Commit 6b9e7b4c authored by Robert Dubner

Switched to rootdn for searches; started generalized search routine

parent dcf8bf9a
......@@ -68,7 +68,6 @@ static search_descriptor search_descriptors[] =
LDAP_SCOPE_SUBTREE,
"(uid=%s)",
"dc=renbud,dc=com",
"uid=proxy,ou=people,dc=renbud,dc=com",
"",
},
{
......@@ -78,7 +77,6 @@ static search_descriptor search_descriptors[] =
LDAP_SCOPE_SUBTREE,
"(uid=%s)",
"dc=renbud,dc=com",
"uid=proxy,ou=people,dc=renbud,dc=com",
"testing123",
},
{
......@@ -135,9 +133,9 @@ radiusov_get_dn_from_uid( RADIUS_INFO *radius_info,
op=&opbuf.ob_op;
op->o_bd = radius_info->radius_db;
op->o_dn.bv_val = sd->search_proxy;
op->o_dn.bv_len = strlen(op->o_dn.bv_val);
op->o_ndn = op->o_dn;
// In order to successfully search regardless of ACL controls, we need
// to operate as the rootdn:
op->o_ndn = op->o_bd->be_rootndn;
char fbuf[1024];
struct berval filter = {sizeof(fbuf),fbuf};
......@@ -248,6 +246,169 @@ radiusov_verify_username_password( void *ctx,
return rc;
}
typedef struct _ATTRIBUTE_VALUE
{
char *attribute_name;
char *returned_value;
size_t len; // size of the returned_value. The last char will be '\0'
// even if that involves truncation.
} ATTRIBUTE_VALUE;
static int
radiusov_generalized_callback(Operation *op, SlapReply *rs)
{
Debug(LDAP_DEBUG_TRACE, "=> %s(): rs->sr_type = %d\n", __func__, rs->sr_type);
ATTRIBUTE_VALUE *desired_attribute = op->o_callback->sc_private;
if( rs->sr_type == REP_SEARCH )
{
desired_attribute->returned_value[0] = '\0';
if( strcmp(desired_attribute->attribute_name, "dn") == 0 )
{
// Special case of the distinguished name:
size_t to_be_copied = rs->sr_un.sru_search.r_entry->e_name.bv_len;
if( desired_attribute->len-1 < to_be_copied )
{
to_be_copied = desired_attribute->len-1;
}
memcpy( desired_attribute->returned_value,
rs->sr_un.sru_search.r_entry->e_name.bv_val,
to_be_copied );
desired_attribute->returned_value[to_be_copied] = '\0';
}
else
{
// Otherwise, we look through the mysterious SlapReply attributes
// for ours:
Attribute *a;
int i;
for( a = rs->sr_un.sru_search.r_entry->e_attrs; a != NULL; a = a->a_next )
{
if( desired_attribute->returned_value[0] )
{
// We found our result last time through, so we can leave
break;
}
Debug(LDAP_DEBUG_TRACE, " There is an e_attrs[] value\n");
for( i = 0; a->a_nvals[i].bv_val != NULL; i++ )
{
BerValue *ber_name;
BerValue *ber_attr;
ber_name = &a->a_desc[i].ad_cname;
ber_attr = &a->a_nvals[i];
Debug(LDAP_DEBUG_TRACE, " There is an a_nval[%d] ber_name %s\n", i, ber_name->bv_val);
if( ber_name->bv_len == strlen(desired_attribute->attribute_name)
&& memcmp(ber_name->bv_val, desired_attribute->attribute_name, ber_name->bv_len) == 0 )
{
Debug(LDAP_DEBUG_TRACE, " Found you, my pretty!\n");
size_t to_be_copied = ber_attr->bv_len;
if( desired_attribute->len-1 < to_be_copied )
{
to_be_copied = desired_attribute->len-1;
}
memcpy( desired_attribute->returned_value,
ber_attr->bv_val,
to_be_copied );
desired_attribute->returned_value[to_be_copied] = '\0';
break;
}
}
}
}
}
return SLAP_CB_CONTINUE;
}
int
radiusov_generalized_database_fetch(BackendDB *be,
search_descriptor *sd,
char *pszUsername,
char *attribute_name,
char *returned_value,
size_t len)
{
Debug(LDAP_DEBUG_TRACE,"=> %s(): UID is %s\n",__func__, pszUsername);
int rc = 0; // Zero means okay
Connection conn = {0};
OperationBuffer opbuf;
Operation *op;
SlapReply rs = {REP_RESULT};
void *thrctx = ldap_pvt_thread_pool_context();
connection_fake_init( &conn, &opbuf, thrctx );
op=&opbuf.ob_op;
op->o_bd = be;
BerElement *ber = ber_alloc_t(LBER_USE_DER);
ber_int_t deref = 0;
ber_int_t sizelimit = 0;
ber_int_t timelimit = 0;
ber_int_t attrsonly = 1;
ber_printf( ber,
"{siiiib",
sd->search_base,
sd->search_scope,
deref,
sizelimit,
timelimit,
attrsonly );
char fbuf[1024];
sprintf(fbuf,"(uid=%s)",pszUsername);
ldap_pvt_put_filter( ber, fbuf );
// This routine is designed for handling just one attribute.
// I am including that single attribute, although there doesn't seem to
// be any point.
ber_printf(ber, "{s}", "userPassword");
ber_printf(ber,"}");
ber->ber_len = ber->ber_ptr - ber->ber_buf;
ber->ber_end = ber->ber_ptr;
ber->ber_ptr = ber->ber_buf;
op->o_ber=ber;
op->o_tag = LDAP_REQ_SEARCH;
// In order to successfully search regardless of ACL controls, we need
// to operate as the rootdn:
op->o_ndn = op->o_bd->be_rootndn;
slap_callback cb = {0};
ATTRIBUTE_VALUE attr_value;
attr_value.attribute_name = attribute_name;
attr_value.returned_value = returned_value;
attr_value.len = 32;
cb.sc_private = &attr_value;
cb.sc_response = radiusov_generalized_callback;
op->o_callback = &cb;
rc = do_search(op, &rs);
if( rc == 0 )
{
if( rs.sr_un.sru_search.r_nentries == 0 )
{
// We didn't find anything
rc = 1;
}
}
ber_free(ber, 1);
ber = NULL;
ldap_pvt_thread_pool_context_reset( thrctx );
return rc;
}
static int
radiusov_password_callback(Operation *op, SlapReply *rs)
{
......@@ -327,7 +488,6 @@ radiusov_get_password_from_uid( RADIUS_INFO *radius_info,
BerElement *ber = ber_alloc_t(LBER_USE_DER);
ber_int_t scope = 2;
ber_int_t deref = 0;
ber_int_t sizelimit = 0;
ber_int_t timelimit = 0;
......@@ -336,7 +496,7 @@ radiusov_get_password_from_uid( RADIUS_INFO *radius_info,
ber_printf( ber,
"{siiiib",
sd->search_base,
scope,
sd->search_scope,
deref,
sizelimit,
timelimit,
......@@ -359,10 +519,9 @@ radiusov_get_password_from_uid( RADIUS_INFO *radius_info,
op->o_ber=ber;
op->o_tag = LDAP_REQ_SEARCH;
/* Pick up the dn of the proxy user allowed to do searches: */
op->o_dn.bv_len = strlen(sd->search_proxy);
op->o_dn.bv_val = sd->search_proxy;
op->o_ndn = op->o_dn;
// In order to successfully search regardless of ACL controls, we need
// to operate as the rootdn:
op->o_ndn = op->o_bd->be_rootndn;
slap_callback cb = {0};
......@@ -880,20 +1039,47 @@ radiusov_db_open(BackendDB *be, ConfigReply *cr)
if ( slapMode & SLAP_SERVER_MODE )
{
char achUri[] = "ldap:///configuration=server1,cn=radservercfg,dc=renbud,dc=com?ipa,port?one?";
//char achUri[] = "ldap:///dc=renbud,dc=com?userPassword?one?uid=%s";
//char achUri[] = "ldap:///dc=renbud,dc=com?userPassword?one?uid=%s";
//char achUri[] = "ldap:///configuration=server1,cn=radservercfg,dc=renbud,dc=com?ipa,port?one?";
char achUri[] = "ldap:///dc=renbud,dc=com?userPassword?one?(uid=$1)";
char achUsername[] = "proxy";
LDAPURLDesc *lud;
ldap_url_parse( achUri, &lud);
if( ldap_url_parse( achUri, &lud) )
{
Debug( LDAP_DEBUG_ANY,
"ldap_url_parse FAILED\n");
}
else
{
Debug( LDAP_DEBUG_ANY,
"ldap_url_parse succeeded\n");
}
search_descriptor *sd = &search_descriptors[0];
char achPassword[256];
int rc = radiusov_get_password_from_uid( radius_info,
// Do something with be->be_rootndn
int rc = radiusov_generalized_database_fetch(radius_info->radius_db,
sd,
"abe1",
achPassword);
achUsername,
"userPassword",
achPassword,
MAXIMUM_PASSWORD_CHARACTERS );
if( rc )
{
Debug( LDAP_DEBUG_ANY,
"****************** radiusov_generalized_database_fetch() FAILED!\n");
}
else
{
Debug( LDAP_DEBUG_ANY,
"****************** radiusov_generalized_database_fetch() returned %s\n",
achPassword );
}
radiusov_create_udp_port( be,
cr,
......
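Review bot: `sprintf(fbuf,"(uid=%s)",pszUsername);` in radiusov_generalized_database_fetch writes the caller-supplied username into a fixed 1024-byte stack buffer with no length bound and no RFC 4515 filter escaping, so an over-long name overflows `fbuf` and a name containing `*`, `(` or `)` rewrites the search filter; bound it with `if (snprintf(fbuf, sizeof fbuf, "(uid=%s)", pszUsername) >= (int)sizeof fbuf) return 1;` and escape or reject filter metacharacters before formatting. The same function sets `attr_value.len = 32;` and never uses its `len` parameter, so the caller's MAXIMUM_PASSWORD_CHARACTERS is ignored and every value is silently truncated to 31 bytes; it should be `attr_value.len = len;` with a `len == 0` guard, because `desired_attribute->len-1` in the callback underflows on a zero-length buffer. In radiusov_generalized_callback, `ber_name = &a->a_desc[i].ad_cname;` indexes `a_desc` once per value, but `a_desc` is a pointer to a single AttributeDescription, so any multi-valued attribute reads past it; compare `a->a_desc->ad_cname` once per attribute and loop only over `a_nvals`. Separately, the db_open test path prints the fetched `userPassword` value at LDAP_DEBUG_ANY, which puts credential material in the slapd log, and the `lud` returned by ldap_url_parse is never released with ldap_free_urldesc. Since every lookup now runs as `be_rootndn`, the directory's ACLs no longer limit what this overlay can read, so the attribute list it requests should be restricted to what it actually needs rather than left as the hard-coded "userPassword".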
......@@ -127,7 +127,6 @@ typedef struct _search_descriptor
int search_scope;
char *search_filter_template;
char *search_base;
char *search_proxy;
char *shared_secret;
} search_descriptor;
......