summaryrefslogtreecommitdiffstats
path: root/src/auth/db-ldap.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/auth/db-ldap.c2035
1 files changed, 2035 insertions, 0 deletions
diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
new file mode 100644
index 0000000..8083108
--- /dev/null
+++ b/src/auth/db-ldap.c
@@ -0,0 +1,2035 @@
+/* Copyright (c) 2003-2018 Dovecot authors, see the included COPYING file */
+
+#include "auth-common.h"
+
+#if defined(BUILTIN_LDAP) || defined(PLUGIN_BUILD)
+
+#include "net.h"
+#include "ioloop.h"
+#include "array.h"
+#include "hash.h"
+#include "aqueue.h"
+#include "str.h"
+#include "time-util.h"
+#include "env-util.h"
+#include "var-expand.h"
+#include "settings.h"
+#include "userdb.h"
+#include "db-ldap.h"
+
+#include <stddef.h>
+#include <unistd.h>
+
+#define HAVE_LDAP_SASL
+#ifdef HAVE_SASL_SASL_H
+# include <sasl/sasl.h>
+#elif defined (HAVE_SASL_H)
+# include <sasl.h>
+#else
+# undef HAVE_LDAP_SASL
+#endif
+#ifdef LDAP_OPT_X_TLS
+# define OPENLDAP_TLS_OPTIONS
+#endif
+#if !defined(SASL_VERSION_MAJOR) || SASL_VERSION_MAJOR < 2
+# undef HAVE_LDAP_SASL
+#endif
+
+#ifndef LDAP_SASL_QUIET
+# define LDAP_SASL_QUIET 0 /* Doesn't exist in Solaris LDAP */
+#endif
+
+/* Older versions may require calling ldap_result() twice */
+#if LDAP_VENDOR_VERSION <= 20112
+# define OPENLDAP_ASYNC_WORKAROUND
+#endif
+
+/* Solaris LDAP library doesn't have LDAP_OPT_SUCCESS */
+#ifndef LDAP_OPT_SUCCESS
+# define LDAP_OPT_SUCCESS LDAP_SUCCESS
+#endif
+
+#define DB_LDAP_REQUEST_MAX_ATTEMPT_COUNT 3
+
+static const char *LDAP_ESCAPE_CHARS = "*,\\#+<>;\"()= ";
+
+struct db_ldap_result {
+ int refcount;
+ LDAPMessage *msg;
+};
+
+struct db_ldap_value {
+ const char **values;
+ bool used;
+};
+
+struct db_ldap_result_iterate_context {
+ pool_t pool;
+
+ struct ldap_request *ldap_request;
+ const ARRAY_TYPE(ldap_field) *attr_map;
+ unsigned int attr_idx;
+
+ /* attribute name => value */
+ HASH_TABLE(char *, struct db_ldap_value *) ldap_attrs;
+
+ const char *val_1_arr[2];
+ string_t *var, *debug;
+
+ bool skip_null_values;
+ bool iter_dn_values;
+ LDAPMessage *ldap_msg;
+ LDAP *ld;
+};
+
+struct db_ldap_sasl_bind_context {
+ const char *authcid;
+ const char *passwd;
+ const char *realm;
+ const char *authzid;
+};
+
+#define DEF_STR(name) DEF_STRUCT_STR(name, ldap_settings)
+#define DEF_INT(name) DEF_STRUCT_INT(name, ldap_settings)
+#define DEF_BOOL(name) DEF_STRUCT_BOOL(name, ldap_settings)
+
+static struct setting_def setting_defs[] = {
+ DEF_STR(hosts),
+ DEF_STR(uris),
+ DEF_STR(dn),
+ DEF_STR(dnpass),
+ DEF_BOOL(auth_bind),
+ DEF_STR(auth_bind_userdn),
+ DEF_BOOL(tls),
+ DEF_BOOL(sasl_bind),
+ DEF_STR(sasl_mech),
+ DEF_STR(sasl_realm),
+ DEF_STR(sasl_authz_id),
+ DEF_STR(tls_ca_cert_file),
+ DEF_STR(tls_ca_cert_dir),
+ DEF_STR(tls_cert_file),
+ DEF_STR(tls_key_file),
+ DEF_STR(tls_cipher_suite),
+ DEF_STR(tls_require_cert),
+ DEF_STR(deref),
+ DEF_STR(scope),
+ DEF_STR(base),
+ DEF_INT(ldap_version),
+ DEF_STR(debug_level),
+ DEF_STR(ldaprc_path),
+ DEF_STR(user_attrs),
+ DEF_STR(user_filter),
+ DEF_STR(pass_attrs),
+ DEF_STR(pass_filter),
+ DEF_STR(iterate_attrs),
+ DEF_STR(iterate_filter),
+ DEF_STR(default_pass_scheme),
+ DEF_BOOL(userdb_warning_disable),
+ DEF_BOOL(blocking),
+
+ { 0, NULL, 0 }
+};
+
+static struct ldap_settings default_ldap_settings = {
+ .hosts = NULL,
+ .uris = NULL,
+ .dn = NULL,
+ .dnpass = NULL,
+ .auth_bind = FALSE,
+ .auth_bind_userdn = NULL,
+ .tls = FALSE,
+ .sasl_bind = FALSE,
+ .sasl_mech = NULL,
+ .sasl_realm = NULL,
+ .sasl_authz_id = NULL,
+ .tls_ca_cert_file = NULL,
+ .tls_ca_cert_dir = NULL,
+ .tls_cert_file = NULL,
+ .tls_key_file = NULL,
+ .tls_cipher_suite = NULL,
+ .tls_require_cert = NULL,
+ .deref = "never",
+ .scope = "subtree",
+ .base = NULL,
+ .ldap_version = 3,
+ .debug_level = "0",
+ .ldaprc_path = "",
+ .user_attrs = "homeDirectory=home,uidNumber=uid,gidNumber=gid",
+ .user_filter = "(&(objectClass=posixAccount)(uid=%u))",
+ .pass_attrs = "uid=user,userPassword=password",
+ .pass_filter = "(&(objectClass=posixAccount)(uid=%u))",
+ .iterate_attrs = "uid=user",
+ .iterate_filter = "(objectClass=posixAccount)",
+ .default_pass_scheme = "crypt",
+ .userdb_warning_disable = FALSE,
+ .blocking = FALSE
+};
+
+static struct ldap_connection *ldap_connections = NULL;
+
+static int db_ldap_bind(struct ldap_connection *conn);
+static void db_ldap_conn_close(struct ldap_connection *conn);
+struct db_ldap_result_iterate_context *
+db_ldap_result_iterate_init_full(struct ldap_connection *conn,
+ struct ldap_request_search *ldap_request,
+ LDAPMessage *res, bool skip_null_values,
+ bool iter_dn_values);
+static bool db_ldap_abort_requests(struct ldap_connection *conn,
+ unsigned int max_count,
+ unsigned int timeout_secs,
+ bool error, const char *reason);
+static void db_ldap_request_free(struct ldap_request *request);
+
+static int deref2str(const char *str, int *ref_r)
+{
+ if (strcasecmp(str, "never") == 0)
+ *ref_r = LDAP_DEREF_NEVER;
+ else if (strcasecmp(str, "searching") == 0)
+ *ref_r = LDAP_DEREF_SEARCHING;
+ else if (strcasecmp(str, "finding") == 0)
+ *ref_r = LDAP_DEREF_FINDING;
+ else if (strcasecmp(str, "always") == 0)
+ *ref_r = LDAP_DEREF_ALWAYS;
+ else
+ return -1;
+ return 0;
+}
+
+static int scope2str(const char *str, int *scope_r)
+{
+ if (strcasecmp(str, "base") == 0)
+ *scope_r = LDAP_SCOPE_BASE;
+ else if (strcasecmp(str, "onelevel") == 0)
+ *scope_r = LDAP_SCOPE_ONELEVEL;
+ else if (strcasecmp(str, "subtree") == 0)
+ *scope_r = LDAP_SCOPE_SUBTREE;
+ else
+ return -1;
+ return 0;
+}
+
+#ifdef OPENLDAP_TLS_OPTIONS
+static int tls_require_cert2str(const char *str, int *value_r)
+{
+ if (strcasecmp(str, "never") == 0)
+ *value_r = LDAP_OPT_X_TLS_NEVER;
+ else if (strcasecmp(str, "hard") == 0)
+ *value_r = LDAP_OPT_X_TLS_HARD;
+ else if (strcasecmp(str, "demand") == 0)
+ *value_r = LDAP_OPT_X_TLS_DEMAND;
+ else if (strcasecmp(str, "allow") == 0)
+ *value_r = LDAP_OPT_X_TLS_ALLOW;
+ else if (strcasecmp(str, "try") == 0)
+ *value_r = LDAP_OPT_X_TLS_TRY;
+ else
+ return -1;
+ return 0;
+}
+#endif
+
+static int ldap_get_errno(struct ldap_connection *conn)
+{
+ int ret, err;
+
+ ret = ldap_get_option(conn->ld, LDAP_OPT_ERROR_NUMBER, (void *) &err);
+ if (ret != LDAP_SUCCESS) {
+ e_error(conn->event, "Can't get error number: %s",
+ ldap_err2string(ret));
+ return LDAP_UNAVAILABLE;
+ }
+
+ return err;
+}
+
+const char *ldap_get_error(struct ldap_connection *conn)
+{
+ const char *ret;
+ char *str = NULL;
+
+ ret = ldap_err2string(ldap_get_errno(conn));
+
+ ldap_get_option(conn->ld, LDAP_OPT_ERROR_STRING, (void *)&str);
+ if (str != NULL) {
+ ret = t_strconcat(ret, ", ", str, NULL);
+ ldap_memfree(str);
+ }
+ ldap_set_option(conn->ld, LDAP_OPT_ERROR_STRING, NULL);
+ return ret;
+}
+
+static void ldap_conn_reconnect(struct ldap_connection *conn)
+{
+ db_ldap_conn_close(conn);
+ if (db_ldap_connect(conn) < 0)
+ db_ldap_conn_close(conn);
+}
+
+static int ldap_handle_error(struct ldap_connection *conn)
+{
+ int err = ldap_get_errno(conn);
+
+ switch (err) {
+ case LDAP_SUCCESS:
+ i_unreached();
+ case LDAP_SIZELIMIT_EXCEEDED:
+ case LDAP_TIMELIMIT_EXCEEDED:
+ case LDAP_NO_SUCH_ATTRIBUTE:
+ case LDAP_UNDEFINED_TYPE:
+ case LDAP_INAPPROPRIATE_MATCHING:
+ case LDAP_CONSTRAINT_VIOLATION:
+ case LDAP_TYPE_OR_VALUE_EXISTS:
+ case LDAP_INVALID_SYNTAX:
+ case LDAP_NO_SUCH_OBJECT:
+ case LDAP_ALIAS_PROBLEM:
+ case LDAP_INVALID_DN_SYNTAX:
+ case LDAP_IS_LEAF:
+ case LDAP_ALIAS_DEREF_PROBLEM:
+ case LDAP_FILTER_ERROR:
+ /* invalid input */
+ return -1;
+ case LDAP_SERVER_DOWN:
+ case LDAP_TIMEOUT:
+ case LDAP_UNAVAILABLE:
+ case LDAP_BUSY:
+#ifdef LDAP_CONNECT_ERROR
+ case LDAP_CONNECT_ERROR:
+#endif
+ case LDAP_LOCAL_ERROR:
+ case LDAP_INVALID_CREDENTIALS:
+ case LDAP_OPERATIONS_ERROR:
+ default:
+ /* connection problems */
+ ldap_conn_reconnect(conn);
+ return 0;
+ }
+}
+
+static int db_ldap_request_bind(struct ldap_connection *conn,
+ struct ldap_request *request)
+{
+ struct ldap_request_bind *brequest =
+ (struct ldap_request_bind *)request;
+
+ i_assert(request->type == LDAP_REQUEST_TYPE_BIND);
+ i_assert(request->msgid == -1);
+ i_assert(conn->conn_state == LDAP_CONN_STATE_BOUND_AUTH ||
+ conn->conn_state == LDAP_CONN_STATE_BOUND_DEFAULT);
+ i_assert(conn->pending_count == 0);
+
+ request->msgid = ldap_bind(conn->ld, brequest->dn,
+ request->auth_request->mech_password,
+ LDAP_AUTH_SIMPLE);
+ if (request->msgid == -1) {
+ e_error(authdb_event(request->auth_request),
+ "ldap_bind(%s) failed: %s",
+ brequest->dn, ldap_get_error(conn));
+ if (ldap_handle_error(conn) < 0) {
+ /* broken request, remove it */
+ return 0;
+ }
+ return -1;
+ }
+ conn->conn_state = LDAP_CONN_STATE_BINDING;
+ return 1;
+}
+
+static int db_ldap_request_search(struct ldap_connection *conn,
+ struct ldap_request *request)
+{
+ struct ldap_request_search *srequest =
+ (struct ldap_request_search *)request;
+
+ i_assert(conn->conn_state == LDAP_CONN_STATE_BOUND_DEFAULT);
+ i_assert(request->msgid == -1);
+
+ request->msgid =
+ ldap_search(conn->ld, *srequest->base == '\0' ? NULL :
+ srequest->base, conn->set.ldap_scope,
+ srequest->filter, srequest->attributes, 0);
+ if (request->msgid == -1) {
+ e_error(authdb_event(request->auth_request),
+ "ldap_search(%s) parsing failed: %s",
+ srequest->filter, ldap_get_error(conn));
+ if (ldap_handle_error(conn) < 0) {
+ /* broken request, remove it */
+ return 0;
+ }
+ return -1;
+ }
+ return 1;
+}
+
+static bool db_ldap_request_queue_next(struct ldap_connection *conn)
+{
+ struct ldap_request *request;
+ int ret = -1;
+
+ /* connecting may call db_ldap_connect_finish(), which gets us back
+ here. so do the connection before checking the request queue. */
+ if (db_ldap_connect(conn) < 0)
+ return FALSE;
+
+ if (conn->pending_count == aqueue_count(conn->request_queue)) {
+ /* no non-pending requests */
+ return FALSE;
+ }
+ if (conn->pending_count > DB_LDAP_MAX_PENDING_REQUESTS) {
+ /* wait until server has replied to some requests */
+ return FALSE;
+ }
+
+ request = array_idx_elem(&conn->request_array,
+ aqueue_idx(conn->request_queue,
+ conn->pending_count));
+
+ if (conn->pending_count > 0 &&
+ request->type == LDAP_REQUEST_TYPE_BIND) {
+ /* we can't do binds until all existing requests are finished */
+ return FALSE;
+ }
+
+ switch (conn->conn_state) {
+ case LDAP_CONN_STATE_DISCONNECTED:
+ case LDAP_CONN_STATE_BINDING:
+ /* wait until we're in bound state */
+ return FALSE;
+ case LDAP_CONN_STATE_BOUND_AUTH:
+ if (request->type == LDAP_REQUEST_TYPE_BIND)
+ break;
+
+ /* bind to default dn first */
+ i_assert(conn->pending_count == 0);
+ (void)db_ldap_bind(conn);
+ return FALSE;
+ case LDAP_CONN_STATE_BOUND_DEFAULT:
+ /* we can do anything in this state */
+ break;
+ }
+
+ if (request->send_count >= DB_LDAP_REQUEST_MAX_ATTEMPT_COUNT) {
+ /* Enough many times retried. Server just keeps disconnecting
+ whenever attempting to send the request. */
+ ret = 0;
+ } else {
+ /* clear away any partial results saved before reconnecting */
+ db_ldap_request_free(request);
+
+ switch (request->type) {
+ case LDAP_REQUEST_TYPE_BIND:
+ ret = db_ldap_request_bind(conn, request);
+ break;
+ case LDAP_REQUEST_TYPE_SEARCH:
+ ret = db_ldap_request_search(conn, request);
+ break;
+ }
+ }
+
+ if (ret > 0) {
+ /* success */
+ i_assert(request->msgid != -1);
+ request->send_count++;
+ conn->pending_count++;
+ return TRUE;
+ } else if (ret < 0) {
+ /* disconnected */
+ return FALSE;
+ } else {
+ /* broken request, remove from queue */
+ aqueue_delete_tail(conn->request_queue);
+ request->callback(conn, request, NULL);
+ return TRUE;
+ }
+}
+
+static void
+db_ldap_check_hanging(struct ldap_connection *conn)
+{
+ struct ldap_request *first_request;
+ unsigned int count;
+ time_t secs_diff;
+
+ count = aqueue_count(conn->request_queue);
+ if (count == 0)
+ return;
+
+ first_request = array_idx_elem(&conn->request_array,
+ aqueue_idx(conn->request_queue, 0));
+ secs_diff = ioloop_time - first_request->create_time;
+ if (secs_diff > DB_LDAP_REQUEST_LOST_TIMEOUT_SECS) {
+ db_ldap_abort_requests(conn, UINT_MAX, 0, TRUE,
+ "LDAP connection appears to be hanging");
+ ldap_conn_reconnect(conn);
+ }
+}
+
+void db_ldap_request(struct ldap_connection *conn,
+ struct ldap_request *request)
+{
+ i_assert(request->auth_request != NULL);
+
+ request->msgid = -1;
+ request->create_time = ioloop_time;
+
+ db_ldap_check_hanging(conn);
+
+ aqueue_append(conn->request_queue, &request);
+ (void)db_ldap_request_queue_next(conn);
+}
+
+static int db_ldap_connect_finish(struct ldap_connection *conn, int ret)
+{
+ if (ret == LDAP_SERVER_DOWN) {
+ e_error(conn->event, "Can't connect to server: %s",
+ conn->set.uris != NULL ?
+ conn->set.uris : conn->set.hosts);
+ return -1;
+ }
+ if (ret != LDAP_SUCCESS) {
+ e_error(conn->event, "binding failed (dn %s): %s",
+ conn->set.dn == NULL ? "(none)" : conn->set.dn,
+ ldap_get_error(conn));
+ return -1;
+ }
+
+ timeout_remove(&conn->to);
+ conn->conn_state = LDAP_CONN_STATE_BOUND_DEFAULT;
+ while (db_ldap_request_queue_next(conn))
+ ;
+ return 0;
+}
+
+static void db_ldap_default_bind_finished(struct ldap_connection *conn,
+ struct db_ldap_result *res)
+{
+ int ret;
+
+ i_assert(conn->pending_count == 0);
+ conn->default_bind_msgid = -1;
+
+ ret = ldap_result2error(conn->ld, res->msg, FALSE);
+ if (db_ldap_connect_finish(conn, ret) < 0) {
+ /* lost connection, close it */
+ db_ldap_conn_close(conn);
+ }
+}
+
+static bool db_ldap_abort_requests(struct ldap_connection *conn,
+ unsigned int max_count,
+ unsigned int timeout_secs,
+ bool error, const char *reason)
+{
+ struct ldap_request *request;
+ time_t diff;
+ bool aborts = FALSE;
+
+ while (aqueue_count(conn->request_queue) > 0 && max_count > 0) {
+ request = array_idx_elem(&conn->request_array,
+ aqueue_idx(conn->request_queue, 0));
+
+ diff = ioloop_time - request->create_time;
+ if (diff < (time_t)timeout_secs)
+ break;
+
+ /* timed out, abort */
+ aqueue_delete_tail(conn->request_queue);
+
+ if (request->msgid != -1) {
+ i_assert(conn->pending_count > 0);
+ conn->pending_count--;
+ }
+ if (error) {
+ e_error(authdb_event(request->auth_request),
+ "%s", reason);
+ } else {
+ e_info(authdb_event(request->auth_request),
+ "%s", reason);
+ }
+ request->callback(conn, request, NULL);
+ max_count--;
+ aborts = TRUE;
+ }
+ return aborts;
+}
+
+static struct ldap_request *
+db_ldap_find_request(struct ldap_connection *conn, int msgid,
+ unsigned int *idx_r)
+{
+ struct ldap_request *const *requests, *request = NULL;
+ unsigned int i, count;
+
+ count = aqueue_count(conn->request_queue);
+ if (count == 0)
+ return NULL;
+
+ requests = array_front(&conn->request_array);
+ for (i = 0; i < count; i++) {
+ request = requests[aqueue_idx(conn->request_queue, i)];
+ if (request->msgid == msgid) {
+ *idx_r = i;
+ return request;
+ }
+ if (request->msgid == -1)
+ break;
+ }
+ return NULL;
+}
+
+static int db_ldap_fields_get_dn(struct ldap_connection *conn,
+ struct ldap_request_search *request,
+ struct db_ldap_result *res)
+{
+ struct auth_request *auth_request = request->request.auth_request;
+ struct ldap_request_named_result *named_res;
+ struct db_ldap_result_iterate_context *ldap_iter;
+ const char *name, *const *values;
+
+ ldap_iter = db_ldap_result_iterate_init_full(conn, request, res->msg,
+ TRUE, TRUE);
+ while (db_ldap_result_iterate_next(ldap_iter, &name, &values)) {
+ if (values[1] != NULL) {
+ e_warning(authdb_event(auth_request),
+ "Multiple values found for '%s', "
+ "using value '%s'", name, values[0]);
+ }
+ array_foreach_modifiable(&request->named_results, named_res) {
+ if (strcmp(named_res->field->name, name) != 0)
+ continue;
+ /* In future we could also support LDAP URLs here */
+ named_res->dn = p_strdup(auth_request->pool,
+ values[0]);
+ }
+ }
+ db_ldap_result_iterate_deinit(&ldap_iter);
+ return 0;
+}
+
+struct ldap_field_find_subquery_context {
+ ARRAY_TYPE(string) attr_names;
+ const char *name;
+};
+
+static int
+db_ldap_field_subquery_find(const char *data, void *context,
+ const char **value_r,
+ const char **error_r ATTR_UNUSED)
+{
+ struct ldap_field_find_subquery_context *ctx = context;
+ char *ldap_attr;
+ const char *p;
+
+ if (*data != '\0') {
+ data = t_strcut(data, ':');
+ p = strchr(data, '@');
+ if (p != NULL && strcmp(p+1, ctx->name) == 0) {
+ ldap_attr = p_strdup_until(unsafe_data_stack_pool,
+ data, p);
+ array_push_back(&ctx->attr_names, &ldap_attr);
+ }
+ }
+ *value_r = NULL;
+ return 1;
+}
+
+static int
+ldap_request_send_subquery(struct ldap_connection *conn,
+ struct ldap_request_search *request,
+ struct ldap_request_named_result *named_res)
+{
+ const struct ldap_field *field;
+ const char *p, *error;
+ char *name;
+ struct auth_request *auth_request = request->request.auth_request;
+ struct ldap_field_find_subquery_context ctx;
+ const struct var_expand_table *table =
+ auth_request_get_var_expand_table(auth_request, NULL);
+ const struct var_expand_func_table *ptr;
+ struct var_expand_func_table *ftable;
+ string_t *tmp_str = t_str_new(64);
+ ARRAY(struct var_expand_func_table) var_funcs_table;
+ t_array_init(&var_funcs_table, 8);
+
+ for(ptr = auth_request_var_funcs_table; ptr->key != NULL; ptr++) {
+ array_push_back(&var_funcs_table, ptr);
+ }
+ ftable = array_append_space(&var_funcs_table);
+ ftable->key = "ldap";
+ ftable->func = db_ldap_field_subquery_find;
+ ftable = array_append_space(&var_funcs_table);
+ ftable->key = "ldap_ptr";
+ ftable->func = db_ldap_field_subquery_find;
+ array_append_zero(&var_funcs_table);
+
+ i_zero(&ctx);
+ t_array_init(&ctx.attr_names, 8);
+ ctx.name = named_res->field->name;
+
+ /* get the attributes names into array (ldapAttr@name -> ldapAttr) */
+ array_foreach(request->attr_map, field) {
+ if (field->ldap_attr_name[0] == '\0') {
+ str_truncate(tmp_str, 0);
+ if (var_expand_with_funcs(tmp_str, field->value, table,
+ array_front(&var_funcs_table), &ctx, &error) <= 0) {
+ e_error(authdb_event(auth_request),
+ "Failed to expand subquery %s: %s",
+ field->value, error);
+ return -1;
+ }
+ } else {
+ p = strchr(field->ldap_attr_name, '@');
+ if (p != NULL &&
+ strcmp(p+1, named_res->field->name) == 0) {
+ name = p_strdup_until(unsafe_data_stack_pool,
+ field->ldap_attr_name, p);
+ array_push_back(&ctx.attr_names, &name);
+ }
+ }
+ }
+ array_append_zero(&ctx.attr_names);
+
+ request->request.msgid =
+ ldap_search(conn->ld, named_res->dn, LDAP_SCOPE_BASE,
+ NULL, array_front_modifiable(&ctx.attr_names), 0);
+ if (request->request.msgid == -1) {
+ e_error(authdb_event(auth_request),
+ "ldap_search(dn=%s) failed: %s",
+ named_res->dn, ldap_get_error(conn));
+ return -1;
+ }
+ return 0;
+}
+
+static int db_ldap_search_save_result(struct ldap_request_search *request,
+ struct db_ldap_result *res)
+{
+ struct ldap_request_named_result *named_res;
+
+ if (!array_is_created(&request->named_results)) {
+ if (request->result != NULL)
+ return -1;
+ request->result = res;
+ } else {
+ named_res = array_idx_modifiable(&request->named_results,
+ request->name_idx);
+ if (named_res->result != NULL)
+ return -1;
+ named_res->result = res;
+ }
+ res->refcount++;
+ return 0;
+}
+
+static int db_ldap_search_next_subsearch(struct ldap_connection *conn,
+ struct ldap_request_search *request,
+ struct db_ldap_result *res)
+{
+ struct ldap_request_named_result *named_res;
+ const struct ldap_field *field;
+
+ if (request->result != NULL)
+ res = request->result;
+
+ if (!array_is_created(&request->named_results)) {
+ /* see if we need to do more LDAP queries */
+ p_array_init(&request->named_results,
+ request->request.auth_request->pool, 2);
+ array_foreach(request->attr_map, field) {
+ if (!field->value_is_dn)
+ continue;
+ named_res = array_append_space(&request->named_results);
+ named_res->field = field;
+ }
+ if (db_ldap_fields_get_dn(conn, request, res) < 0)
+ return -1;
+ } else {
+ request->name_idx++;
+ }
+ while (request->name_idx < array_count(&request->named_results)) {
+ /* send the next LDAP query */
+ named_res = array_idx_modifiable(&request->named_results,
+ request->name_idx);
+ if (named_res->dn != NULL) {
+ if (ldap_request_send_subquery(conn, request,
+ named_res) < 0)
+ return -1;
+ return 1;
+ }
+ /* dn field wasn't returned, skip this */
+ request->name_idx++;
+ }
+ return 0;
+}
+
+static bool
+db_ldap_handle_request_result(struct ldap_connection *conn,
+ struct ldap_request *request, unsigned int idx,
+ struct db_ldap_result *res)
+{
+ struct ldap_request_search *srequest = NULL;
+ const struct ldap_request_named_result *named_res;
+ int ret;
+ bool final_result;
+
+ i_assert(conn->pending_count > 0);
+
+ if (request->type == LDAP_REQUEST_TYPE_BIND) {
+ i_assert(conn->conn_state == LDAP_CONN_STATE_BINDING);
+ i_assert(conn->pending_count == 1);
+ conn->conn_state = LDAP_CONN_STATE_BOUND_AUTH;
+ } else {
+ srequest = (struct ldap_request_search *)request;
+ switch (ldap_msgtype(res->msg)) {
+ case LDAP_RES_SEARCH_ENTRY:
+ case LDAP_RES_SEARCH_RESULT:
+ break;
+ case LDAP_RES_SEARCH_REFERENCE:
+ /* we're going to ignore this */
+ return FALSE;
+ default:
+ e_error(conn->event, "Reply with unexpected type %d",
+ ldap_msgtype(res->msg));
+ return TRUE;
+ }
+ }
+ if (ldap_msgtype(res->msg) == LDAP_RES_SEARCH_ENTRY) {
+ ret = LDAP_SUCCESS;
+ final_result = FALSE;
+ } else {
+ final_result = TRUE;
+ ret = ldap_result2error(conn->ld, res->msg, 0);
+ }
+ /* LDAP_NO_SUCH_OBJECT is returned for nonexistent base */
+ if (ret != LDAP_SUCCESS && ret != LDAP_NO_SUCH_OBJECT &&
+ request->type == LDAP_REQUEST_TYPE_SEARCH) {
+ /* handle search failures here */
+ struct ldap_request_search *srequest =
+ (struct ldap_request_search *)request;
+
+ if (!array_is_created(&srequest->named_results)) {
+ e_error(authdb_event(request->auth_request),
+ "ldap_search(base=%s filter=%s) failed: %s",
+ srequest->base, srequest->filter,
+ ldap_err2string(ret));
+ } else {
+ named_res = array_idx(&srequest->named_results,
+ srequest->name_idx);
+ e_error(authdb_event(request->auth_request),
+ "ldap_search(base=%s) failed: %s",
+ named_res->dn, ldap_err2string(ret));
+ }
+ res = NULL;
+ }
+ if (ret == LDAP_SUCCESS && srequest != NULL && !srequest->multi_entry) {
+ /* expand any @results */
+ if (!final_result) {
+ if (db_ldap_search_save_result(srequest, res) < 0) {
+ e_error(authdb_event(request->auth_request),
+ "LDAP search returned multiple entries");
+ res = NULL;
+ } else {
+ /* wait for finish */
+ return FALSE;
+ }
+ } else {
+ ret = db_ldap_search_next_subsearch(conn, srequest, res);
+ if (ret > 0) {
+ /* more LDAP queries left */
+ return FALSE;
+ }
+ if (ret < 0)
+ res = NULL;
+ }
+ }
+ if (res == NULL && !final_result) {
+ /* wait for the final reply */
+ request->failed = TRUE;
+ return TRUE;
+ }
+ if (request->failed)
+ res = NULL;
+ if (final_result) {
+ conn->pending_count--;
+ aqueue_delete(conn->request_queue, idx);
+ }
+
+ T_BEGIN {
+ if (res != NULL && srequest != NULL && srequest->result != NULL)
+ request->callback(conn, request, srequest->result->msg);
+
+ request->callback(conn, request, res == NULL ? NULL : res->msg);
+ } T_END;
+
+ if (idx > 0) {
+ /* see if there are timed out requests */
+ if (db_ldap_abort_requests(conn, idx,
+ DB_LDAP_REQUEST_LOST_TIMEOUT_SECS,
+ TRUE, "Request lost"))
+ ldap_conn_reconnect(conn);
+ }
+ return TRUE;
+}
+
+static void db_ldap_result_unref(struct db_ldap_result **_res)
+{
+ struct db_ldap_result *res = *_res;
+
+ *_res = NULL;
+ i_assert(res->refcount > 0);
+ if (--res->refcount == 0) {
+ ldap_msgfree(res->msg);
+ i_free(res);
+ }
+}
+
+static void
+db_ldap_request_free(struct ldap_request *request)
+{
+ if (request->type == LDAP_REQUEST_TYPE_SEARCH) {
+ struct ldap_request_search *srequest =
+ (struct ldap_request_search *)request;
+ struct ldap_request_named_result *named_res;
+
+ if (srequest->result != NULL)
+ db_ldap_result_unref(&srequest->result);
+
+ if (array_is_created(&srequest->named_results)) {
+ array_foreach_modifiable(&srequest->named_results, named_res) {
+ if (named_res->result != NULL)
+ db_ldap_result_unref(&named_res->result);
+ }
+ array_free(&srequest->named_results);
+ srequest->name_idx = 0;
+ }
+ }
+}
+
+static void
+db_ldap_handle_result(struct ldap_connection *conn, struct db_ldap_result *res)
+{
+ struct auth_request *auth_request;
+ struct ldap_request *request;
+ unsigned int idx;
+ int msgid;
+
+ msgid = ldap_msgid(res->msg);
+ if (msgid == conn->default_bind_msgid) {
+ db_ldap_default_bind_finished(conn, res);
+ return;
+ }
+
+ request = db_ldap_find_request(conn, msgid, &idx);
+ if (request == NULL) {
+ e_error(conn->event, "Reply with unknown msgid %d", msgid);
+ ldap_conn_reconnect(conn);
+ return;
+ }
+ /* request is allocated from auth_request's pool */
+ auth_request = request->auth_request;
+ auth_request_ref(auth_request);
+ if (db_ldap_handle_request_result(conn, request, idx, res))
+ db_ldap_request_free(request);
+ auth_request_unref(&auth_request);
+}
+
+static void ldap_input(struct ldap_connection *conn)
+{
+ struct timeval timeout;
+ struct db_ldap_result *res;
+ LDAPMessage *msg;
+ time_t prev_reply_diff;
+ int ret;
+
+ do {
+ if (conn->ld == NULL)
+ return;
+
+ i_zero(&timeout);
+ ret = ldap_result(conn->ld, LDAP_RES_ANY, 0, &timeout, &msg);
+#ifdef OPENLDAP_ASYNC_WORKAROUND
+ if (ret == 0) {
+ /* try again, there may be another in buffer */
+ ret = ldap_result(conn->ld, LDAP_RES_ANY, 0,
+ &timeout, &msg);
+ }
+#endif
+ if (ret <= 0)
+ break;
+
+ res = i_new(struct db_ldap_result, 1);
+ res->refcount = 1;
+ res->msg = msg;
+ db_ldap_handle_result(conn, res);
+ db_ldap_result_unref(&res);
+ } while (conn->io != NULL);
+
+ prev_reply_diff = ioloop_time - conn->last_reply_stamp;
+ conn->last_reply_stamp = ioloop_time;
+
+ if (ret > 0) {
+ /* input disabled, continue once it's enabled */
+ i_assert(conn->io == NULL);
+ } else if (ret == 0) {
+ /* send more requests */
+ while (db_ldap_request_queue_next(conn))
+ ;
+ } else if (ldap_get_errno(conn) != LDAP_SERVER_DOWN) {
+ e_error(conn->event, "ldap_result() failed: %s", ldap_get_error(conn));
+ ldap_conn_reconnect(conn);
+ } else if (aqueue_count(conn->request_queue) > 0 ||
+ prev_reply_diff < DB_LDAP_IDLE_RECONNECT_SECS) {
+ e_error(conn->event, "Connection lost to LDAP server, reconnecting");
+ ldap_conn_reconnect(conn);
+ } else {
+ /* server probably disconnected an idle connection. don't
+ reconnect until the next request comes. */
+ db_ldap_conn_close(conn);
+ }
+}
+
+#ifdef HAVE_LDAP_SASL
+static int
+sasl_interact(LDAP *ld ATTR_UNUSED, unsigned flags ATTR_UNUSED,
+ void *defaults, void *interact)
+{
+ struct db_ldap_sasl_bind_context *context = defaults;
+ sasl_interact_t *in;
+ const char *str;
+
+ for (in = interact; in->id != SASL_CB_LIST_END; in++) {
+ switch (in->id) {
+ case SASL_CB_GETREALM:
+ str = context->realm;
+ break;
+ case SASL_CB_AUTHNAME:
+ str = context->authcid;
+ break;
+ case SASL_CB_USER:
+ str = context->authzid;
+ break;
+ case SASL_CB_PASS:
+ str = context->passwd;
+ break;
+ default:
+ str = NULL;
+ break;
+ }
+ if (str != NULL) {
+ in->len = strlen(str);
+ in->result = str;
+ }
+
+ }
+ return LDAP_SUCCESS;
+}
+#endif
+
+static void ldap_connection_timeout(struct ldap_connection *conn)
+{
+ i_assert(conn->conn_state == LDAP_CONN_STATE_BINDING);
+
+ e_error(conn->event, "Initial binding to LDAP server timed out");
+ db_ldap_conn_close(conn);
+}
+
+#ifdef HAVE_LDAP_SASL
+static int db_ldap_bind_sasl(struct ldap_connection *conn)
+{
+ struct db_ldap_sasl_bind_context context;
+ int ret;
+
+ i_zero(&context);
+ context.authcid = conn->set.dn;
+ context.passwd = conn->set.dnpass;
+ context.realm = conn->set.sasl_realm;
+ context.authzid = conn->set.sasl_authz_id;
+
+ /* There doesn't seem to be a way to do SASL binding
+ asynchronously.. */
+ ret = ldap_sasl_interactive_bind_s(conn->ld, NULL,
+ conn->set.sasl_mech,
+ NULL, NULL, LDAP_SASL_QUIET,
+ sasl_interact, &context);
+ if (db_ldap_connect_finish(conn, ret) < 0)
+ return -1;
+
+ conn->conn_state = LDAP_CONN_STATE_BOUND_DEFAULT;
+
+ return 0;
+}
+#else
+static int db_ldap_bind_sasl(struct ldap_connection *conn ATTR_UNUSED)
+{
+ i_unreached(); /* already checked at init */
+
+ return -1;
+}
+#endif
+
+static int db_ldap_bind_simple(struct ldap_connection *conn)
+{
+ int msgid;
+
+ i_assert(conn->conn_state != LDAP_CONN_STATE_BINDING);
+ i_assert(conn->default_bind_msgid == -1);
+ i_assert(conn->pending_count == 0);
+
+ msgid = ldap_bind(conn->ld, conn->set.dn, conn->set.dnpass,
+ LDAP_AUTH_SIMPLE);
+ if (msgid == -1) {
+ i_assert(ldap_get_errno(conn) != LDAP_SUCCESS);
+ if (db_ldap_connect_finish(conn, ldap_get_errno(conn)) < 0) {
+ /* lost connection, close it */
+ db_ldap_conn_close(conn);
+ }
+ return -1;
+ }
+
+ conn->conn_state = LDAP_CONN_STATE_BINDING;
+ conn->default_bind_msgid = msgid;
+
+ timeout_remove(&conn->to);
+ conn->to = timeout_add(DB_LDAP_REQUEST_LOST_TIMEOUT_SECS*1000,
+ ldap_connection_timeout, conn);
+ return 0;
+}
+
+static int db_ldap_bind(struct ldap_connection *conn)
+{
+ if (conn->set.sasl_bind) {
+ if (db_ldap_bind_sasl(conn) < 0)
+ return -1;
+ } else {
+ if (db_ldap_bind_simple(conn) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+static void db_ldap_get_fd(struct ldap_connection *conn)
+{
+ int ret;
+
+ /* get the connection's fd */
+ ret = ldap_get_option(conn->ld, LDAP_OPT_DESC, (void *)&conn->fd);
+ if (ret != LDAP_SUCCESS) {
+ i_fatal("LDAP %s: Can't get connection fd: %s",
+ conn->config_path, ldap_err2string(ret));
+ }
+ if (conn->fd <= STDERR_FILENO) {
+ /* Solaris LDAP library seems to be broken */
+ i_fatal("LDAP %s: Buggy LDAP library returned wrong fd: %d",
+ conn->config_path, conn->fd);
+ }
+ i_assert(conn->fd != -1);
+ net_set_nonblock(conn->fd, TRUE);
+}
+
+static void ATTR_NULL(1)
+db_ldap_set_opt(struct ldap_connection *conn, LDAP *ld, int opt,
+ const void *value, const char *optname, const char *value_str)
+{
+ int ret;
+
+ ret = ldap_set_option(ld, opt, value);
+ if (ret != LDAP_SUCCESS) {
+ i_fatal("LDAP %s: Can't set option %s to %s: %s",
+ conn->config_path, optname, value_str, ldap_err2string(ret));
+ }
+}
+
+static void ATTR_NULL(1)
+db_ldap_set_opt_str(struct ldap_connection *conn, LDAP *ld, int opt,
+ const char *value, const char *optname)
+{
+ if (value != NULL)
+ db_ldap_set_opt(conn, ld, opt, value, optname, value);
+}
+
+static void db_ldap_set_tls_options(struct ldap_connection *conn)
+{
+#ifdef OPENLDAP_TLS_OPTIONS
+ db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_CACERTFILE,
+ conn->set.tls_ca_cert_file, "tls_ca_cert_file");
+ db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_CACERTDIR,
+ conn->set.tls_ca_cert_dir, "tls_ca_cert_dir");
+ db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_CERTFILE,
+ conn->set.tls_cert_file, "tls_cert_file");
+ db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_KEYFILE,
+ conn->set.tls_key_file, "tls_key_file");
+ db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
+ conn->set.tls_cipher_suite, "tls_cipher_suite");
+ if (conn->set.tls_require_cert != NULL) {
+ db_ldap_set_opt(conn, NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &conn->set.ldap_tls_require_cert_parsed,
+ "tls_require_cert", conn->set.tls_require_cert);
+ }
+#else
+ if (conn->set.tls_ca_cert_file != NULL ||
+ conn->set.tls_ca_cert_dir != NULL ||
+ conn->set.tls_cert_file != NULL ||
+ conn->set.tls_key_file != NULL ||
+ conn->set.tls_cipher_suite != NULL) {
+ i_fatal("LDAP %s: tls_* settings aren't supported by your LDAP library - they must not be set",
+ conn->config_path);
+ }
+#endif
+}
+
+static void db_ldap_set_options(struct ldap_connection *conn)
+{
+ unsigned int ldap_version;
+ int value;
+
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+ struct timeval tv;
+ int ret;
+
+ tv.tv_sec = DB_LDAP_CONNECT_TIMEOUT_SECS; tv.tv_usec = 0;
+ ret = ldap_set_option(conn->ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+ if (ret != LDAP_SUCCESS) {
+ i_fatal("LDAP %s: Can't set network-timeout: %s",
+ conn->config_path, ldap_err2string(ret));
+ }
+#endif
+
+ db_ldap_set_opt(conn, conn->ld, LDAP_OPT_DEREF, &conn->set.ldap_deref,
+ "deref", conn->set.deref);
+#ifdef LDAP_OPT_DEBUG_LEVEL
+ if (str_to_int(conn->set.debug_level, &value) >= 0 && value != 0) {
+ db_ldap_set_opt(conn, NULL, LDAP_OPT_DEBUG_LEVEL, &value,
+ "debug_level", conn->set.debug_level);
+ event_set_forced_debug(conn->event, TRUE);
+ }
+#endif
+
+ ldap_version = conn->set.ldap_version;
+ db_ldap_set_opt(conn, conn->ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version,
+ "protocol_version", dec2str(ldap_version));
+ db_ldap_set_tls_options(conn);
+}
+
+static void db_ldap_init_ld(struct ldap_connection *conn)
+{
+ int ret;
+
+ if (conn->set.uris != NULL) {
+#ifdef LDAP_HAVE_INITIALIZE
+ ret = ldap_initialize(&conn->ld, conn->set.uris);
+ if (ret != LDAP_SUCCESS) {
+ i_fatal("LDAP %s: ldap_initialize() failed with uris %s: %s",
+ conn->config_path, conn->set.uris,
+ ldap_err2string(ret));
+ }
+#else
+ i_unreached(); /* already checked at init */
+#endif
+ } else {
+ conn->ld = ldap_init(conn->set.hosts, LDAP_PORT);
+ if (conn->ld == NULL) {
+ i_fatal("LDAP %s: ldap_init() failed with hosts: %s",
+ conn->config_path, conn->set.hosts);
+ }
+ }
+ db_ldap_set_options(conn);
+}
+
+int db_ldap_connect(struct ldap_connection *conn)
+{
+ struct timeval start, end;
+ int ret;
+
+ if (conn->conn_state != LDAP_CONN_STATE_DISCONNECTED)
+ return 0;
+
+ i_gettimeofday(&start);
+ i_assert(conn->pending_count == 0);
+
+ if (conn->delayed_connect) {
+ conn->delayed_connect = FALSE;
+ timeout_remove(&conn->to);
+ }
+ if (conn->ld == NULL)
+ db_ldap_init_ld(conn);
+
+ if (conn->set.tls) {
+#ifdef LDAP_HAVE_START_TLS_S
+ ret = ldap_start_tls_s(conn->ld, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ if (ret == LDAP_OPERATIONS_ERROR &&
+ conn->set.uris != NULL &&
+ str_begins(conn->set.uris, "ldaps:")) {
+ i_fatal("LDAP %s: Don't use both tls=yes "
+ "and ldaps URI", conn->config_path);
+ }
+ e_error(conn->event, "ldap_start_tls_s() failed: %s",
+ ldap_err2string(ret));
+ return -1;
+ }
+#else
+ i_unreached(); /* already checked at init */
+#endif
+ }
+
+ if (db_ldap_bind(conn) < 0)
+ return -1;
+
+ i_gettimeofday(&end);
+ int msecs = timeval_diff_msecs(&end, &start);
+ e_debug(conn->event, "LDAP initialization took %d msecs", msecs);
+
+ db_ldap_get_fd(conn);
+ conn->io = io_add(conn->fd, IO_READ, ldap_input, conn);
+ return 0;
+}
+
+static void db_ldap_connect_callback(struct ldap_connection *conn)
+{
+ i_assert(conn->conn_state == LDAP_CONN_STATE_DISCONNECTED);
+ (void)db_ldap_connect(conn);
+}
+
+void db_ldap_connect_delayed(struct ldap_connection *conn)
+{
+ if (conn->delayed_connect)
+ return;
+ conn->delayed_connect = TRUE;
+
+ i_assert(conn->to == NULL);
+ conn->to = timeout_add_short(0, db_ldap_connect_callback, conn);
+}
+
+void db_ldap_enable_input(struct ldap_connection *conn, bool enable)
+{
+ if (!enable) {
+ io_remove(&conn->io);
+ } else {
+ if (conn->io == NULL && conn->fd != -1) {
+ conn->io = io_add(conn->fd, IO_READ, ldap_input, conn);
+ ldap_input(conn);
+ }
+ }
+}
+
+static void db_ldap_disconnect_timeout(struct ldap_connection *conn)
+{
+ db_ldap_abort_requests(conn, UINT_MAX,
+ DB_LDAP_REQUEST_DISCONNECT_TIMEOUT_SECS, FALSE,
+ "Aborting (timeout), we're not connected to LDAP server");
+
+ if (aqueue_count(conn->request_queue) == 0) {
+ /* no requests left, remove this timeout handler */
+ timeout_remove(&conn->to);
+ }
+}
+
+static void db_ldap_conn_close(struct ldap_connection *conn)
+{
+ struct ldap_request *const *requests, *request;
+ unsigned int i;
+
+ conn->conn_state = LDAP_CONN_STATE_DISCONNECTED;
+ conn->delayed_connect = FALSE;
+ conn->default_bind_msgid = -1;
+
+ timeout_remove(&conn->to);
+
+ if (conn->pending_count != 0) {
+ requests = array_front(&conn->request_array);
+ for (i = 0; i < conn->pending_count; i++) {
+ request = requests[aqueue_idx(conn->request_queue, i)];
+
+ i_assert(request->msgid != -1);
+ request->msgid = -1;
+ }
+ conn->pending_count = 0;
+ }
+
+ if (conn->ld != NULL) {
+ ldap_unbind(conn->ld);
+ conn->ld = NULL;
+ }
+ conn->fd = -1;
+
+ /* the fd may have already been closed before ldap_unbind(),
+ so we'll have to use io_remove_closed(). */
+ io_remove_closed(&conn->io);
+
+ if (aqueue_count(conn->request_queue) > 0) {
+ conn->to = timeout_add(DB_LDAP_REQUEST_DISCONNECT_TIMEOUT_SECS *
+ 1000/2, db_ldap_disconnect_timeout, conn);
+ }
+}
+
+struct ldap_field_find_context {
+ ARRAY_TYPE(string) attr_names;
+ pool_t pool;
+};
+
+static int
+db_ldap_field_find(const char *data, void *context,
+ const char **value_r,
+ const char **error_r ATTR_UNUSED)
+{
+ struct ldap_field_find_context *ctx = context;
+ char *ldap_attr;
+
+ if (*data != '\0') {
+ ldap_attr = p_strdup(ctx->pool, t_strcut(data, ':'));
+ if (strchr(ldap_attr, '@') == NULL)
+ array_push_back(&ctx->attr_names, &ldap_attr);
+ }
+ *value_r = NULL;
+ return 1;
+}
+
+void db_ldap_set_attrs(struct ldap_connection *conn, const char *attrlist,
+ char ***attr_names_r, ARRAY_TYPE(ldap_field) *attr_map,
+ const char *skip_attr)
+{
+ static struct var_expand_func_table var_funcs_table[] = {
+ { "ldap", db_ldap_field_find },
+ { "ldap_ptr", db_ldap_field_find },
+ { NULL, NULL }
+ };
+ struct ldap_field_find_context ctx;
+ struct ldap_field *field;
+ string_t *tmp_str;
+ const char *const *attr, *attr_data, *p, *error;
+ char *ldap_attr, *name, *templ;
+ unsigned int i;
+
+ if (*attrlist == '\0')
+ return;
+
+ attr = t_strsplit_spaces(attrlist, ",");
+
+ tmp_str = t_str_new(128);
+ ctx.pool = conn->pool;
+ p_array_init(&ctx.attr_names, conn->pool, 16);
+ for (i = 0; attr[i] != NULL; i++) {
+ /* allow spaces here so "foo=1, bar=2" works */
+ attr_data = attr[i];
+ while (*attr_data == ' ') attr_data++;
+
+ p = strchr(attr_data, '=');
+ if (p == NULL)
+ ldap_attr = name = p_strdup(conn->pool, attr_data);
+ else if (attr_data[0] == '@') {
+ ldap_attr = "";
+ name = p_strdup(conn->pool, attr_data);
+ } else {
+ ldap_attr = p_strdup_until(conn->pool, attr_data, p);
+ name = p_strdup(conn->pool, p + 1);
+ }
+
+ templ = strchr(name, '=');
+ if (templ == NULL) {
+ if (*ldap_attr == '\0') {
+ /* =foo static value */
+ templ = "";
+ }
+ } else {
+ *templ++ = '\0';
+ str_truncate(tmp_str, 0);
+ if (var_expand_with_funcs(tmp_str, templ, NULL,
+ var_funcs_table, &ctx, &error) <= 0) {
+ /* This var_expand_with_funcs call fills the
+ * ldap_field_find_context in ctx, but the
+ * resulting string_t is not used, and the
+ * return value or error_r is not checked since
+ * it gives errors for non-ldap variable
+ * expansions. */
+ }
+ if (strchr(templ, '%') == NULL) {
+ /* backwards compatibility:
+ attr=name=prefix means same as
+ attr=name=prefix%$ when %vars are missing */
+ templ = p_strconcat(conn->pool, templ,
+ "%$", NULL);
+ }
+ }
+
+ if (*name == '\0')
+ e_error(conn->event, "Invalid attrs entry: %s", attr_data);
+ else if (skip_attr == NULL || strcmp(skip_attr, name) != 0) {
+ field = array_append_space(attr_map);
+ if (name[0] == '@') {
+ /* @name=ldapField */
+ name++;
+ field->value_is_dn = TRUE;
+ } else if (name[0] == '!' && name == ldap_attr) {
+ /* !ldapAttr */
+ name = "";
+ i_assert(ldap_attr[0] == '!');
+ ldap_attr++;
+ field->skip = TRUE;
+ }
+ field->name = name;
+ field->value = templ;
+ field->ldap_attr_name = ldap_attr;
+ if (*ldap_attr != '\0' &&
+ strchr(ldap_attr, '@') == NULL) {
+ /* root request's attribute */
+ array_push_back(&ctx.attr_names, &ldap_attr);
+ }
+ }
+ }
+ array_append_zero(&ctx.attr_names);
+ *attr_names_r = array_front_modifiable(&ctx.attr_names);
+}
+
+static const struct var_expand_table *
+db_ldap_value_get_var_expand_table(struct auth_request *auth_request,
+ const char *ldap_value)
+{
+ struct var_expand_table *table;
+ unsigned int count = 1;
+
+ table = auth_request_get_var_expand_table_full(auth_request,
+ auth_request->fields.user, NULL, &count);
+ table[0].key = '$';
+ table[0].value = ldap_value;
+ return table;
+}
+
+#define IS_LDAP_ESCAPED_CHAR(c) \
+ ((((unsigned char)(c)) & 0x80) != 0 || strchr(LDAP_ESCAPE_CHARS, (c)) != NULL)
+
+const char *ldap_escape(const char *str,
+ const struct auth_request *auth_request ATTR_UNUSED)
+{
+ string_t *ret = NULL;
+
+ for (const char *p = str; *p != '\0'; p++) {
+ if (IS_LDAP_ESCAPED_CHAR(*p)) {
+ if (ret == NULL) {
+ ret = t_str_new((size_t) (p - str) + 64);
+ str_append_data(ret, str, (size_t) (p - str));
+ }
+ str_printfa(ret, "\\%02X", (unsigned char)*p);
+ } else if (ret != NULL)
+ str_append_c(ret, *p);
+ }
+
+ return ret == NULL ? str : str_c(ret);
+}
+
+static bool
+ldap_field_hide_password(struct db_ldap_result_iterate_context *ctx,
+ const char *attr)
+{
+ const struct ldap_field *field;
+
+ if (ctx->ldap_request->auth_request->set->debug_passwords)
+ return FALSE;
+
+ array_foreach(ctx->attr_map, field) {
+ if (strcmp(field->ldap_attr_name, attr) == 0) {
+ if (strcmp(field->name, "password") == 0 ||
+ strcmp(field->name, "password_noscheme") == 0)
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+static void
+get_ldap_fields(struct db_ldap_result_iterate_context *ctx,
+ struct ldap_connection *conn, LDAPMessage *entry,
+ const char *suffix)
+{
+ struct db_ldap_value *ldap_value;
+ char *attr, **vals;
+ unsigned int i, count;
+ BerElement *ber;
+
+ attr = ldap_first_attribute(conn->ld, entry, &ber);
+ while (attr != NULL) {
+ vals = ldap_get_values(conn->ld, entry, attr);
+
+ ldap_value = p_new(ctx->pool, struct db_ldap_value, 1);
+ if (vals == NULL) {
+ ldap_value->values = p_new(ctx->pool, const char *, 1);
+ count = 0;
+ } else {
+ for (count = 0; vals[count] != NULL; count++) ;
+ }
+
+ ldap_value->values = p_new(ctx->pool, const char *, count + 1);
+ for (i = 0; i < count; i++)
+ ldap_value->values[i] = p_strdup(ctx->pool, vals[i]);
+
+ if (ctx->debug != NULL) {
+ str_printfa(ctx->debug, " %s%s=", attr, suffix);
+ if (count == 0)
+ str_append(ctx->debug, "<no values>");
+ else if (ldap_field_hide_password(ctx, attr))
+ str_append(ctx->debug, PASSWORD_HIDDEN_STR);
+ else {
+ str_append(ctx->debug, ldap_value->values[0]);
+ for (i = 1; i < count; i++) {
+ str_printfa(ctx->debug, ",%s",
+ ldap_value->values[0]);
+ }
+ }
+ }
+ hash_table_insert(ctx->ldap_attrs,
+ p_strconcat(ctx->pool, attr, suffix, NULL),
+ ldap_value);
+
+ ldap_value_free(vals);
+ ldap_memfree(attr);
+ attr = ldap_next_attribute(conn->ld, entry, ber);
+ }
+ ber_free(ber, 0);
+}
+
+struct db_ldap_result_iterate_context *
+db_ldap_result_iterate_init_full(struct ldap_connection *conn,
+ struct ldap_request_search *ldap_request,
+ LDAPMessage *res, bool skip_null_values,
+ bool iter_dn_values)
+{
+ struct db_ldap_result_iterate_context *ctx;
+ const struct ldap_request_named_result *named_res;
+ const char *suffix;
+ pool_t pool;
+
+ pool = pool_alloconly_create(MEMPOOL_GROWING"ldap result iter", 1024);
+ ctx = p_new(pool, struct db_ldap_result_iterate_context, 1);
+ ctx->pool = pool;
+ ctx->ldap_request = &ldap_request->request;
+ ctx->attr_map = ldap_request->attr_map;
+ ctx->skip_null_values = skip_null_values;
+ ctx->iter_dn_values = iter_dn_values;
+ hash_table_create(&ctx->ldap_attrs, pool, 0, strcase_hash, strcasecmp);
+ ctx->var = str_new(ctx->pool, 256);
+ if (event_want_debug(ctx->ldap_request->auth_request->event))
+ ctx->debug = t_str_new(256);
+ ctx->ldap_msg = res;
+ ctx->ld = conn->ld;
+
+ get_ldap_fields(ctx, conn, res, "");
+ if (array_is_created(&ldap_request->named_results)) {
+ array_foreach(&ldap_request->named_results, named_res) {
+ suffix = t_strdup_printf("@%s", named_res->field->name);
+ if (named_res->result != NULL) {
+ get_ldap_fields(ctx, conn,
+ named_res->result->msg, suffix);
+ }
+ }
+ }
+ return ctx;
+}
+
+struct db_ldap_result_iterate_context *
+db_ldap_result_iterate_init(struct ldap_connection *conn,
+ struct ldap_request_search *ldap_request,
+ LDAPMessage *res, bool skip_null_values)
+{
+ return db_ldap_result_iterate_init_full(conn, ldap_request, res,
+ skip_null_values, FALSE);
+}
+
+static const char *db_ldap_field_get_default(const char *data)
+{
+ const char *p;
+
+ p = i_strchr_to_next(data, ':');
+ if (p == NULL)
+ return "";
+ else {
+ /* default value given */
+ return p;
+ }
+}
+
+static int
+db_ldap_field_expand(const char *data, void *context,
+ const char **value_r, const char **error_r ATTR_UNUSED)
+{
+ struct db_ldap_result_iterate_context *ctx = context;
+ struct db_ldap_value *ldap_value;
+ const char *field_name = t_strcut(data, ':');
+
+ ldap_value = hash_table_lookup(ctx->ldap_attrs, field_name);
+ if (ldap_value == NULL) {
+ /* requested ldap attribute wasn't returned at all */
+ if (ctx->debug != NULL)
+ str_printfa(ctx->debug, "; %s missing", field_name);
+ *value_r = db_ldap_field_get_default(data);
+ return 1;
+ }
+ ldap_value->used = TRUE;
+
+ if (ldap_value->values[0] == NULL) {
+ /* no value for ldap attribute */
+ *value_r = db_ldap_field_get_default(data);
+ return 1;
+ }
+ if (ldap_value->values[1] != NULL) {
+ e_warning(authdb_event(ctx->ldap_request->auth_request),
+ "Multiple values found for '%s', using value '%s'",
+ field_name, ldap_value->values[0]);
+ }
+ *value_r = ldap_value->values[0];
+ return 1;
+}
+
+static int
+db_ldap_field_ptr_expand(const char *data, void *context,
+ const char **value_r, const char **error_r)
+{
+ struct db_ldap_result_iterate_context *ctx = context;
+ const char *field_name, *suffix;
+
+ suffix = strchr(t_strcut(data, ':'), '@');
+ if (db_ldap_field_expand(data, ctx, &field_name, error_r) <= 0)
+ i_unreached();
+ if (field_name[0] == '\0') {
+ *value_r = "";
+ return 1;
+ }
+ field_name = t_strconcat(field_name, suffix, NULL);
+ return db_ldap_field_expand(field_name, ctx, value_r, error_r);
+}
+
+static int
+db_ldap_field_dn_expand(const char *data ATTR_UNUSED, void *context ATTR_UNUSED,
+ const char **value_r, const char **error_r ATTR_UNUSED)
+{
+ struct db_ldap_result_iterate_context *ctx = context;
+ char *dn = ldap_get_dn(ctx->ld, ctx->ldap_msg);
+ *value_r = t_strdup(dn);
+ ldap_memfree(dn);
+ return 1;
+}
+
+static struct var_expand_func_table ldap_var_funcs_table[] = {
+ { "ldap", db_ldap_field_expand },
+ { "ldap_ptr", db_ldap_field_ptr_expand },
+ { "ldap_dn", db_ldap_field_dn_expand },
+ { NULL, NULL }
+};
+
+static const char *const *
+db_ldap_result_return_value(struct db_ldap_result_iterate_context *ctx,
+ const struct ldap_field *field,
+ struct db_ldap_value *ldap_value)
+{
+ const struct var_expand_table *var_table;
+ const char *const *values, *error;
+
+ if (ldap_value != NULL)
+ values = ldap_value->values;
+ else {
+ /* LDAP attribute doesn't exist */
+ ctx->val_1_arr[0] = NULL;
+ values = ctx->val_1_arr;
+ }
+
+ if (field->value == NULL) {
+ /* use the LDAP attribute's value */
+ } else {
+ /* template */
+ if (values[0] == NULL && *field->ldap_attr_name != '\0') {
+ /* ldapAttr=key=template%$, but ldapAttr doesn't
+ exist. */
+ return values;
+ }
+ if (values[0] != NULL && values[1] != NULL) {
+ e_warning(authdb_event(ctx->ldap_request->auth_request),
+ "Multiple values found for '%s', "
+ "using value '%s'",
+ field->name, values[0]);
+ }
+
+ /* do this lookup separately for each expansion, because:
+ 1) the values are allocated from data stack
+ 2) if "user" field is updated, we want %u/%n/%d updated
+ (and less importantly the same for other variables) */
+ var_table = db_ldap_value_get_var_expand_table(
+ ctx->ldap_request->auth_request, values[0]);
+ if (var_expand_with_funcs(ctx->var, field->value, var_table,
+ ldap_var_funcs_table, ctx, &error) <= 0) {
+ e_warning(authdb_event(ctx->ldap_request->auth_request),
+ "Failed to expand template %s: %s",
+ field->value, error);
+ }
+ ctx->val_1_arr[0] = str_c(ctx->var);
+ values = ctx->val_1_arr;
+ }
+ return values;
+}
+
+bool db_ldap_result_iterate_next(struct db_ldap_result_iterate_context *ctx,
+ const char **name_r,
+ const char *const **values_r)
+{
+ const struct var_expand_table *tab;
+ const struct ldap_field *field;
+ struct db_ldap_value *ldap_value;
+ unsigned int pos;
+ const char *error;
+
+ do {
+ if (ctx->attr_idx == array_count(ctx->attr_map))
+ return FALSE;
+ field = array_idx(ctx->attr_map, ctx->attr_idx++);
+ } while (field->value_is_dn != ctx->iter_dn_values ||
+ field->skip);
+
+ ldap_value = *field->ldap_attr_name == '\0' ? NULL :
+ hash_table_lookup(ctx->ldap_attrs, field->ldap_attr_name);
+ if (ldap_value != NULL)
+ ldap_value->used = TRUE;
+ else if (ctx->debug != NULL && *field->ldap_attr_name != '\0')
+ str_printfa(ctx->debug, "; %s missing", field->ldap_attr_name);
+
+ str_truncate(ctx->var, 0);
+ *values_r = db_ldap_result_return_value(ctx, field, ldap_value);
+
+ if (strchr(field->name, '%') == NULL)
+ *name_r = field->name;
+ else {
+ /* expand %variables also for LDAP name fields. we'll use the
+ same ctx->var, which may already contain the value. */
+ str_append_c(ctx->var, '\0');
+ pos = str_len(ctx->var);
+
+ tab = auth_request_get_var_expand_table(
+ ctx->ldap_request->auth_request, NULL);
+ if (var_expand_with_funcs(ctx->var, field->name, tab,
+ ldap_var_funcs_table, ctx, &error) <= 0) {
+ e_warning(authdb_event(ctx->ldap_request->auth_request),
+ "Failed to expand %s: %s", field->name, error);
+ }
+ *name_r = str_c(ctx->var) + pos;
+ }
+
+ if (ctx->skip_null_values && (*values_r)[0] == NULL) {
+ /* no values. don't confuse the caller with this reply. */
+ return db_ldap_result_iterate_next(ctx, name_r, values_r);
+ }
+ return TRUE;
+}
+
+static void
+db_ldap_result_finish_debug(struct db_ldap_result_iterate_context *ctx)
+{
+ struct hash_iterate_context *iter;
+ char *name;
+ struct db_ldap_value *value;
+ unsigned int unused_count = 0;
+ size_t orig_len;
+
+ if (ctx->ldap_request->result_logged)
+ return;
+
+ orig_len = str_len(ctx->debug);
+ if (orig_len == 0) {
+ e_debug(authdb_event(ctx->ldap_request->auth_request),
+ "no fields returned by the server");
+ return;
+ }
+
+ str_append(ctx->debug, "; ");
+
+ iter = hash_table_iterate_init(ctx->ldap_attrs);
+ while (hash_table_iterate(iter, ctx->ldap_attrs, &name, &value)) {
+ if (!value->used) {
+ str_printfa(ctx->debug, "%s,", name);
+ unused_count++;
+ }
+ }
+ hash_table_iterate_deinit(&iter);
+
+ if (unused_count == 0)
+ str_truncate(ctx->debug, orig_len);
+ else {
+ str_truncate(ctx->debug, str_len(ctx->debug)-1);
+ str_append(ctx->debug, " unused");
+ }
+ e_debug(authdb_event(ctx->ldap_request->auth_request),
+ "result: %s", str_c(ctx->debug) + 1);
+
+ ctx->ldap_request->result_logged = TRUE;
+}
+
+void db_ldap_result_iterate_deinit(struct db_ldap_result_iterate_context **_ctx)
+{
+ struct db_ldap_result_iterate_context *ctx = *_ctx;
+
+ *_ctx = NULL;
+
+ if (ctx->debug != NULL)
+ db_ldap_result_finish_debug(ctx);
+ hash_table_destroy(&ctx->ldap_attrs);
+ pool_unref(&ctx->pool);
+}
+
+static const char *parse_setting(const char *key, const char *value,
+ struct ldap_connection *conn)
+{
+ return parse_setting_from_defs(conn->pool, setting_defs,
+ &conn->set, key, value);
+}
+
+static struct ldap_connection *ldap_conn_find(const char *config_path)
+{
+ struct ldap_connection *conn;
+
+ for (conn = ldap_connections; conn != NULL; conn = conn->next) {
+ if (strcmp(conn->config_path, config_path) == 0)
+ return conn;
+ }
+
+ return NULL;
+}
+
+struct ldap_connection *db_ldap_init(const char *config_path, bool userdb)
+{
+ struct ldap_connection *conn;
+ const char *str, *error;
+ pool_t pool;
+
+ /* see if it already exists */
+ conn = ldap_conn_find(config_path);
+ if (conn != NULL) {
+ if (userdb)
+ conn->userdb_used = TRUE;
+ conn->refcount++;
+ return conn;
+ }
+
+ if (*config_path == '\0')
+ i_fatal("LDAP: Configuration file path not given");
+
+ pool = pool_alloconly_create("ldap_connection", 1024);
+ conn = p_new(pool, struct ldap_connection, 1);
+ conn->pool = pool;
+ conn->refcount = 1;
+
+ conn->userdb_used = userdb;
+ conn->conn_state = LDAP_CONN_STATE_DISCONNECTED;
+ conn->default_bind_msgid = -1;
+ conn->fd = -1;
+ conn->config_path = p_strdup(pool, config_path);
+ conn->set = default_ldap_settings;
+ if (!settings_read_nosection(config_path, parse_setting, conn, &error))
+ i_fatal("ldap %s: %s", config_path, error);
+
+ if (conn->set.base == NULL)
+ i_fatal("LDAP %s: No base given", config_path);
+
+ if (conn->set.uris == NULL && conn->set.hosts == NULL)
+ i_fatal("LDAP %s: No uris or hosts set", config_path);
+#ifndef LDAP_HAVE_INITIALIZE
+ if (conn->set.uris != NULL) {
+ i_fatal("LDAP %s: uris set, but Dovecot compiled without support for LDAP uris "
+ "(ldap_initialize() not supported by LDAP library)", config_path);
+ }
+#endif
+#ifndef LDAP_HAVE_START_TLS_S
+ if (conn->set.tls)
+ i_fatal("LDAP %s: tls=yes, but your LDAP library doesn't support TLS", config_path);
+#endif
+#ifndef HAVE_LDAP_SASL
+ if (conn->set.sasl_bind)
+ i_fatal("LDAP %s: sasl_bind=yes but no SASL support compiled in", conn->config_path);
+#endif
+ if (conn->set.ldap_version < 3) {
+ if (conn->set.sasl_bind)
+ i_fatal("LDAP %s: sasl_bind=yes requires ldap_version=3", config_path);
+ if (conn->set.tls)
+ i_fatal("LDAP %s: tls=yes requires ldap_version=3", config_path);
+ }
+#ifdef OPENLDAP_TLS_OPTIONS
+ if (conn->set.tls_require_cert != NULL) {
+ if (tls_require_cert2str(conn->set.tls_require_cert,
+ &conn->set.ldap_tls_require_cert_parsed) < 0)
+ i_fatal("LDAP %s: Unknown tls_require_cert value '%s'",
+ config_path, conn->set.tls_require_cert);
+ }
+#endif
+
+ if (*conn->set.ldaprc_path != '\0') {
+ str = getenv("LDAPRC");
+ if (str != NULL && strcmp(str, conn->set.ldaprc_path) != 0) {
+ i_fatal("LDAP %s: Multiple different ldaprc_path "
+ "settings not allowed (%s and %s)",
+ config_path, str, conn->set.ldaprc_path);
+ }
+ env_put("LDAPRC", conn->set.ldaprc_path);
+ }
+
+ if (deref2str(conn->set.deref, &conn->set.ldap_deref) < 0)
+ i_fatal("LDAP %s: Unknown deref option '%s'", config_path, conn->set.deref);
+ if (scope2str(conn->set.scope, &conn->set.ldap_scope) < 0)
+ i_fatal("LDAP %s: Unknown scope option '%s'", config_path, conn->set.scope);
+
+ conn->event = event_create(auth_event);
+ event_set_append_log_prefix(conn->event, t_strdup_printf(
+ "ldap(%s): ", conn->config_path));
+
+ i_array_init(&conn->request_array, 512);
+ conn->request_queue = aqueue_init(&conn->request_array.arr);
+
+ conn->next = ldap_connections;
+ ldap_connections = conn;
+
+ db_ldap_init_ld(conn);
+ return conn;
+}
+
+void db_ldap_unref(struct ldap_connection **_conn)
+{
+ struct ldap_connection *conn = *_conn;
+ struct ldap_connection **p;
+
+ *_conn = NULL;
+ i_assert(conn->refcount >= 0);
+ if (--conn->refcount > 0)
+ return;
+
+ for (p = &ldap_connections; *p != NULL; p = &(*p)->next) {
+ if (*p == conn) {
+ *p = conn->next;
+ break;
+ }
+ }
+
+ db_ldap_abort_requests(conn, UINT_MAX, 0, FALSE, "Shutting down");
+ i_assert(conn->pending_count == 0);
+ db_ldap_conn_close(conn);
+ i_assert(conn->to == NULL);
+
+ array_free(&conn->request_array);
+ aqueue_deinit(&conn->request_queue);
+
+ event_unref(&conn->event);
+ pool_unref(&conn->pool);
+}
+
+#ifndef BUILTIN_LDAP
+/* Building a plugin */
+extern struct passdb_module_interface passdb_ldap_plugin;
+extern struct userdb_module_interface userdb_ldap_plugin;
+
+void authdb_ldap_init(void);
+void authdb_ldap_deinit(void);
+
+void authdb_ldap_init(void)
+{
+ passdb_register_module(&passdb_ldap_plugin);
+ userdb_register_module(&userdb_ldap_plugin);
+
+}
+void authdb_ldap_deinit(void)
+{
+ passdb_unregister_module(&passdb_ldap_plugin);
+ userdb_unregister_module(&userdb_ldap_plugin);
+}
+#endif
+
+#endif