;

/* conn.c */
extern struct conn_list		 conn_list;
struct conn		*conn_by_fd(int fd);
void			 conn_read(struct bufferevent *bev, void *data);
void			 conn_write(struct bufferevent *bev, void *data);
void			 conn_err(struct bufferevent *bev, short w, void *data);
void			 conn_accept(int fd, short why, void *data);
void			 conn_close(struct conn *conn);
int			 conn_close_any(void);	/* drop one connection to free a descriptor */
void			 conn_disconnect(struct conn *conn);
void			 request_dispatch(struct request *req);
void			 request_free(struct request *req);

/* ldape.c */
/* Entry point of the PROC_LDAP_SERVER process; parameters are unnamed
 * here, see the definition in ldape.c for their meaning. */
void			 ldape(int, int, char *);
int			 ldap_abandon(struct request *req);
int			 ldap_unbind(struct request *req);
int			 ldap_compare(struct request *req);
int			 ldap_extended(struct request *req);

void			 send_ldap_result(struct conn *conn, int msgid,
			    unsigned int type, long long result_code);
int			 ldap_respond(struct request *req, int code);
int			 ldap_refer(struct request *req, const char *basedn,
			    struct search *search, struct referrals *refs);

/* namespace.c
 */
struct namespace	*namespace_new(const char *suffix);
int			 namespace_open(struct namespace *ns);
int			 namespace_reopen_data(struct namespace *ns);
int			 namespace_reopen_indx(struct namespace *ns);
/* Attach a descriptor received from the privileged process (open_req). */
int			 namespace_set_data_fd(struct namespace *ns, int fd);
int			 namespace_set_indx_fd(struct namespace *ns, int fd);
void			 namespace_close(struct namespace *ns);
void			 namespace_remove(struct namespace *ns);
struct ber_element	*namespace_get(struct namespace *ns, char *dn);
int			 namespace_exists(struct namespace *ns, char *dn);
int			 namespace_add(struct namespace *ns, char *dn,
			    struct ber_element *root);
int			 namespace_update(struct namespace *ns, char *dn,
			    struct ber_element *root);
int			 namespace_del(struct namespace *ns, char *dn);
struct namespace	*namespace_lookup_base(const char *basedn,
			    int include_referrals);
struct namespace	*namespace_for_base(const char *basedn);
int			 namespace_has_referrals(struct namespace *ns);
struct referrals	*namespace_referrals(const char *basedn);
int			 namespace_has_index(struct namespace *ns,
			    const char *attr, enum index_type type);
/* Transaction helpers: begin_txn hands out both btree transactions;
 * begin/commit/abort operate on the ones stored in the namespace. */
int			 namespace_begin_txn(struct namespace *ns,
			    struct btree_txn **data_txn,
			    struct btree_txn **indx_txn, int rdonly);
int			 namespace_begin(struct namespace *ns);
int			 namespace_commit(struct namespace *ns);
void			 namespace_abort(struct namespace *ns);
int			 namespace_queue_request(struct namespace *ns,
			    struct request *req);
void			 namespace_queue_schedule(struct namespace *ns,
			    unsigned int usec);
void			 namespace_cancel_conn(struct conn *conn);
int			 namespace_conn_queue_count(struct conn *conn);

/* Entry <-> on-disk conversion honouring ns->compression_level. */
int			 namespace_ber2db(struct namespace *ns,
			    struct ber_element *root, struct btval *val);
struct ber_element	*namespace_db2ber(struct namespace *ns,
			    struct btval *val);

/* attributes.c */
struct ber_element	*ldap_get_attribute(struct ber_element *root,
			    const char *attr);
struct ber_element	*ldap_find_attribute(struct ber_element *entry,
			    struct attr_type *at);
struct ber_element	*ldap_find_value(struct ber_element *elm,
			    const char *value);
struct ber_element	*ldap_add_attribute(struct ber_element *root,
			    const char *attr, struct ber_element *vals);
int			 ldap_set_values(struct ber_element *elm,
			    struct ber_element *vals);
int			 ldap_merge_values(struct ber_element *elm,
			    struct ber_element *vals);
int			 ldap_del_attribute(struct ber_element *entry,
			    const char *attrdesc);
int			 ldap_del_values(struct ber_element *elm,
			    struct ber_element *vals);
char			*ldap_strftime(time_t tm);
char			*ldap_now(void);

/* control.c */
void			 control_init(struct control_sock *);
void			 control_listen(struct control_sock *);
void			 control_accept(int, short, void *);
void			 control_cleanup(struct control_sock *);
int			 control_close_any(struct control_sock *);

/* filter.c */
int			 ldap_matches_filter(struct ber_element *root,
			    struct plan *plan);

/* search.c */
int			 ldap_search(struct request *req);
void			 conn_search(struct search *search);
void			 search_close(struct search *search);
int			 is_child_of(struct btval *key, const char *base);

/* modify.c */
int			 ldap_add(struct request *req);
int			 ldap_delete(struct request *req);
int			 ldap_modify(struct request *req);

/* auth.c */
extern struct imsgev	*iev_ldapd;	/* channel to the PROC_MAIN_AUTH process */
int			 ldap_bind(struct request *req);
/* Resumes a bind once the auth result (struct auth_res.ok) has arrived. */
void			 ldap_bind_continue(struct conn *conn, int ok);
/* Access check of the ACI_* rights mask against the configured ACLs. */
int			 authorized(struct conn *conn, struct namespace *ns,
			    int rights, char *dn, char *attr, int scope);

/* parse.y */
int			 parse_config(char *filename);
int			 cmdline_symset(char *s);
int			 ssl_cmp(struct ssl *, struct ssl *);
SPLAY_PROTOTYPE(ssltree, ssl, ssl_nodes, ssl_cmp);


/* logmsg.c */
void			 ldap_loginit(const char *, int, int);
const char		*print_host(struct sockaddr_storage *ss, char *buf,
			    size_t len);
/* NOTE(review): data is only read; could become const void * if the
 * definition in logmsg.c is changed in step. */
void			 hexdump(void *data, size_t len, const char *fmt, ...);
void			 ldap_debug_elements(struct ber_element *root,
			    int context, const char *fmt, ...);
/* util.c */
int			 bsnprintf(char *str, size_t size,
			    const char *format, ...);
int			 has_suffix(struct btval *key, const char *suffix);
int			 has_prefix(struct btval *key, const char *prefix);
void			 normalize_dn(char *dn);
int			 ber2db(struct ber_element *root, struct btval *val,
			    int compression_level);
struct ber_element	*db2ber(struct btval *val, int compression_level);
/* accept() variant that refuses when fewer than reserve descriptors
 * would remain free (callers pass FD_RESERVE). */
int			 accept_reserve(int sockfd, struct sockaddr *addr,
			    socklen_t *addrlen, int reserve);

/* index.c */
int			 index_entry(struct namespace *ns, struct btval *dn,
			    struct ber_element *elm);
int			 unindex_entry(struct namespace *ns, struct btval *dn,
			    struct ber_element *elm);
int			 index_to_dn(struct namespace *ns, struct btval *indx,
			    struct btval *dn);

/* validate.c */
/* Schema validation of an entry before it is stored; relax mirrors
 * struct namespace.relax. */
int			 validate_entry(const char *dn, struct ber_element *entry, int relax);

#endif /* _LDAPD_H */