Commit f35a5539 authored by Pierangelo Masarati's avatar Pierangelo Masarati
Browse files

add (basic) support for {RADIUS} scheme; userPassword attributes prefixed with...

add (basic) support for {RADIUS} scheme; userPassword attributes prefixed with {RADIUS} are interpreted as RADIUS userids and authentication occurs contacting the configured RADIUS servers with that userid and the provided password (experimental; please report)
parent 4d46b8b7
......@@ -6,7 +6,7 @@ Public License.
This directory contains native slapd plugins for password mechanisms that
are not actively supported by the project. Currently this includes the
Kerberos and Netscape MTA-MD5 password mechanisms.
Kerberos, Netscape MTA-MD5 and RADIUS password mechanisms.
To use the Kerberos plugin, add:
......@@ -20,6 +20,15 @@ moduleload pw-netscape.so
to your slapd configuration file.
To use the RADIUS plugin, add:
moduleload pw-radius.so
to your slapd configuration file; optionally, the path to a configuration
file can be appended in the form
moduleload pw-radius.so config="/etc/radius.conf"
No Makefile is provided. Use a command line similar to:
gcc -shared -I../../../include -Wall -g -DHAVE_KRB5 -o pw-kerberos.so kerberos.c
......@@ -32,3 +41,10 @@ The corresponding command for the Netscape plugin would be:
gcc -shared -I../../../include -Wall -g -o pw-netscape.so netscape.c
The corresponding command for the RADIUS plugin would be:
gcc -shared -I../../../include -Wall -g -o pw-radius.so radius.c -lradius
(Actually, you might want to statically link the RADIUS client library
libradius.a into the module).
/* $OpenLDAP$ */
/*
* Copyright 1998-2006 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
#include <stdio.h>
#include <lber.h>
#include <lber_pvt.h> /* BER_BVC definition */
#include "lutil.h"
#include <ac/string.h>
#include <ac/unistd.h>
#include <radlib.h>
static LUTIL_PASSWD_CHK_FUNC chk_radius;
static const struct berval scheme = BER_BVC("{RADIUS}");
static char *config_filename;
static int
chk_radius(
const struct berval *sc,
const struct berval *passwd,
const struct berval *cred,
const char **text )
{
unsigned int i;
int rc = LUTIL_PASSWD_ERR;
struct rad_handle *h = NULL;
for ( i = 0; i < cred->bv_len; i++ ) {
if ( cred->bv_val[ i ] == '\0' ) {
return LUTIL_PASSWD_ERR; /* NUL character in cred */
}
}
if ( cred->bv_val[ i ] != '\0' ) {
return LUTIL_PASSWD_ERR; /* cred must behave like a string */
}
for ( i = 0; i < passwd->bv_len; i++ ) {
if ( passwd->bv_val[ i ] == '\0' ) {
return LUTIL_PASSWD_ERR; /* NUL character in password */
}
}
if ( passwd->bv_val[ i ] != '\0' ) {
return LUTIL_PASSWD_ERR; /* passwd must behave like a string */
}
h = rad_auth_open();
if ( h == NULL ) {
return LUTIL_PASSWD_ERR;
}
if ( config_filename ) {
if ( rad_config( h, config_filename ) != 0 ) {
goto done;
}
}
if ( rad_create_request( h, RAD_ACCESS_REQUEST ) ) {
goto done;
}
if ( rad_put_string( h, RAD_USER_NAME, passwd->bv_val ) != 0 ) {
goto done;
}
if ( rad_put_string( h, RAD_USER_PASSWORD, cred->bv_val ) != 0 ) {
goto done;
}
if ( rad_send_request( h ) == RAD_ACCESS_ACCEPT ) {
rc = LUTIL_PASSWD_OK;
}
done:;
rad_close( h );
return rc;
}
int
init_module( int argc, char *argv[] )
{
int i;
for ( i = 0; i < argc; i++ ) {
if ( strncasecmp( argv[ i ], "config=", STRLENOF( "config=" ) ) == 0 ) {
/* FIXME: what if multiple loads of same module?
* does it make sense (e.g. override an existing one)? */
if ( config_filename == NULL ) {
config_filename = ber_strdup( &argv[ i ][ STRLENOF( "config=" ) ] );
}
} else {
fprintf( stderr, "init_module(radius): unknown arg#%d=\"%s\".\n",
i, argv[ i ] );
return 1;
}
}
return lutil_passwd_add( (struct berval *)&scheme, chk_radius, NULL );
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment