diff options
Diffstat (limited to 'src/modules/rlm_ldap')
-rw-r--r-- | src/modules/rlm_ldap/.gitignore | 1 | ||||
-rw-r--r-- | src/modules/rlm_ldap/all.mk.in | 10 | ||||
-rw-r--r-- | src/modules/rlm_ldap/attrmap.c | 390 | ||||
-rw-r--r-- | src/modules/rlm_ldap/clients.c | 263 | ||||
-rw-r--r-- | src/modules/rlm_ldap/config.h.in | 43 | ||||
-rwxr-xr-x | src/modules/rlm_ldap/configure | 4563 | ||||
-rw-r--r-- | src/modules/rlm_ldap/configure.ac | 157 | ||||
-rw-r--r-- | src/modules/rlm_ldap/edir.c | 275 | ||||
-rw-r--r-- | src/modules/rlm_ldap/groups.c | 853 | ||||
-rw-r--r-- | src/modules/rlm_ldap/ldap.c | 1605 | ||||
-rw-r--r-- | src/modules/rlm_ldap/ldap.h | 486 | ||||
-rw-r--r-- | src/modules/rlm_ldap/rlm_ldap.c | 1977 | ||||
-rw-r--r-- | src/modules/rlm_ldap/sasl.c | 194 |
13 files changed, 10817 insertions, 0 deletions
diff --git a/src/modules/rlm_ldap/.gitignore b/src/modules/rlm_ldap/.gitignore new file mode 100644 index 0000000..01a5daa --- /dev/null +++ b/src/modules/rlm_ldap/.gitignore @@ -0,0 +1 @@ +all.mk diff --git a/src/modules/rlm_ldap/all.mk.in b/src/modules/rlm_ldap/all.mk.in new file mode 100644 index 0000000..daa64ec --- /dev/null +++ b/src/modules/rlm_ldap/all.mk.in @@ -0,0 +1,10 @@ +TARGETNAME := @targetname@ + +ifneq "$(TARGETNAME)" "" +TARGET := $(TARGETNAME).a +endif + +SOURCES := $(TARGETNAME).c attrmap.c ldap.c clients.c groups.c edir.c @SASL@ + +SRC_CFLAGS := @mod_cflags@ +TGT_LDLIBS := @mod_ldflags@ diff --git a/src/modules/rlm_ldap/attrmap.c b/src/modules/rlm_ldap/attrmap.c new file mode 100644 index 0000000..1e56247 --- /dev/null +++ b/src/modules/rlm_ldap/attrmap.c @@ -0,0 +1,390 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * @file ldap.c + * @brief Functions for mapping between LDAP and FreeRADIUS attributes. + * + * @author Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2013 Network RADIUS SARL <info@networkradius.com> + * @copyright 2013 The FreeRADIUS Server Project. + */ + +#include <freeradius-devel/rad_assert.h> +#include "ldap.h" + +/** Callback for map_to_request + * + * Performs exactly the same job as map_to_vp, but pulls attribute values from LDAP entries + * + * @see map_to_vp + */ +int rlm_ldap_map_getvalue(TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request, vp_map_t const *map, void *uctx) +{ + rlm_ldap_result_t *self = uctx; + VALUE_PAIR *head = NULL, *vp; + vp_cursor_t cursor; + int i; + + fr_cursor_init(&cursor, &head); + + switch (map->lhs->type) { + /* + * This is a mapping in the form of: + * <list>: += <ldap attr> + * + * Where <ldap attr> is: + * <list>:<attr> <op> <value> + * + * It is to allow for legacy installations which stored + * RADIUS control and reply attributes in separate LDAP + * attributes. + */ + case TMPL_TYPE_LIST: + for (i = 0; i < self->count; i++) { + vp_map_t *attr = NULL; + + RDEBUG3("Parsing valuepair string \"%s\"", self->values[i]->bv_val); + if (map_afrom_attr_str(ctx, &attr, self->values[i]->bv_val, + map->lhs->tmpl_request, map->lhs->tmpl_list, + REQUEST_CURRENT, PAIR_LIST_REQUEST) < 0) { + RWDEBUG("Failed parsing \"%s\" as valuepair (%s), skipping...", fr_strerror(), + self->values[i]->bv_val); + continue; + } + + if (attr->lhs->tmpl_request != map->lhs->tmpl_request) { + RWDEBUG("valuepair \"%s\" has conflicting request qualifier (%s vs %s), skipping...", + self->values[i]->bv_val, + fr_int2str(request_refs, attr->lhs->tmpl_request, "<INVALID>"), + fr_int2str(request_refs, map->lhs->tmpl_request, "<INVALID>")); + next_pair: + talloc_free(attr); + continue; + } + + if ((attr->lhs->tmpl_list != map->lhs->tmpl_list)) { + RWDEBUG("valuepair \"%s\" has conflicting list qualifier (%s vs %s), skipping...", + self->values[i]->bv_val, + fr_int2str(pair_lists, attr->lhs->tmpl_list, "<INVALID>"), + fr_int2str(pair_lists, map->lhs->tmpl_list, "<INVALID>")); + goto next_pair; + } + + if (map_to_vp(request, &vp, request, attr, NULL) < 0) { + RWDEBUG("Failed creating attribute for valuepair \"%s\", skipping...", + self->values[i]->bv_val); + goto next_pair; + } + + fr_cursor_merge(&cursor, vp); + talloc_free(attr); + + /* + * Only process the first value, unless the operator is += + */ + if (map->op != T_OP_ADD) break; + } + break; + + /* + * Iterate over all the retrieved values, + * don't try and be clever about changing operators + * just use whatever was set in the attribute map. + */ + case TMPL_TYPE_ATTR: + for (i = 0; i < self->count; i++) { + if (!self->values[i]->bv_len) continue; + + RDEBUG3("Parsing %s = %s", map->lhs->name, self->values[i]->bv_val); + + vp = fr_pair_afrom_da(ctx, map->lhs->tmpl_da); + rad_assert(vp); + + if (fr_pair_value_from_str(vp, self->values[i]->bv_val, self->values[i]->bv_len) < 0) { + char *escaped; + + escaped = fr_aprints(vp, self->values[i]->bv_val, self->values[i]->bv_len, '"'); + RWDEBUG("Failed parsing value \"%s\" for attribute %s: %s", escaped, + map->lhs->tmpl_da->name, fr_strerror()); + + talloc_free(vp); /* also frees escaped */ + continue; + } + + vp->op = map->op; + fr_cursor_insert(&cursor, vp); + + /* + * Only process the first value, unless the operator is += + */ + if (map->op != T_OP_ADD) break; + } + break; + + default: + rad_assert(0); + } + + *out = head; + + return 0; +} + +int rlm_ldap_map_verify(vp_map_t *map, void *instance) +{ + rlm_ldap_t *inst = instance; + + /* + * Destinations where we can put the VALUE_PAIRs we + * create using LDAP values. + */ + switch (map->lhs->type) { + case TMPL_TYPE_LIST: + case TMPL_TYPE_ATTR: + break; + + case TMPL_TYPE_ATTR_UNDEFINED: + cf_log_err(map->ci, "Unknown attribute %s", map->lhs->tmpl_unknown_name); + return -1; + + default: + cf_log_err(map->ci, "Left hand side of map must be an attribute or list, not a %s", + fr_int2str(tmpl_names, map->lhs->type, "<INVALID>")); + return -1; + } + + /* + * Sources we can use to get the name of the attribute + * we're retrieving from LDAP. + */ + switch (map->rhs->type) { + case TMPL_TYPE_XLAT: + case TMPL_TYPE_ATTR: + case TMPL_TYPE_EXEC: + case TMPL_TYPE_LITERAL: + break; + + case TMPL_TYPE_ATTR_UNDEFINED: + cf_log_err(map->ci, "Unknown attribute %s", map->rhs->tmpl_unknown_name); + return -1; + + default: + cf_log_err(map->ci, "Right hand side of map must be an xlat, attribute, exec, or literal, not a %s", + fr_int2str(tmpl_names, map->rhs->type, "<INVALID>")); + return -1; + } + + /* + * Only =, :=, += and -= operators are supported for LDAP mappings. + */ + switch (map->op) { + case T_OP_SET: + case T_OP_EQ: + case T_OP_SUB: + case T_OP_ADD: + break; + + default: + cf_log_err(map->ci, "Operator \"%s\" not allowed for LDAP mappings", + fr_int2str(fr_tokens, map->op, "<INVALID>")); + return -1; + } + + /* + * Be smart about whether we warn the user about missing passwords. + * If there are no password attributes in the mapping, then the user's either an idiot + * and has no idea what they're doing, or they're authenticating the user using a different + * method. + */ + if (!inst->expect_password && (map->lhs->type == TMPL_TYPE_ATTR) && map->lhs->tmpl_da) { + switch (map->lhs->tmpl_da->attr) { + case PW_CLEARTEXT_PASSWORD: + case PW_NT_PASSWORD: + case PW_USER_PASSWORD: + case PW_PASSWORD_WITH_HEADER: + case PW_CRYPT_PASSWORD: + /* + * Because you just know someone is going to map NT-Password to the + * request list, and then complain it's not working... + */ + if (map->lhs->tmpl_list != PAIR_LIST_CONTROL) { + LDAP_DBGW("Mapping LDAP (%s) attribute to \"known good\" password attribute " + "(%s) in %s list. This is probably *NOT* the correct list, " + "you should prepend \"control:\" to password attribute " + "(control:%s)", + map->rhs->name, map->lhs->tmpl_da->name, + fr_int2str(pair_lists, map->lhs->tmpl_list, "<invalid>"), + map->lhs->tmpl_da->name); + } + + inst->expect_password = true; + default: + break; + } + } + + return 0; +} + +/** Expand values in an attribute map where needed + * + * @param[out] expanded array of attributes. Need not be initialised (we'll initialise). + * @param[in] request The current request. + * @param[in] maps to expand. + * @return + * - 0 on success. + * - -1 on failure. + */ +int rlm_ldap_map_expand(rlm_ldap_map_exp_t *expanded, REQUEST *request, vp_map_t const *maps) +{ + vp_map_t const *map; + unsigned int total = 0; + + TALLOC_CTX *ctx = NULL; + char const *attr; + char attr_buff[1024 + 1]; /* X.501 says we need to support at least 1024 chars for attr names */ + + for (map = maps; map != NULL; map = map->next) { + if (tmpl_expand(&attr, attr_buff, sizeof(attr_buff), request, map->rhs, NULL, NULL) < 0) { + RDEBUG("Expansion of LDAP attribute \"%s\" failed", map->rhs->name); + TALLOC_FREE(ctx); + return -1; + } + + /* + * Dynamic value + */ + if (attr == attr_buff) { + if (!ctx) ctx = talloc_new(NULL); + expanded->attrs[total++] = talloc_strdup(ctx, attr_buff); + continue; + } + expanded->attrs[total++] = attr; + } + expanded->attrs[total] = NULL; + expanded->ctx = ctx; /* Freeing this frees any dynamic values */ + expanded->count = total; + expanded->maps = maps; + + return 0; +} + + +/** Convert attribute map into valuepairs + * + * Use the attribute map built earlier to convert LDAP values into valuepairs and insert them into whichever + * list they need to go into. + * + * This is *NOT* atomic, but there's no condition for which we should error out... + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in] handle associated with entry. + * @param[in] expanded attributes (rhs of map). + * @param[in] entry to retrieve attributes from. + * @return + * - Number of maps successfully applied. + * - -1 on failure. + */ +int rlm_ldap_map_do(const rlm_ldap_t *inst, REQUEST *request, LDAP *handle, + rlm_ldap_map_exp_t const *expanded, LDAPMessage *entry) +{ + vp_map_t const *map; + unsigned int total = 0; + int applied = 0; /* How many maps have been applied to the current request */ + + rlm_ldap_result_t result; + char const *name; + + for (map = expanded->maps; map != NULL; map = map->next) { + int ret; + + name = expanded->attrs[total++]; + + /* + * Binary safe + */ + result.values = ldap_get_values_len(handle, entry, name); + if (!result.values) { + RDEBUG3("Attribute \"%s\" not found in LDAP object", name); + + goto next; + } + + /* + * Find out how many values there are for the + * attribute and extract all of them. + */ + result.count = ldap_count_values_len(result.values); + + /* + * If something bad happened, just skip, this is probably + * a case of the dst being incorrect for the current + * request context + */ + ret = map_to_request(request, map, rlm_ldap_map_getvalue, &result); + if (ret == -1) return -1; /* Fail */ + + /* + * How many maps we've processed + */ + applied++; + + next: + ldap_value_free_len(result.values); + } + + + /* + * Retrieve any valuepair attributes from the result, these are generic values specifying + * a radius list, operator and value. + */ + if (inst->valuepair_attr) { + struct berval **values; + int count, i; + + values = ldap_get_values_len(handle, entry, inst->valuepair_attr); + count = ldap_count_values_len(values); + + for (i = 0; i < count; i++) { + vp_map_t *attr; + char *value; + + value = rlm_ldap_berval_to_string(request, values[i]); + RDEBUG3("Parsing attribute string '%s'", value); + if (map_afrom_attr_str(request, &attr, value, + REQUEST_CURRENT, PAIR_LIST_REPLY, + REQUEST_CURRENT, PAIR_LIST_REQUEST) < 0) { + RWDEBUG("Failed parsing '%s' value \"%s\" as valuepair (%s), skipping...", + fr_strerror(), inst->valuepair_attr, value); + talloc_free(value); + continue; + } + if (map_to_request(request, attr, map_to_vp, NULL) < 0) { + RWDEBUG("Failed adding \"%s\" to request, skipping...", value); + } else { + applied++; + } + talloc_free(attr); + talloc_free(value); + } + ldap_value_free_len(values); + } + + return applied; +} diff --git a/src/modules/rlm_ldap/clients.c b/src/modules/rlm_ldap/clients.c new file mode 100644 index 0000000..8654475 --- /dev/null +++ b/src/modules/rlm_ldap/clients.c @@ -0,0 +1,263 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * @file clients.c + * @brief LDAP module dynamic clients. + * + * @author Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2013,2015 Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2013-2015 The FreeRADIUS Server Project. + */ +#include <freeradius-devel/rad_assert.h> +#include <ctype.h> + +#include "ldap.h" + +/** Iterate over pairs in mapping section recording their values in an array + * + * This array is the list of attributes we retrieve from LDAP, and is NULL + * terminated. + * + * If we hit a CONF_SECTION we recurse and process its CONF_PAIRS too. + * + * @param[out] values array of char pointers. + * @param[in,out] idx records current array offset. + * @param[in] cs to iterate over. + * @return + * - 0 on success. + * - -1 on failure. + */ +static int rlm_ldap_client_get_attrs(char const **values, int *idx, CONF_SECTION const *cs) +{ + CONF_ITEM const *ci; + + for (ci = cf_item_find_next(cs, NULL); + ci != NULL; + ci = cf_item_find_next(cs, ci)) { + char const *value; + + if (cf_item_is_section(ci)) { + if (rlm_ldap_client_get_attrs(values, idx, cf_item_to_section(ci)) < 0) return -1; + continue; + } + + value = cf_pair_value(cf_item_to_pair(ci)); + if (!value) return -1; + + values[(*idx)++] = value; + } + + values[*idx] = NULL; + + return 0; +} + +typedef struct ldap_client_data { + ldap_handle_t *conn; + LDAPMessage *entry; +} ldap_client_data_t; + +static int _get_client_value(char **out, CONF_PAIR const *cp, void *data) +{ + struct berval **values; + ldap_client_data_t *this = data; + + values = ldap_get_values_len(this->conn->handle, this->entry, cf_pair_value(cp)); + if (!values) { + *out = NULL; + return 0; + } + + *out = rlm_ldap_berval_to_string(NULL, values[0]); + ldap_value_free_len(values); + + if (!*out) return -1; + return 0; +} + +/** Load clients from LDAP on server start + * + * @param[in] inst rlm_ldap configuration. + * @param[in] tmpl to use as the base for the new client. + * @param[in] map to load client attribute/LDAP attribute mappings from. + * @return + * - 0 on success. + * - -1 on failure. + */ +int rlm_ldap_client_load(rlm_ldap_t const *inst, CONF_SECTION *tmpl, CONF_SECTION *map) +{ + int ret = 0; + ldap_rcode_t status; + ldap_handle_t *conn = NULL; + + char const **attrs = NULL; + + CONF_PAIR *cp; + int count = 0, idx = 0; + + LDAPMessage *result = NULL; + LDAPMessage *entry; + char *dn = NULL; + + RADCLIENT *c; + + LDAP_DBG("Loading dynamic clients"); + + rad_assert(inst->clientobj_base_dn); + + count = cf_pair_count(map); + count++; + + /* + * Create an array of LDAP attributes to feed to rlm_ldap_search. + */ + attrs = talloc_array(inst, char const *, count); + if (rlm_ldap_client_get_attrs(attrs, &idx, map) < 0) { + talloc_free(attrs); + return -1; + } + + conn = mod_conn_get(inst, NULL); + if (!conn) { + talloc_free(attrs); + return -1; + } + + /* + * Perform all searches as the admin user. + */ + if (conn->rebound) { + status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password, + &(conn->inst->admin_sasl), true); + if (status != LDAP_PROC_SUCCESS) { + ret = -1; + goto finish; + } + + rad_assert(conn); + + conn->rebound = false; + } + + status = rlm_ldap_search(&result, inst, NULL, &conn, inst->clientobj_base_dn, inst->clientobj_scope, + inst->clientobj_filter, attrs, NULL, NULL); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_NO_RESULT: + LDAP_INFO("No clients were found in the directory"); + ret = 0; + goto finish; + + default: + ret = -1; + goto finish; + } + + rad_assert(conn); + entry = ldap_first_entry(conn->handle, result); + if (!entry) { + int ldap_errno; + + ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + LDAP_ERR("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); + + ret = -1; + goto finish; + } + + do { + ldap_client_data_t data; + + CONF_SECTION *client; + char *id; + + struct berval **values; + + id = dn = ldap_get_dn(conn->handle, entry); + if (!dn) { + int ldap_errno; + + ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + LDAP_ERR("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno)); + + goto finish; + } + rlm_ldap_normalise_dn(dn, dn); + + cp = cf_pair_find(map, "identifier"); + if (cp) { + values = ldap_get_values_len(conn->handle, entry, cf_pair_value(cp)); + if (values) id = rlm_ldap_berval_to_string(NULL, values[0]); + ldap_value_free_len(values); + } + + /* + * Iterate over mapping sections + */ + client = tmpl ? cf_section_dup(NULL, tmpl, "client", id, true) : + cf_section_alloc(NULL, "client", id); + + data.conn = conn; + data.entry = entry; + + if (client_map_section(client, map, _get_client_value, &data) < 0) { + talloc_free(client); + ret = -1; + goto finish; + } + + /* + *@todo these should be parented from something + */ + c = client_afrom_cs(NULL, client, false, false); + if (!c) { + talloc_free(client); + ret = -1; + goto finish; + } + + /* + * Client parents the CONF_SECTION which defined it + */ + talloc_steal(c, client); + + if (!client_add(NULL, c)) { + LDAP_ERR("Failed to add client \"%s\", possible duplicate?", dn); + ret = -1; + client_free(c); + goto finish; + } + + LDAP_DBG("Client \"%s\" added", dn); + + ldap_memfree(dn); + dn = NULL; + } while ((entry = ldap_next_entry(conn->handle, entry))); + +finish: + talloc_free(attrs); + if (dn) ldap_memfree(dn); + if (result) ldap_msgfree(result); + + mod_conn_release(inst, conn); + + return ret; +} + diff --git a/src/modules/rlm_ldap/config.h.in b/src/modules/rlm_ldap/config.h.in new file mode 100644 index 0000000..8ef08da --- /dev/null +++ b/src/modules/rlm_ldap/config.h.in @@ -0,0 +1,43 @@ +/* config.h.in. Generated from configure.ac by autoheader. */ + +/* Define to 1 if you have the `ldap_create_sort_control' function. */ +#undef HAVE_LDAP_CREATE_SORT_CONTROL + +/* Define to 1 if you have the `ldap_create_sort_keylist' function. */ +#undef HAVE_LDAP_CREATE_SORT_KEYLIST + +/* Define to 1 if you have the `ldap_free_sort_keylist' function. */ +#undef HAVE_LDAP_FREE_SORT_KEYLIST + +/* Define to 1 if you have the `ldap_initialize' function. */ +#undef HAVE_LDAP_INITIALIZE + +/* Define to 1 if you have the `ldap_is_ldap_url' function. */ +#undef HAVE_LDAP_IS_LDAP_URL + +/* Define to 1 if you have the `ldap_sasl_interactive_bind' function. */ +#undef HAVE_LDAP_SASL_INTERACTIVE_BIND + +/* Define to 1 if you have the `ldap_set_rebind_proc' function. */ +#undef HAVE_LDAP_SET_REBIND_PROC + +/* Define to 1 if you have the `ldap_start_tls_s' function. */ +#undef HAVE_LDAP_START_TLS_S + +/* Define to 1 if you have the `ldap_unbind_ext_s' function. */ +#undef HAVE_LDAP_UNBIND_EXT_S + +/* Define to 1 if you have the `ldap_url_desc2str' function. */ +#undef HAVE_LDAP_URL_DESC2STR + +/* Define to 1 if you have the `ldap_url_parse' function. */ +#undef HAVE_LDAP_URL_PARSE + +/* Number of arguments the rebind procedure takes */ +#undef LDAP_SET_REBIND_PROC_ARGS + +/* Build the server with support for Novell eDir Universal Password */ +#undef WITH_EDIR + +/* Build the server with support for SASL binds */ +#undef WITH_SASL diff --git a/src/modules/rlm_ldap/configure b/src/modules/rlm_ldap/configure new file mode 100755 index 0000000..4d0bd75 --- /dev/null +++ b/src/modules/rlm_ldap/configure @@ -0,0 +1,4563 @@ +#! /bin/sh +# From configure.ac Revision. +# Guess values for system-dependent variables and create Makefiles. +# Generated by GNU Autoconf 2.69. +# +# +# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. +# +# +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi + + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +as_myself= +case $0 in #(( + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + exit 1 +fi + +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +# Use a proper internal environment variable to ensure we don't fall + # into an infinite loop, continuously re-executing ourselves. + if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then + _as_can_reexec=no; export _as_can_reexec; + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +as_fn_exit 255 + fi + # We don't want this to propagate to other subprocesses. + { _as_can_reexec=; unset _as_can_reexec;} +if test "x$CONFIG_SHELL" = x; then + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which + # is contrary to our usage. Disable this feature. + alias -g '\${1+\"\$@\"}'='\"\$@\"' + setopt NO_GLOB_SUBST +else + case \`(set -o) 2>/dev/null\` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi +" + as_required="as_fn_return () { (exit \$1); } +as_fn_success () { as_fn_return 0; } +as_fn_failure () { as_fn_return 1; } +as_fn_ret_success () { return 0; } +as_fn_ret_failure () { return 1; } + +exitcode=0 +as_fn_success || { exitcode=1; echo as_fn_success failed.; } +as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } +as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } +as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } +if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : + +else + exitcode=1; echo positional parameters were not saved. +fi +test x\$exitcode = x0 || exit 1 +test -x / || exit 1" + as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO + as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO + eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && + test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1" + if (eval "$as_required") 2>/dev/null; then : + as_have_required=yes +else + as_have_required=no +fi + if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : + +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_found=false +for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + as_found=: + case $as_dir in #( + /*) + for as_base in sh bash ksh sh5; do + # Try only shells that exist, to save several forks. + as_shell=$as_dir/$as_base + if { test -f "$as_shell" || test -f "$as_shell.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : + CONFIG_SHELL=$as_shell as_have_required=yes + if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : + break 2 +fi +fi + done;; + esac + as_found=false +done +$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : + CONFIG_SHELL=$SHELL as_have_required=yes +fi; } +IFS=$as_save_IFS + + + if test "x$CONFIG_SHELL" != x; then : + export CONFIG_SHELL + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +exit 255 +fi + + if test x$as_have_required = xno; then : + $as_echo "$0: This script requires a shell more modern than all" + $as_echo "$0: the shells that I found on your system." + if test x${ZSH_VERSION+set} = xset ; then + $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" + $as_echo "$0: be upgraded to zsh 4.3.4 or later." + else + $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, +$0: including any error possibly output before this +$0: message. Then install a modern shell, or manually run +$0: the script under such a shell if you do have one." + fi + exit 1 +fi +fi +fi +SHELL=${CONFIG_SHELL-/bin/sh} +export SHELL +# Unset more variables known to interfere with behavior of common tools. +CLICOLOR_FORCE= GREP_OPTIONS= +unset CLICOLOR_FORCE GREP_OPTIONS + +## --------------------- ## +## M4sh Shell Functions. ## +## --------------------- ## +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" + + +} # as_fn_mkdir_p + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith + + +# as_fn_error STATUS ERROR [LINENO LOG_FD] +# ---------------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +# script with STATUS, using 1 if that was 0. +as_fn_error () +{ + as_status=$1; test $as_status -eq 0 && as_status=1 + if test "$4"; then + as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 + fi + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status +} # as_fn_error + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + + + as_lineno_1=$LINENO as_lineno_1a=$LINENO + as_lineno_2=$LINENO as_lineno_2a=$LINENO + eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && + test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { + # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + + # If we had to re-execute with $CONFIG_SHELL, we're ensured to have + # already done that, so ensure we don't try to do so again and fall + # in an infinite loop. This has already happened in practice. + _as_can_reexec=no; export _as_can_reexec + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in #((((( +-n*) + case `echo 'xy\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; + esac;; +*) + ECHO_N='-n';; +esac + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -pR' + fi +else + as_ln_s='cp -pR' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + +if mkdir -p . 2>/dev/null; then + as_mkdir_p='mkdir -p "$as_dir"' +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +as_test_x='test -x' +as_executable_p=as_fn_executable_p + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +test -n "$DJDIR" || exec 7<&0 </dev/null +exec 6>&1 + +# Name of the host. +# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, +# so uname gets run too. +ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` + +# +# Initializations. +# +ac_default_prefix=/usr/local +ac_clean_files= +ac_config_libobj_dir=. +LIBOBJS= +cross_compiling=no +subdirs= +MFLAGS= +MAKEFLAGS= + +# Identity of this package. +PACKAGE_NAME= +PACKAGE_TARNAME= +PACKAGE_VERSION= +PACKAGE_STRING= +PACKAGE_BUGREPORT= +PACKAGE_URL= + +ac_unique_file="rlm_ldap.c" +ac_subst_vars='LTLIBOBJS +LIBOBJS +targetname +SASL +mod_cflags +mod_ldflags +OBJEXT +EXEEXT +ac_ct_CC +CPPFLAGS +LDFLAGS +CFLAGS +CC +target_alias +host_alias +build_alias +LIBS +ECHO_T +ECHO_N +ECHO_C +DEFS +mandir +localedir +libdir +psdir +pdfdir +dvidir +htmldir +infodir +docdir +oldincludedir +includedir +runstatedir +localstatedir +sharedstatedir +sysconfdir +datadir +datarootdir +libexecdir +sbindir +bindir +program_transform_name +prefix +exec_prefix +PACKAGE_URL +PACKAGE_BUGREPORT +PACKAGE_STRING +PACKAGE_VERSION +PACKAGE_TARNAME +PACKAGE_NAME +PATH_SEPARATOR +SHELL' +ac_subst_files='' +ac_user_opts=' +enable_option_checking +with_rlm_ldap +with_rlm_ldap_lib_dir +with_rlm_ldap_include_dir +' + ac_precious_vars='build_alias +host_alias +target_alias +CC +CFLAGS +LDFLAGS +LIBS +CPPFLAGS' + + +# Initialize some variables set by options. +ac_init_help= +ac_init_version=false +ac_unrecognized_opts= +ac_unrecognized_sep= +# The variables have the same names as the options, with +# dashes changed to underlines. +cache_file=/dev/null +exec_prefix=NONE +no_create= +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +verbose= +x_includes=NONE +x_libraries=NONE + +# Installation directory options. +# These are left unexpanded so users can "make install exec_prefix=/foo" +# and all the variables that are supposed to be based on exec_prefix +# by default will actually change. +# Use braces instead of parens because sh, perl, etc. also accept them. +# (The list follows the same order as the GNU Coding Standards.) +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datarootdir='${prefix}/share' +datadir='${datarootdir}' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' +includedir='${prefix}/include' +oldincludedir='/usr/include' +docdir='${datarootdir}/doc/${PACKAGE}' +infodir='${datarootdir}/info' +htmldir='${docdir}' +dvidir='${docdir}' +pdfdir='${docdir}' +psdir='${docdir}' +libdir='${exec_prefix}/lib' +localedir='${datarootdir}/locale' +mandir='${datarootdir}/man' + +ac_prev= +ac_dashdash= +for ac_option +do + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval $ac_prev=\$ac_option + ac_prev= + continue + fi + + case $ac_option in + *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; + *=) ac_optarg= ;; + *) ac_optarg=yes ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. + + case $ac_dashdash$ac_option in + --) + ac_dashdash=yes ;; + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir=$ac_optarg ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build_alias ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build_alias=$ac_optarg ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file=$ac_optarg ;; + + --config-cache | -C) + cache_file=config.cache ;; + + -datadir | --datadir | --datadi | --datad) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=*) + datadir=$ac_optarg ;; + + -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ + | --dataroo | --dataro | --datar) + ac_prev=datarootdir ;; + -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ + | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) + datarootdir=$ac_optarg ;; + + -disable-* | --disable-*) + ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid feature name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=no ;; + + -docdir | --docdir | --docdi | --doc | --do) + ac_prev=docdir ;; + -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) + docdir=$ac_optarg ;; + + -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) + ac_prev=dvidir ;; + -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) + dvidir=$ac_optarg ;; + + -enable-* | --enable-*) + ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid feature name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=\$ac_optarg ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix=$ac_optarg ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. + with_gas=yes ;; + + -help | --help | --hel | --he | -h) + ac_init_help=long ;; + -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) + ac_init_help=recursive ;; + -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) + ac_init_help=short ;; + + -host | --host | --hos | --ho) + ac_prev=host_alias ;; + -host=* | --host=* | --hos=* | --ho=*) + host_alias=$ac_optarg ;; + + -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) + ac_prev=htmldir ;; + -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ + | --ht=*) + htmldir=$ac_optarg ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir=$ac_optarg ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir=$ac_optarg ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir=$ac_optarg ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir=$ac_optarg ;; + + -localedir | --localedir | --localedi | --localed | --locale) + ac_prev=localedir ;; + -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) + localedir=$ac_optarg ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | --localst | --locals) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) + localstatedir=$ac_optarg ;; + + -mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir=$ac_optarg ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c | -n) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir=$ac_optarg ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix=$ac_optarg ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix=$ac_optarg ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | --program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix=$ac_optarg ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | --program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name=$ac_optarg ;; + + -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) + ac_prev=pdfdir ;; + -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) + pdfdir=$ac_optarg ;; + + -psdir | --psdir | --psdi | --psd | --ps) + ac_prev=psdir ;; + -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) + psdir=$ac_optarg ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir=$ac_optarg ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir=$ac_optarg ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site=$ac_optarg ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + srcdir=$ac_optarg ;; + + -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir=$ac_optarg ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target_alias ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target_alias=$ac_optarg ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers | -V) + ac_init_version=: ;; + + -with-* | --with-*) + ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid package name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=\$ac_optarg ;; + + -without-* | --without-*) + ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid package name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=no ;; + + --x) + # Obsolete; use --with-x. + with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes=$ac_optarg ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries=$ac_optarg ;; + + -*) as_fn_error $? "unrecognized option: \`$ac_option' +Try \`$0 --help' for more information" + ;; + + *=*) + ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` + # Reject names that are not valid shell variable names. + case $ac_envvar in #( + '' | [0-9]* | *[!_$as_cr_alnum]* ) + as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; + esac + eval $ac_envvar=\$ac_optarg + export $ac_envvar ;; + + *) + # FIXME: should be removed in autoconf 3.0. + $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 + expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && + $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 + : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" + ;; + + esac +done + +if test -n "$ac_prev"; then + ac_option=--`echo $ac_prev | sed 's/_/-/g'` + as_fn_error $? "missing argument to $ac_option" +fi + +if test -n "$ac_unrecognized_opts"; then + case $enable_option_checking in + no) ;; + fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; + *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; + esac +fi + +# Check all directory arguments for consistency. +for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ + libdir localedir mandir runstatedir +do + eval ac_val=\$$ac_var + # Remove trailing slashes. + case $ac_val in + */ ) + ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` + eval $ac_var=\$ac_val;; + esac + # Be sure to have absolute directory names. + case $ac_val in + [\\/$]* | ?:[\\/]* ) continue;; + NONE | '' ) case $ac_var in *prefix ) continue;; esac;; + esac + as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" +done + +# There might be people who depend on the old broken behavior: `$host' +# used to hold the argument of --host etc. +# FIXME: To remove some day. +build=$build_alias +host=$host_alias +target=$target_alias + +# FIXME: To remove some day. +if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +fi + +ac_tool_prefix= +test -n "$host_alias" && ac_tool_prefix=$host_alias- + +test "$silent" = yes && exec 6>/dev/null + + +ac_pwd=`pwd` && test -n "$ac_pwd" && +ac_ls_di=`ls -di .` && +ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || + as_fn_error $? "working directory cannot be determined" +test "X$ac_ls_di" = "X$ac_pwd_ls_di" || + as_fn_error $? "pwd does not report name of working directory" + + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then the parent directory. + ac_confdir=`$as_dirname -- "$as_myself" || +$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_myself" : 'X\(//\)[^/]' \| \ + X"$as_myself" : 'X\(//\)$' \| \ + X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_myself" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + srcdir=$ac_confdir + if test ! -r "$srcdir/$ac_unique_file"; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r "$srcdir/$ac_unique_file"; then + test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." + as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" +fi +ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" +ac_abs_confdir=`( + cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" + pwd)` +# When building in place, set srcdir=. +if test "$ac_abs_confdir" = "$ac_pwd"; then + srcdir=. +fi +# Remove unnecessary trailing slashes from srcdir. +# Double slashes in file names in object file debugging info +# mess up M-x gdb in Emacs. +case $srcdir in +*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; +esac +for ac_var in $ac_precious_vars; do + eval ac_env_${ac_var}_set=\${${ac_var}+set} + eval ac_env_${ac_var}_value=\$${ac_var} + eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} + eval ac_cv_env_${ac_var}_value=\$${ac_var} +done + +# +# Report the --help message. +# +if test "$ac_init_help" = "long"; then + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat <<_ACEOF +\`configure' configures this package to adapt to many kinds of systems. + +Usage: $0 [OPTION]... [VAR=VALUE]... + +To assign environment variables (e.g., CC, CFLAGS...), specify them as +VAR=VALUE. See below for descriptions of some of the useful variables. + +Defaults for the options are specified in brackets. + +Configuration: + -h, --help display this help and exit + --help=short display options specific to this package + --help=recursive display the short help of all the included packages + -V, --version display version information and exit + -q, --quiet, --silent do not print \`checking ...' messages + --cache-file=FILE cache test results in FILE [disabled] + -C, --config-cache alias for \`--cache-file=config.cache' + -n, --no-create do not create output files + --srcdir=DIR find the sources in DIR [configure dir or \`..'] + +Installation directories: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [PREFIX] + +By default, \`make install' will install all the files in +\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify +an installation prefix other than \`$ac_default_prefix' using \`--prefix', +for instance \`--prefix=\$HOME'. + +For better control, use the options below. + +Fine tuning of the installation directories: + --bindir=DIR user executables [EPREFIX/bin] + --sbindir=DIR system admin executables [EPREFIX/sbin] + --libexecdir=DIR program executables [EPREFIX/libexec] + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] + --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] + --datadir=DIR read-only architecture-independent data [DATAROOTDIR] + --infodir=DIR info documentation [DATAROOTDIR/info] + --localedir=DIR locale-dependent data [DATAROOTDIR/locale] + --mandir=DIR man documentation [DATAROOTDIR/man] + --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] + --htmldir=DIR html documentation [DOCDIR] + --dvidir=DIR dvi documentation [DOCDIR] + --pdfdir=DIR pdf documentation [DOCDIR] + --psdir=DIR ps documentation [DOCDIR] +_ACEOF + + cat <<\_ACEOF +_ACEOF +fi + +if test -n "$ac_init_help"; then + + cat <<\_ACEOF + +Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --without-rlm_ldap build without LDAP support + --with-rlm-ldap-lib-dir=DIR directory for LDAP library files + --with-rlm-ldap-include-dir=DIR directory for LDAP include files + +Some influential environment variables: + CC C compiler command + CFLAGS C compiler flags + LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a + nonstandard directory <lib dir> + LIBS libraries to pass to the linker, e.g. -l<library> + CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if + you have headers in a nonstandard directory <include dir> + +Use these variables to override the choices made by `configure' or to help +it to find libraries and programs with nonstandard names/locations. + +Report bugs to the package provider. +_ACEOF +ac_status=$? +fi + +if test "$ac_init_help" = "recursive"; then + # If there are subdirs, report their specific --help. + for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue + test -d "$ac_dir" || + { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || + continue + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + cd "$ac_dir" || { ac_status=$?; continue; } + # Check for guested configure. + if test -f "$ac_srcdir/configure.gnu"; then + echo && + $SHELL "$ac_srcdir/configure.gnu" --help=recursive + elif test -f "$ac_srcdir/configure"; then + echo && + $SHELL "$ac_srcdir/configure" --help=recursive + else + $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 + fi || ac_status=$? + cd "$ac_pwd" || { ac_status=$?; break; } + done +fi + +test -n "$ac_init_help" && exit $ac_status +if $ac_init_version; then + cat <<\_ACEOF +configure +generated by GNU Autoconf 2.69 + +Copyright (C) 2012 Free Software Foundation, Inc. +This configure script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it. +_ACEOF + exit +fi + +## ------------------------ ## +## Autoconf initialization. ## +## ------------------------ ## + +# ac_fn_c_try_compile LINENO +# -------------------------- +# Try to compile conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext + if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_compile + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link + +# ac_fn_c_check_func LINENO FUNC VAR +# ---------------------------------- +# Tests whether FUNC exists, setting the cache variable VAR accordingly +ac_fn_c_check_func () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +/* Define $2 to an innocuous variant, in case <limits.h> declares $2. + For example, HP-UX 11i <limits.h> declares gettimeofday. */ +#define $2 innocuous_$2 + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $2 (); below. + Prefer <limits.h> to <assert.h> if __STDC__ is defined, since + <limits.h> exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include <limits.h> +#else +# include <assert.h> +#endif + +#undef $2 + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $2 (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$2 || defined __stub___$2 +choke me +#endif + +int +main () +{ +return $2 (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_func +cat >config.log <<_ACEOF +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. + +It was created by $as_me, which was +generated by GNU Autoconf 2.69. Invocation command line was + + $ $0 $@ + +_ACEOF +exec 5>>config.log +{ +cat <<_ASUNAME +## --------- ## +## Platform. ## +## --------- ## + +hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` + +/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` +/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` +/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` +/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` + +_ASUNAME + +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + $as_echo "PATH: $as_dir" + done +IFS=$as_save_IFS + +} >&5 + +cat >&5 <<_ACEOF + + +## ----------- ## +## Core tests. ## +## ----------- ## + +_ACEOF + + +# Keep a trace of the command line. +# Strip out --no-create and --no-recursion so they do not pile up. +# Strip out --silent because we don't want to record it for future runs. +# Also quote any args containing shell meta-characters. +# Make two passes to allow for proper duplicate-argument suppression. +ac_configure_args= +ac_configure_args0= +ac_configure_args1= +ac_must_keep_next=false +for ac_pass in 1 2 +do + for ac_arg + do + case $ac_arg in + -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + continue ;; + *\'*) + ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + case $ac_pass in + 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; + 2) + as_fn_append ac_configure_args1 " '$ac_arg'" + if test $ac_must_keep_next = true; then + ac_must_keep_next=false # Got value, back to normal. + else + case $ac_arg in + *=* | --config-cache | -C | -disable-* | --disable-* \ + | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ + | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ + | -with-* | --with-* | -without-* | --without-* | --x) + case "$ac_configure_args0 " in + "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; + esac + ;; + -* ) ac_must_keep_next=true ;; + esac + fi + as_fn_append ac_configure_args " '$ac_arg'" + ;; + esac + done +done +{ ac_configure_args0=; unset ac_configure_args0;} +{ ac_configure_args1=; unset ac_configure_args1;} + +# When interrupted or exit'd, cleanup temporary files, and complete +# config.log. We remove comments because anyway the quotes in there +# would cause problems or look ugly. +# WARNING: Use '\'' to represent an apostrophe within the trap. +# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. +trap 'exit_status=$? + # Save into config.log some information that might help in debugging. + { + echo + + $as_echo "## ---------------- ## +## Cache variables. ## +## ---------------- ##" + echo + # The following way of writing the cache mishandles newlines in values, +( + for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) { eval $ac_var=; unset $ac_var;} ;; + esac ;; + esac + done + (set) 2>&1 | + case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + sed -n \ + "s/'\''/'\''\\\\'\'''\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" + ;; #( + *) + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) + echo + + $as_echo "## ----------------- ## +## Output variables. ## +## ----------------- ##" + echo + for ac_var in $ac_subst_vars + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + + if test -n "$ac_subst_files"; then + $as_echo "## ------------------- ## +## File substitutions. ## +## ------------------- ##" + echo + for ac_var in $ac_subst_files + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + fi + + if test -s confdefs.h; then + $as_echo "## ----------- ## +## confdefs.h. ## +## ----------- ##" + echo + cat confdefs.h + echo + fi + test "$ac_signal" != 0 && + $as_echo "$as_me: caught signal $ac_signal" + $as_echo "$as_me: exit $exit_status" + } >&5 + rm -f core *.core core.conftest.* && + rm -f -r conftest* confdefs* conf$$* $ac_clean_files && + exit $exit_status +' 0 +for ac_signal in 1 2 13 15; do + trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal +done +ac_signal=0 + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -f -r conftest* confdefs.h + +$as_echo "/* confdefs.h */" > confdefs.h + +# Predefined preprocessor variables. + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_NAME "$PACKAGE_NAME" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_TARNAME "$PACKAGE_TARNAME" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_VERSION "$PACKAGE_VERSION" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_STRING "$PACKAGE_STRING" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_URL "$PACKAGE_URL" +_ACEOF + + +# Let the site file select an alternate cache file if it wants to. +# Prefer an explicitly selected file to automatically selected ones. +ac_site_file1=NONE +ac_site_file2=NONE +if test -n "$CONFIG_SITE"; then + # We do not want a PATH search for config.site. + case $CONFIG_SITE in #(( + -*) ac_site_file1=./$CONFIG_SITE;; + */*) ac_site_file1=$CONFIG_SITE;; + *) ac_site_file1=./$CONFIG_SITE;; + esac +elif test "x$prefix" != xNONE; then + ac_site_file1=$prefix/share/config.site + ac_site_file2=$prefix/etc/config.site +else + ac_site_file1=$ac_default_prefix/share/config.site + ac_site_file2=$ac_default_prefix/etc/config.site +fi +for ac_site_file in "$ac_site_file1" "$ac_site_file2" +do + test "x$ac_site_file" = xNONE && continue + if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 +$as_echo "$as_me: loading site script $ac_site_file" >&6;} + sed 's/^/| /' "$ac_site_file" >&5 + . "$ac_site_file" \ + || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "failed to load site script $ac_site_file +See \`config.log' for more details" "$LINENO" 5; } + fi +done + +if test -r "$cache_file"; then + # Some versions of bash will fail to source /dev/null (special files + # actually), so we avoid doing that. DJGPP emulates it as a regular file. + if test /dev/null != "$cache_file" && test -f "$cache_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 +$as_echo "$as_me: loading cache $cache_file" >&6;} + case $cache_file in + [\\/]* | ?:[\\/]* ) . "$cache_file";; + *) . "./$cache_file";; + esac + fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 +$as_echo "$as_me: creating cache $cache_file" >&6;} + >$cache_file +fi + +# Check that the precious variables saved in the cache have kept the same +# value. +ac_cache_corrupted=false +for ac_var in $ac_precious_vars; do + eval ac_old_set=\$ac_cv_env_${ac_var}_set + eval ac_new_set=\$ac_env_${ac_var}_set + eval ac_old_val=\$ac_cv_env_${ac_var}_value + eval ac_new_val=\$ac_env_${ac_var}_value + case $ac_old_set,$ac_new_set in + set,) + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,set) + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,);; + *) + if test "x$ac_old_val" != "x$ac_new_val"; then + # differences in whitespace do not lead to failure. + ac_old_val_w=`echo x $ac_old_val` + ac_new_val_w=`echo x $ac_new_val` + if test "$ac_old_val_w" != "$ac_new_val_w"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 +$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + ac_cache_corrupted=: + else + { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 +$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} + eval $ac_var=\$ac_old_val + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 +$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 +$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} + fi;; + esac + # Pass precious variables to config.status. + if test "$ac_new_set" = set; then + case $ac_new_val in + *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *) ac_arg=$ac_var=$ac_new_val ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. + *) as_fn_append ac_configure_args " '$ac_arg'" ;; + esac + fi +done +if $ac_cache_corrupted; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 +$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} + as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 +fi +## -------------------- ## +## Main body of script. ## +## -------------------- ## + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + + + + + +# Check whether --with-rlm_ldap was given. +if test "${with_rlm_ldap+set}" = set; then : + withval=$with_rlm_ldap; +fi + + + +fail= +SMART_LIBS= +SMART_CLFAGS= +SASL= + +if test x$with_rlm_ldap != xno; then + + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. +set dummy ${ac_tool_prefix}gcc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_CC"; then + ac_ct_CC=$CC + # Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +else + CC="$ac_cv_prog_CC" +fi + +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. +set dummy ${ac_tool_prefix}cc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + fi +fi +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + ac_prog_rejected=no +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# != 0; then + # We chose a different compiler from the bogus one. + # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. + shift + ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" + fi +fi +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + for ac_prog in cl.exe + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$CC" && break + done +fi +if test -z "$CC"; then + ac_ct_CC=$CC + for ac_prog in cl.exe +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_CC" && break +done + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +fi + +fi + + +test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "no acceptable C compiler found in \$PATH +See \`config.log' for more details" "$LINENO" 5; } + +# Provide some information about the compiler. +$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 +set X $ac_compile +ac_compiler=$2 +for ac_option in --version -v -V -qversion; do + { { ac_try="$ac_compiler $ac_option >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compiler $ac_option >&5") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + sed '10a\ +... rest of stderr output deleted ... + 10q' conftest.err >conftest.er1 + cat conftest.er1 >&5 + fi + rm -f conftest.er1 conftest.err + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } +done + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" +# Try to create an executable without -o first, disregard a.out. +# It will help us diagnose broken compilers, and finding out an intuition +# of exeext. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } +ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` + +# The possible output files: +ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" + +ac_rmfiles= +for ac_file in $ac_files +do + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + * ) ac_rmfiles="$ac_rmfiles $ac_file";; + esac +done +rm -f $ac_rmfiles + +if { { ac_try="$ac_link_default" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link_default") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. +# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' +# in a Makefile. We should not override ac_cv_exeext if it was cached, +# so that the user can short-circuit this test for compilers unknown to +# Autoconf. +for ac_file in $ac_files '' +do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) + ;; + [ab].out ) + # We found the default executable, but exeext='' is most + # certainly right. + break;; + *.* ) + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + then :; else + ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + fi + # We set ac_cv_exeext here because the later test for it is not + # safe: cross compilers may not add the suffix if given an `-o' + # argument, so we may need to know it at that point already. + # Even if this section looks crufty: it has the advantage of + # actually working. + break;; + * ) + break;; + esac +done +test "$ac_cv_exeext" = no && ac_cv_exeext= + +else + ac_file='' +fi +if test -z "$ac_file"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "C compiler cannot create executables +See \`config.log' for more details" "$LINENO" 5; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } +ac_exeext=$ac_cv_exeext + +rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 +$as_echo_n "checking for suffix of executables... " >&6; } +if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + # If both `conftest.exe' and `conftest' are `present' (well, observable) +# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will +# work properly (i.e., refer to `conftest.exe'), while it won't with +# `rm'. +for ac_file in conftest.exe conftest conftest.*; do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + break;; + * ) break;; + esac +done +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f conftest conftest$ac_cv_exeext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 +$as_echo "$ac_cv_exeext" >&6; } + +rm -f conftest.$ac_ext +EXEEXT=$ac_cv_exeext +ac_exeext=$EXEEXT +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdio.h> +int +main () +{ +FILE *f = fopen ("conftest.out", "w"); + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +ac_clean_files="$ac_clean_files conftest.out" +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... " >&6; } +if test "$cross_compiling" != yes; then + { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if { ac_try='./conftest$ac_cv_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details" "$LINENO" 5; } + fi + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 +$as_echo_n "checking for suffix of object files... " >&6; } +if ${ac_cv_objext+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.o conftest.obj +if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + for ac_file in conftest.o conftest.obj conftest.*; do + test -f "$ac_file" || continue; + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; + *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` + break;; + esac +done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot compute suffix of object files: cannot compile +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f conftest.$ac_cv_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 +$as_echo "$ac_cv_objext" >&6; } +OBJEXT=$ac_cv_objext +ac_objext=$OBJEXT +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 +$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } +if ${ac_cv_c_compiler_gnu+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ +#ifndef __GNUC__ + choke me +#endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_compiler_gnu=yes +else + ac_compiler_gnu=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +ac_cv_c_compiler_gnu=$ac_compiler_gnu + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 +$as_echo "$ac_cv_c_compiler_gnu" >&6; } +if test $ac_compiler_gnu = yes; then + GCC=yes +else + GCC= +fi +ac_test_CFLAGS=${CFLAGS+set} +ac_save_CFLAGS=$CFLAGS +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 +$as_echo_n "checking whether $CC accepts -g... " >&6; } +if ${ac_cv_prog_cc_g+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_save_c_werror_flag=$ac_c_werror_flag + ac_c_werror_flag=yes + ac_cv_prog_cc_g=no + CFLAGS="-g" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_g=yes +else + CFLAGS="" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + ac_c_werror_flag=$ac_save_c_werror_flag + CFLAGS="-g" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_g=yes +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_c_werror_flag=$ac_save_c_werror_flag +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 +$as_echo "$ac_cv_prog_cc_g" >&6; } +if test "$ac_test_CFLAGS" = set; then + CFLAGS=$ac_save_CFLAGS +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 +$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } +if ${ac_cv_prog_cc_c89+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_prog_cc_c89=no +ac_save_CC=$CC +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdarg.h> +#include <stdio.h> +struct stat; +/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ +struct buf { int x; }; +FILE * (*rcsopen) (struct buf *, struct stat *, int); +static char *e (p, i) + char **p; + int i; +{ + return p[i]; +} +static char *f (char * (*g) (char **, int), char **p, ...) +{ + char *s; + va_list v; + va_start (v,p); + s = g (p, va_arg (v,int)); + va_end (v); + return s; +} + +/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has + function prototypes and stuff, but not '\xHH' hex character constants. + These don't provoke an error unfortunately, instead are silently treated + as 'x'. The following induces an error, until -std is added to get + proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an + array size at least. It's necessary to write '\x00'==0 to get something + that's true only with -std. */ +int osf4_cc_array ['\x00' == 0 ? 1 : -1]; + +/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters + inside strings and character constants. */ +#define FOO(x) 'x' +int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; + +int test (int i, double x); +struct s1 {int (*f) (int a);}; +struct s2 {int (*f) (double a);}; +int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); +int argc; +char **argv; +int +main () +{ +return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; + ; + return 0; +} +_ACEOF +for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ + -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" +do + CC="$ac_save_CC $ac_arg" + if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_c89=$ac_arg +fi +rm -f core conftest.err conftest.$ac_objext + test "x$ac_cv_prog_cc_c89" != "xno" && break +done +rm -f conftest.$ac_ext +CC=$ac_save_CC + +fi +# AC_CACHE_VAL +case "x$ac_cv_prog_cc_c89" in + x) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; + xno) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; + *) + CC="$CC $ac_cv_prog_cc_c89" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 +$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; +esac +if test "x$ac_cv_prog_cc_c89" != xno; then : + +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + + rlm_ldap_lib_dir= + +# Check whether --with-rlm-ldap-lib-dir was given. +if test "${with_rlm_ldap_lib_dir+set}" = set; then : + withval=$with_rlm_ldap_lib_dir; case "$withval" in + no) + as_fn_error $? "Need rlm-ldap-lib-dir" "$LINENO" 5 + ;; + yes) + ;; + *) + rlm_ldap_lib_dir="$withval" + ;; + esac + +fi + + + rlm_ldap_include_dir= + +# Check whether --with-rlm-ldap-include-dir was given. +if test "${with_rlm_ldap_include_dir+set}" = set; then : + withval=$with_rlm_ldap_include_dir; case "$withval" in + no) + as_fn_error $? "Need rlm-ldap-include-dir" "$LINENO" 5 + ;; + yes) + ;; + *) + rlm_ldap_include_dir="$withval" + ;; + esac + +fi + + + + smart_try_dir=$rlm_ldap_lib_dir + + + +sm_lib_safe=`echo "ldap" | sed 'y%./+-%__p_%'` +sm_func_safe=`echo "ldap_init" | sed 'y%./+-%__p_%'` + +old_LIBS="$LIBS" +old_CPPFLAGS="$CPPFLAGS" +smart_lib= +smart_ldflags= +smart_lib_dir= + +if test "x$smart_try_dir" != "x"; then + for try in $smart_try_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_init in -lldap in $try" >&5 +$as_echo_n "checking for ldap_init in -lldap in $try... " >&6; } + LIBS="-lldap $old_LIBS" + CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +extern char ldap_init(); +int +main () +{ +ldap_init() + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + smart_lib="-lldap" + smart_ldflags="-L$try -Wl,-rpath,$try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + done + LIBS="$old_LIBS" + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_lib" = "x"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_init in -lldap" >&5 +$as_echo_n "checking for ldap_init in -lldap... " >&6; } + LIBS="-lldap $old_LIBS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +extern char ldap_init(); +int +main () +{ +ldap_init() + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + smart_lib="-lldap" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS="$old_LIBS" +fi + +if test "x$smart_lib" = "x"; then + for try in /usr/local/lib /opt/lib; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_init in -lldap in $try" >&5 +$as_echo_n "checking for ldap_init in -lldap in $try... " >&6; } + LIBS="-lldap $old_LIBS" + CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +extern char ldap_init(); +int +main () +{ +ldap_init() + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + smart_lib="-lldap" + smart_ldflags="-L$try -Wl,-rpath,$try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + done + LIBS="$old_LIBS" + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_lib" != "x"; then + eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes" + LIBS="$smart_ldflags $smart_lib $old_LIBS" + SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" +fi + + if test "x$ac_cv_lib_ldap_ldap_init" != "xyes"; then + fail="$fail libldap" + fi + + + smart_try_dir=$rlm_ldap_include_dir + + +ac_safe=`echo "ldap.h" | sed 'y%./+-%__pm%'` +old_CPPFLAGS="$CPPFLAGS" +smart_include= +smart_include_dir="/usr/local/include /opt/include" + +_smart_try_dir= +_smart_include_dir= + +for _prefix in $smart_prefix ""; do + for _dir in $smart_try_dir; do + _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" + done + + for _dir in $smart_include_dir; do + _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" + done +done + +if test "x$_smart_try_dir" != "x"; then + for try in $_smart_try_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap.h in $try" >&5 +$as_echo_n "checking for ldap.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <ldap.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" = "x"; then + for _prefix in $smart_prefix; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/ldap.h" >&5 +$as_echo_n "checking for ${_prefix}/ldap.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <ldap.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem ${_prefix}/" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +fi + +if test "x$smart_include" = "x"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap.h" >&5 +$as_echo_n "checking for ldap.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <ldap.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include=" " + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if test "x$smart_include" = "x"; then + + for try in $_smart_include_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap.h in $try" >&5 +$as_echo_n "checking for ldap.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <ldap.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" != "x"; then + eval "ac_cv_header_$ac_safe=yes" + CPPFLAGS="$smart_include $old_CPPFLAGS" + SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" +fi + +smart_prefix= + + if test "$ac_cv_header_ldap_h" != "yes"; then + fail="$fail ldap.h" + fi + + + if test "x$fail" = "x"; then + for ac_func in ldap_sasl_interactive_bind \ + ldap_unbind_ext_s \ + ldap_start_tls_s \ + ldap_initialize \ + ldap_set_rebind_proc \ + ldap_create_sort_control \ + ldap_create_sort_keylist \ + ldap_free_sort_keylist \ + ldap_url_parse \ + ldap_is_ldap_url \ + ldap_url_desc2str + +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ldap_set_rebind_proc takes 3 arguments" >&5 +$as_echo_n "checking whether ldap_set_rebind_proc takes 3 arguments... " >&6; } +if ${ac_cv_ldap_set_rebind_proc+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <lber.h> + #include <ldap.h> +int +main () +{ +ldap_set_rebind_proc(0, 0, 0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_ldap_set_rebind_proc=3 +else + ac_cv_ldap_set_rebind_proc=2 +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_ldap_set_rebind_proc" >&5 +$as_echo "$ac_cv_ldap_set_rebind_proc" >&6; } + fi + + + +ac_safe=`echo "sasl/sasl.h" | sed 'y%./+-%__pm%'` +old_CPPFLAGS="$CPPFLAGS" +smart_include= +smart_include_dir="/usr/local/include /opt/include" + +_smart_try_dir= +_smart_include_dir= + +for _prefix in $smart_prefix ""; do + for _dir in $smart_try_dir; do + _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" + done + + for _dir in $smart_include_dir; do + _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" + done +done + +if test "x$_smart_try_dir" != "x"; then + for try in $_smart_try_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sasl/sasl.h in $try" >&5 +$as_echo_n "checking for sasl/sasl.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <sasl/sasl.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" = "x"; then + for _prefix in $smart_prefix; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/sasl/sasl.h" >&5 +$as_echo_n "checking for ${_prefix}/sasl/sasl.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <sasl/sasl.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem ${_prefix}/" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +fi + +if test "x$smart_include" = "x"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sasl/sasl.h" >&5 +$as_echo_n "checking for sasl/sasl.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <sasl/sasl.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include=" " + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if test "x$smart_include" = "x"; then + + for try in $_smart_include_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sasl/sasl.h in $try" >&5 +$as_echo_n "checking for sasl/sasl.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <sasl/sasl.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" != "x"; then + eval "ac_cv_header_$ac_safe=yes" + CPPFLAGS="$smart_include $old_CPPFLAGS" + SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" +fi + +smart_prefix= + + if test "x$ac_cv_header_sasl_sasl_h" = "xyes"; then + if test x"$ac_cv_func_ldap_sasl_interactive_bind" = "xyes"; then + +$as_echo "#define WITH_SASL 1" >>confdefs.h + + SASL=sasl.c + fi + fi + + targetname=rlm_ldap +else + targetname= + echo \*\*\* module rlm_ldap is disabled. +fi + +if test x"$fail" != x""; then + if test x"${enable_strict_dependencies}" = x"yes"; then + as_fn_error $? "set --without-rlm_ldap to disable it explicitly." "$LINENO" 5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_ldap." >&5 +$as_echo "$as_me: WARNING: silently not building rlm_ldap." >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_ldap requires: $fail." >&5 +$as_echo "$as_me: WARNING: FAILURE: rlm_ldap requires: $fail." >&2;} + if test x"$headersuggestion" != x; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $headersuggestion" >&5 +$as_echo "$as_me: WARNING: $headersuggestion" >&2;} + fi + if test x"$libsuggestion" != x; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $libsuggestion" >&5 +$as_echo "$as_me: WARNING: $libsuggestion" >&2;} + fi + targetname="" + fi +fi + + +$as_echo "#define WITH_EDIR 1" >>confdefs.h + + +cat >>confdefs.h <<_ACEOF +#define LDAP_SET_REBIND_PROC_ARGS ${ac_cv_ldap_set_rebind_proc} +_ACEOF + + +mod_ldflags=$SMART_LIBS +mod_cflags="$SMART_CPPFLAGS" + + + + + +ac_config_headers="$ac_config_headers config.h" + +ac_config_files="$ac_config_files all.mk" + +cat >confcache <<\_ACEOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs, see configure's option --config-cache. +# It is not useful on other systems. If it contains results you don't +# want to keep, you may remove or edit it. +# +# config.status only pays attention to the cache file if you give it +# the --recheck option to rerun configure. +# +# `ac_cv_env_foo' variables (set or unset) will be overridden when +# loading this file, other *unset* `ac_cv_foo' will be assigned the +# following values. + +_ACEOF + +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, we kill variables containing newlines. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +( + for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) { eval $ac_var=; unset $ac_var;} ;; + esac ;; + esac + done + + (set) 2>&1 | + case $as_nl`(ac_space=' '; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + # `set' does not quote correctly, so add quotes: double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \. + sed -n \ + "s/'/'\\\\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" + ;; #( + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) | + sed ' + /^ac_cv_env_/b end + t clear + :clear + s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ + t end + s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ + :end' >>confcache +if diff "$cache_file" confcache >/dev/null 2>&1; then :; else + if test -w "$cache_file"; then + if test "x$cache_file" != "x/dev/null"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 +$as_echo "$as_me: updating cache $cache_file" >&6;} + if test ! -f "$cache_file" || test -h "$cache_file"; then + cat confcache >"$cache_file" + else + case $cache_file in #( + */* | ?:*) + mv -f confcache "$cache_file"$$ && + mv -f "$cache_file"$$ "$cache_file" ;; #( + *) + mv -f confcache "$cache_file" ;; + esac + fi + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 +$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} + fi +fi +rm -f confcache + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +DEFS=-DHAVE_CONFIG_H + +ac_libobjs= +ac_ltlibobjs= +U= +for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue + # 1. Remove the extension, and $U if already installed. + ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' + ac_i=`$as_echo "$ac_i" | sed "$ac_script"` + # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR + # will be set to the directory where LIBOBJS objects are built. + as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" + as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' +done +LIBOBJS=$ac_libobjs + +LTLIBOBJS=$ac_ltlibobjs + + + +: "${CONFIG_STATUS=./config.status}" +ac_write_fail=0 +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files $CONFIG_STATUS" +{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} +as_write_fail=0 +cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 +#! $SHELL +# Generated by $as_me. +# Run this file to recreate the current configuration. +# Compiler output produced by configure, useful for debugging +# configure, is in config.log if it exists. + +debug=false +ac_cs_recheck=false +ac_cs_silent=false + +SHELL=\${CONFIG_SHELL-$SHELL} +export SHELL +_ASEOF +cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi + + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +as_myself= +case $0 in #(( + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + exit 1 +fi + +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + + +# as_fn_error STATUS ERROR [LINENO LOG_FD] +# ---------------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +# script with STATUS, using 1 if that was 0. +as_fn_error () +{ + as_status=$1; test $as_status -eq 0 && as_status=1 + if test "$4"; then + as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 + fi + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status +} # as_fn_error + + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith + + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in #((((( +-n*) + case `echo 'xy\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; + esac;; +*) + ECHO_N='-n';; +esac + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -pR' + fi +else + as_ln_s='cp -pR' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" + + +} # as_fn_mkdir_p +if mkdir -p . 2>/dev/null; then + as_mkdir_p='mkdir -p "$as_dir"' +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p +as_test_x='test -x' +as_executable_p=as_fn_executable_p + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +exec 6>&1 +## ----------------------------------- ## +## Main body of $CONFIG_STATUS script. ## +## ----------------------------------- ## +_ASEOF +test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# Save the log message, to keep $0 and so on meaningful, and to +# report actual input values of CONFIG_FILES etc. instead of their +# values after options handling. +ac_log=" +This file was extended by $as_me, which was +generated by GNU Autoconf 2.69. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS + CONFIG_LINKS = $CONFIG_LINKS + CONFIG_COMMANDS = $CONFIG_COMMANDS + $ $0 $@ + +on `(hostname || uname -n) 2>/dev/null | sed 1q` +" + +_ACEOF + +case $ac_config_files in *" +"*) set x $ac_config_files; shift; ac_config_files=$*;; +esac + +case $ac_config_headers in *" +"*) set x $ac_config_headers; shift; ac_config_headers=$*;; +esac + + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# Files that config.status was made for. +config_files="$ac_config_files" +config_headers="$ac_config_headers" + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +ac_cs_usage="\ +\`$as_me' instantiates files and other configuration actions +from templates according to the current configuration. Unless the files +and actions are specified as TAGs, all are instantiated by default. + +Usage: $0 [OPTION]... [TAG]... + + -h, --help print this help, then exit + -V, --version print version number and configuration settings, then exit + --config print configuration, then exit + -q, --quiet, --silent + do not print progress messages + -d, --debug don't remove temporary files + --recheck update $as_me by reconfiguring in the same conditions + --file=FILE[:TEMPLATE] + instantiate the configuration file FILE + --header=FILE[:TEMPLATE] + instantiate the configuration header FILE + +Configuration files: +$config_files + +Configuration headers: +$config_headers + +Report bugs to the package provider." + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" +ac_cs_version="\\ +config.status +configured by $0, generated by GNU Autoconf 2.69, + with options \\"\$ac_cs_config\\" + +Copyright (C) 2012 Free Software Foundation, Inc. +This config.status script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it." + +ac_pwd='$ac_pwd' +srcdir='$srcdir' +test -n "\$AWK" || AWK=awk +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# The default lists apply if the user does not specify any file. +ac_need_defaults=: +while test $# != 0 +do + case $1 in + --*=?*) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` + ac_shift=: + ;; + --*=) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg= + ac_shift=: + ;; + *) + ac_option=$1 + ac_optarg=$2 + ac_shift=shift + ;; + esac + + case $ac_option in + # Handling of the options. + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + ac_cs_recheck=: ;; + --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) + $as_echo "$ac_cs_version"; exit ;; + --config | --confi | --conf | --con | --co | --c ) + $as_echo "$ac_cs_config"; exit ;; + --debug | --debu | --deb | --de | --d | -d ) + debug=: ;; + --file | --fil | --fi | --f ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + '') as_fn_error $? "missing file argument" ;; + esac + as_fn_append CONFIG_FILES " '$ac_optarg'" + ac_need_defaults=false;; + --header | --heade | --head | --hea ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + as_fn_append CONFIG_HEADERS " '$ac_optarg'" + ac_need_defaults=false;; + --he | --h) + # Conflict between --help and --header + as_fn_error $? "ambiguous option: \`$1' +Try \`$0 --help' for more information.";; + --help | --hel | -h ) + $as_echo "$ac_cs_usage"; exit ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil | --si | --s) + ac_cs_silent=: ;; + + # This is an error. + -*) as_fn_error $? "unrecognized option: \`$1' +Try \`$0 --help' for more information." ;; + + *) as_fn_append ac_config_targets " $1" + ac_need_defaults=false ;; + + esac + shift +done + +ac_configure_extra_args= + +if $ac_cs_silent; then + exec 6>/dev/null + ac_configure_extra_args="$ac_configure_extra_args --silent" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +if \$ac_cs_recheck; then + set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' + export CONFIG_SHELL + exec "\$@" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. ## +_ASBOX + $as_echo "$ac_log" +} >&5 + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + +# Handling of arguments. +for ac_config_target in $ac_config_targets +do + case $ac_config_target in + "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + "all.mk") CONFIG_FILES="$CONFIG_FILES all.mk" ;; + + *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; + esac +done + + +# If the user did not use the arguments to specify the items to instantiate, +# then the envvar interface is used. Set only those that are not. +# We use the long form for the default assignment because of an extremely +# bizarre bug on SunOS 4.1.3. +if $ac_need_defaults; then + test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files + test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers +fi + +# Have a temporary directory for convenience. Make it in the build tree +# simply because there is no reason against having it here, and in addition, +# creating and moving files from /tmp can sometimes cause problems. +# Hook for its removal unless debugging. +# Note that there is a small window in which the directory will not be cleaned: +# after its creation but before its name has been assigned to `$tmp'. +$debug || +{ + tmp= ac_tmp= + trap 'exit_status=$? + : "${ac_tmp:=$tmp}" + { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status +' 0 + trap 'as_fn_exit 1' 1 2 13 15 +} +# Create a (secure) tmp directory for tmp files. + +{ + tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && + test -d "$tmp" +} || +{ + tmp=./conf$$-$RANDOM + (umask 077 && mkdir "$tmp") +} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 +ac_tmp=$tmp + +# Set up the scripts for CONFIG_FILES section. +# No need to generate them if there are no CONFIG_FILES. +# This happens for instance with `./config.status config.h'. +if test -n "$CONFIG_FILES"; then + + +ac_cr=`echo X | tr X '\015'` +# On cygwin, bash can eat \r inside `` if the user requested igncr. +# But we know of no other shell where ac_cr would be empty at this +# point, so we can use a bashism as a fallback. +if test "x$ac_cr" = x; then + eval ac_cr=\$\'\\r\' +fi +ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null` +if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then + ac_cs_awk_cr='\\r' +else + ac_cs_awk_cr=$ac_cr +fi + +echo 'BEGIN {' >"$ac_tmp/subs1.awk" && +_ACEOF + + +{ + echo "cat >conf$$subs.awk <<_ACEOF" && + echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && + echo "_ACEOF" +} >conf$$subs.sh || + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 +ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` +ac_delim='%!_!# ' +for ac_last_try in false false false false false :; do + . ./conf$$subs.sh || + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + + ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` + if test $ac_delim_n = $ac_delim_num; then + break + elif $ac_last_try; then + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done +rm -f conf$$subs.sh + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && +_ACEOF +sed -n ' +h +s/^/S["/; s/!.*/"]=/ +p +g +s/^[^!]*!// +:repl +t repl +s/'"$ac_delim"'$// +t delim +:nl +h +s/\(.\{148\}\)..*/\1/ +t more1 +s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ +p +n +b repl +:more1 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t nl +:delim +h +s/\(.\{148\}\)..*/\1/ +t more2 +s/["\\]/\\&/g; s/^/"/; s/$/"/ +p +b +:more2 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t delim +' <conf$$subs.awk | sed ' +/^[^""]/{ + N + s/\n// +} +' >>$CONFIG_STATUS || ac_write_fail=1 +rm -f conf$$subs.awk +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACAWK +cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && + for (key in S) S_is_set[key] = 1 + FS = "" + +} +{ + line = $ 0 + nfields = split(line, field, "@") + substed = 0 + len = length(field[1]) + for (i = 2; i < nfields; i++) { + key = field[i] + keylen = length(key) + if (S_is_set[key]) { + value = S[key] + line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) + len += length(value) + length(field[++i]) + substed = 1 + } else + len += 1 + keylen + } + + print line +} + +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then + sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" +else + cat +fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ + || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 +_ACEOF + +# VPATH may cause trouble with some makes, so we remove sole $(srcdir), +# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and +# trailing colons and then remove the whole line if VPATH becomes empty +# (actually we leave an empty line to preserve line numbers). +if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ +h +s/// +s/^/:/ +s/[ ]*$/:/ +s/:\$(srcdir):/:/g +s/:\${srcdir}:/:/g +s/:@srcdir@:/:/g +s/^:*// +s/:*$// +x +s/\(=[ ]*\).*/\1/ +G +s/\n// +s/^[^=]*=[ ]*$// +}' +fi + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +fi # test -n "$CONFIG_FILES" + +# Set up the scripts for CONFIG_HEADERS section. +# No need to generate them if there are no CONFIG_HEADERS. +# This happens for instance with `./config.status Makefile'. +if test -n "$CONFIG_HEADERS"; then +cat >"$ac_tmp/defines.awk" <<\_ACAWK || +BEGIN { +_ACEOF + +# Transform confdefs.h into an awk script `defines.awk', embedded as +# here-document in config.status, that substitutes the proper values into +# config.h.in to produce config.h. + +# Create a delimiter string that does not exist in confdefs.h, to ease +# handling of long lines. +ac_delim='%!_!# ' +for ac_last_try in false false :; do + ac_tt=`sed -n "/$ac_delim/p" confdefs.h` + if test -z "$ac_tt"; then + break + elif $ac_last_try; then + as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done + +# For the awk script, D is an array of macro values keyed by name, +# likewise P contains macro parameters if any. Preserve backslash +# newline sequences. + +ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* +sed -n ' +s/.\{148\}/&'"$ac_delim"'/g +t rset +:rset +s/^[ ]*#[ ]*define[ ][ ]*/ / +t def +d +:def +s/\\$// +t bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3"/p +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p +d +:bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3\\\\\\n"\\/p +t cont +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p +t cont +d +:cont +n +s/.\{148\}/&'"$ac_delim"'/g +t clear +:clear +s/\\$// +t bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/"/p +d +:bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p +b cont +' <confdefs.h | sed ' +s/'"$ac_delim"'/"\\\ +"/g' >>$CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + for (key in D) D_is_set[key] = 1 + FS = "" +} +/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { + line = \$ 0 + split(line, arg, " ") + if (arg[1] == "#") { + defundef = arg[2] + mac1 = arg[3] + } else { + defundef = substr(arg[1], 2) + mac1 = arg[2] + } + split(mac1, mac2, "(") #) + macro = mac2[1] + prefix = substr(line, 1, index(line, defundef) - 1) + if (D_is_set[macro]) { + # Preserve the white space surrounding the "#". + print prefix "define", macro P[macro] D[macro] + next + } else { + # Replace #undef with comments. This is necessary, for example, + # in the case of _POSIX_SOURCE, which is predefined and required + # on some systems where configure will not decide to define it. + if (defundef == "undef") { + print "/*", prefix defundef, macro, "*/" + next + } + } +} +{ print } +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 +fi # test -n "$CONFIG_HEADERS" + + +eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS " +shift +for ac_tag +do + case $ac_tag in + :[FHLC]) ac_mode=$ac_tag; continue;; + esac + case $ac_mode$ac_tag in + :[FHL]*:*);; + :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; + :[FH]-) ac_tag=-:-;; + :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; + esac + ac_save_IFS=$IFS + IFS=: + set x $ac_tag + IFS=$ac_save_IFS + shift + ac_file=$1 + shift + + case $ac_mode in + :L) ac_source=$1;; + :[FH]) + ac_file_inputs= + for ac_f + do + case $ac_f in + -) ac_f="$ac_tmp/stdin";; + *) # Look for the file first in the build tree, then in the source tree + # (if the path is not absolute). The absolute path cannot be DOS-style, + # because $ac_f cannot contain `:'. + test -f "$ac_f" || + case $ac_f in + [\\/$]*) false;; + *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; + esac || + as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; + esac + case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac + as_fn_append ac_file_inputs " '$ac_f'" + done + + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + configure_input='Generated from '` + $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' + `' by configure.' + if test x"$ac_file" != x-; then + configure_input="$ac_file. $configure_input" + { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 +$as_echo "$as_me: creating $ac_file" >&6;} + fi + # Neutralize special characters interpreted by sed in replacement strings. + case $configure_input in #( + *\&* | *\|* | *\\* ) + ac_sed_conf_input=`$as_echo "$configure_input" | + sed 's/[\\\\&|]/\\\\&/g'`;; #( + *) ac_sed_conf_input=$configure_input;; + esac + + case $ac_tag in + *:-:* | *:-) cat >"$ac_tmp/stdin" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; + esac + ;; + esac + + ac_dir=`$as_dirname -- "$ac_file" || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + as_dir="$ac_dir"; as_fn_mkdir_p + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + + case $ac_mode in + :F) + # + # CONFIG_FILE + # + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# If the template does not know about datarootdir, expand it. +# FIXME: This hack should be removed a few years after 2.60. +ac_datarootdir_hack=; ac_datarootdir_seen= +ac_sed_dataroot=' +/datarootdir/ { + p + q +} +/@datadir@/p +/@docdir@/p +/@infodir@/p +/@localedir@/p +/@mandir@/p' +case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in +*datarootdir*) ac_datarootdir_seen=yes;; +*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + ac_datarootdir_hack=' + s&@datadir@&$datadir&g + s&@docdir@&$docdir&g + s&@infodir@&$infodir&g + s&@localedir@&$localedir&g + s&@mandir@&$mandir&g + s&\\\${datarootdir}&$datarootdir&g' ;; +esac +_ACEOF + +# Neutralize VPATH when `$srcdir' = `.'. +# Shell code in configure.ac might set extrasub. +# FIXME: do we really want to maintain this feature? +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_sed_extra="$ac_vpsub +$extrasub +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +:t +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +s|@configure_input@|$ac_sed_conf_input|;t t +s&@top_builddir@&$ac_top_builddir_sub&;t t +s&@top_build_prefix@&$ac_top_build_prefix&;t t +s&@srcdir@&$ac_srcdir&;t t +s&@abs_srcdir@&$ac_abs_srcdir&;t t +s&@top_srcdir@&$ac_top_srcdir&;t t +s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +s&@builddir@&$ac_builddir&;t t +s&@abs_builddir@&$ac_abs_builddir&;t t +s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +$ac_datarootdir_hack +" +eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ + >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + +test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && + { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ + "$ac_tmp/out"`; test -z "$ac_out"; } && + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined" >&5 +$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined" >&2;} + + rm -f "$ac_tmp/stdin" + case $ac_file in + -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; + *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; + esac \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + ;; + :H) + # + # CONFIG_HEADER + # + if test x"$ac_file" != x-; then + { + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" + } >"$ac_tmp/config.h" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then + { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 +$as_echo "$as_me: $ac_file is unchanged" >&6;} + else + rm -f "$ac_file" + mv "$ac_tmp/config.h" "$ac_file" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + fi + else + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ + || as_fn_error $? "could not create -" "$LINENO" 5 + fi + ;; + + + esac + +done # for ac_tag + + +as_fn_exit 0 +_ACEOF +ac_clean_files=$ac_clean_files_save + +test $ac_write_fail = 0 || + as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 + + +# configure is writing to config.log, and then calls config.status. +# config.status does its own redirection, appending to config.log. +# Unfortunately, on DOS this fails, as config.log is still kept open +# by configure, so config.status won't be able to write to it; its +# output is simply discarded. So we exec the FD to /dev/null, +# effectively closing config.log, so it can be properly (re)opened and +# appended to by config.status. When coming back to configure, we +# need to make the FD available again. +if test "$no_create" != yes; then + ac_cs_success=: + ac_config_status_args= + test "$silent" = yes && + ac_config_status_args="$ac_config_status_args --quiet" + exec 5>/dev/null + $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false + exec 5>>config.log + # Use ||, not &&, to avoid exiting from the if with $? = 1, which + # would make configure fail if this is the last instruction. + $ac_cs_success || as_fn_exit 1 +fi +if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 +$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} +fi + diff --git a/src/modules/rlm_ldap/configure.ac b/src/modules/rlm_ldap/configure.ac new file mode 100644 index 0000000..4ba485e --- /dev/null +++ b/src/modules/rlm_ldap/configure.ac @@ -0,0 +1,157 @@ +AC_PREREQ([2.68]) +AC_INIT(rlm_ldap.c) +AC_REVISION($Revision$) +FR_INIT_MODULE([rlm_ldap], [LDAP support]) + +fail= +SMART_LIBS= +SMART_CLFAGS= +SASL= + +if test x$with_[]modname != xno; then + + dnl ############################################################ + dnl # Check for compiler + dnl ############################################################ + AC_PROG_CC + + dnl ############################################################ + dnl # Check for command line options + dnl ############################################################ + + dnl # extra argument: --with-rlm-ldap-lib-dir + rlm_ldap_lib_dir= + AC_ARG_WITH(rlm-ldap-lib-dir, + [ --with-rlm-ldap-lib-dir=DIR directory for LDAP library files []], + [ case "$withval" in + no) + AC_MSG_ERROR(Need rlm-ldap-lib-dir) + ;; + yes) + ;; + *) + rlm_ldap_lib_dir="$withval" + ;; + esac ] + ) + + dnl # extra argument: --with-rlm-ldap-include-dir + rlm_ldap_include_dir= + AC_ARG_WITH(rlm-ldap-include-dir, + [ --with-rlm-ldap-include-dir=DIR directory for LDAP include files []], + [ case "$withval" in + no) + AC_MSG_ERROR(Need rlm-ldap-include-dir) + ;; + yes) + ;; + *) + rlm_ldap_include_dir="$withval" + ;; + esac ] + ) + + dnl ############################################################ + dnl # Check for libraries + dnl ############################################################ + + dnl # + dnl # Official word from those who represent OpenLDAP say + dnl # libldap_r is unsupported for use outside the OpenLDAP + dnl # server. But libldap *may* work with the FreeRADIUS + dnl # as we use a threadpool to prevent concurrent access to + dnl # the same libldap handle. + dnl # + dnl # In FreeRADIUS <= 3.0.6 we used libldap_r in preference + dnl # to libldap, however, in order to support certain distros + dnl # or packagers that only ship libldap in their OpenLDAP + dnl # client packages, we're forced to switch to just libldap. + dnl # + smart_try_dir=$rlm_ldap_lib_dir + FR_SMART_CHECK_LIB(ldap, ldap_init) + if test "x$ac_cv_lib_ldap_ldap_init" != "xyes"; then + fail="$fail libldap" + fi + + dnl ############################################################ + dnl # Check for header files + dnl ############################################################ + + smart_try_dir=$rlm_ldap_include_dir + FR_SMART_CHECK_INCLUDE(ldap.h) + if test "$ac_cv_header_ldap_h" != "yes"; then + fail="$fail ldap.h" + fi + + dnl ############################################################ + dnl # Check for library functions + dnl ############################################################ + + if test "x$fail" = "x"; then + AC_CHECK_FUNCS( + ldap_sasl_interactive_bind \ + ldap_unbind_ext_s \ + ldap_start_tls_s \ + ldap_initialize \ + ldap_set_rebind_proc \ + ldap_create_sort_control \ + ldap_create_sort_keylist \ + ldap_free_sort_keylist \ + ldap_url_parse \ + ldap_is_ldap_url \ + ldap_url_desc2str + ) + AC_CACHE_CHECK(whether ldap_set_rebind_proc takes 3 arguments, ac_cv_ldap_set_rebind_proc, [ + AC_TRY_COMPILE([ + #include <lber.h> + #include <ldap.h>], [ldap_set_rebind_proc(0, 0, 0);], + [ac_cv_ldap_set_rebind_proc=3], + [ac_cv_ldap_set_rebind_proc=2]) + ]) + fi + + dnl ############################################################ + dnl # Check for SASL support + dnl ############################################################ + FR_SMART_CHECK_INCLUDE([sasl/sasl.h]) + if test "x$ac_cv_header_sasl_sasl_h" = "xyes"; then + if test x"$ac_cv_func_ldap_sasl_interactive_bind" = "xyes"; then + AC_DEFINE(WITH_SASL, 1, [Build the server with support for SASL binds]) + SASL=sasl.c + fi + fi + + targetname=modname +else + targetname= + echo \*\*\* module modname is disabled. +fi + +if test x"$fail" != x""; then + if test x"${enable_strict_dependencies}" = x"yes"; then + AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.]) + else + AC_MSG_WARN([silently not building ]modname[.]) + AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]) + if test x"$headersuggestion" != x; then + AC_MSG_WARN([$headersuggestion]) + fi + if test x"$libsuggestion" != x; then + AC_MSG_WARN([$libsuggestion]) + fi + targetname="" + fi +fi + +AC_DEFINE(WITH_EDIR, 1, [Build the server with support for Novell eDir Universal Password]) +AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, ${ac_cv_ldap_set_rebind_proc}, [Number of arguments the rebind procedure takes]) + +mod_ldflags=$SMART_LIBS +mod_cflags="$SMART_CPPFLAGS" + +AC_SUBST(mod_ldflags) +AC_SUBST(mod_cflags) +AC_SUBST(SASL) +AC_SUBST(targetname) +AC_CONFIG_HEADER(config.h) +AC_OUTPUT(all.mk) diff --git a/src/modules/rlm_ldap/edir.c b/src/modules/rlm_ldap/edir.c new file mode 100644 index 0000000..ddac7e2 --- /dev/null +++ b/src/modules/rlm_ldap/edir.c @@ -0,0 +1,275 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * @file edir.c + * @brief LDAP extension for reading eDirectory universal password. + * + * To contact Novell about this file by physical or electronic mail, you may + * find current contact information at www.novell.com. + * + * @copyright 2012 Olivier Beytrison <olivier@heliosnet.org> + * @copyright 2012 Alan DeKok <aland@freeradius.org> + * @copyright 2002-2004 Novell, Inc. + */ + +RCSID("$Id$") + +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/rad_assert.h> + +#include "ldap.h" + +/* NMAS error codes */ +#define NMAS_E_BASE (-1600) + +#define NMAS_E_FRAG_FAILURE (NMAS_E_BASE-31) /* -1631 0xFFFFF9A1 */ +#define NMAS_E_BUFFER_OVERFLOW (NMAS_E_BASE-33) /* -1633 0xFFFFF99F */ +#define NMAS_E_SYSTEM_RESOURCES (NMAS_E_BASE-34) /* -1634 0xFFFFF99E */ +#define NMAS_E_INSUFFICIENT_MEMORY (NMAS_E_BASE-35) /* -1635 0xFFFFF99D */ +#define NMAS_E_NOT_SUPPORTED (NMAS_E_BASE-36) /* -1636 0xFFFFF99C */ +#define NMAS_E_INVALID_PARAMETER (NMAS_E_BASE-43) /* -1643 0xFFFFF995 */ +#define NMAS_E_INVALID_VERSION (NMAS_E_BASE-52) /* -1652 0xFFFFF98C */ +#define NMAS_E_ACCESS_NOT_ALLOWED (NMAS_E_BASE-59) /* -1659 0xFFFFF985 */ +#define NMAS_E_INVALID_SPM_REQUEST (NMAS_E_BASE-97) /* -1697 0xFFFFF95F */ + +/* OID of LDAP extenstion calls to read Universal Password */ +#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13" +#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14" + +#define NMAS_LDAP_EXT_VERSION 1 + +/** Takes the object DN and BER encodes the data into the BER value which is used as part of the request + * + @verbatim + RequestBer contents: + clientVersion INTEGER + targetObjectDN OCTET STRING + @endverbatim + * + * @param[out] request_bv where to write the request BER value (must be freed with ber_bvfree). + * @param[in] dn to query for. + * @return + * - 0 on success. + * - < 0 on error. + */ +static int ber_encode_request_data(char const *dn, struct berval **request_bv) +{ + int err = 0; + int rc = 0; + BerElement *request_ber = NULL; + + if (!dn || !*dn) { + err = NMAS_E_INVALID_PARAMETER; + goto finish; + } + + /* Allocate a BerElement for the request parameters.*/ + if ((request_ber = ber_alloc()) == NULL) { + err = NMAS_E_FRAG_FAILURE; + goto finish; + } + + rc = ber_printf(request_ber, "{io}", NMAS_LDAP_EXT_VERSION, dn, strlen(dn) + 1); + if (rc < 0) { + err = NMAS_E_FRAG_FAILURE; + goto finish; + } + + /* + * Convert the BER we just built to a berval that we'll + * send with the extended request. + */ + if (ber_flatten(request_ber, request_bv) < 0) { + err = NMAS_E_FRAG_FAILURE; + goto finish; + } + +finish: + if (request_ber) ber_free(request_ber, 1); + + return err; +} + +/** Converts the reply into server version and a return code + * + * This function takes the reply BER Value and decodes the NMAS server version and return code and if a non + * null retData buffer was supplied, tries to decode the the return data and length. + * + @verbatim + ResponseBer contents: + server_version INTEGER + error INTEGER + data OCTET STRING + @endverbatim + * + * @param[in] reply_bv reply data from extended request. + * @param[out] server_version that responded. + * @param[out] out data. + * @param[out] outlen Length of data written to out. + * @return + * - 0 on success. + * - < 0 on error. + */ +static int ber_decode_login_data(struct berval *reply_bv, int *server_version, void *out, size_t *outlen) +{ + int rc = 0; + int err = 0; + BerElement *reply_ber = NULL; + + rad_assert(out != NULL); + rad_assert(outlen != NULL); + + if ((reply_ber = ber_init(reply_bv)) == NULL) { + err = NMAS_E_SYSTEM_RESOURCES; + goto finish; + } + + rc = ber_scanf(reply_ber, "{iis}", server_version, &err, out, outlen); + if (rc == -1) { + err = NMAS_E_FRAG_FAILURE; + goto finish; + } + +finish: + + if (reply_ber) ber_free(reply_ber, 1); + + return err; +} + +/** Attempt to retrieve the universal password from Novell eDirectory + * + * @param[in] ld LDAP handle. + * @param[in] dn of user we want to retrieve the password for. + * @param[out] password Where to write the retrieved password. + * @param[out] passlen Length of data written to the password buffer. + * @return + * - 0 on success. + * - < 0 on failure. + */ +int nmasldap_get_password(LDAP *ld, char const *dn, char *password, size_t *passlen) +{ + int err = 0; + struct berval *request_bv = NULL; + char *reply_oid = NULL; + struct berval *reply_bv = NULL; + int server_version; + size_t bufsize; + char buffer[256]; + + /* Validate parameters. */ + if (!dn || !*dn || !passlen || !ld) { + return NMAS_E_INVALID_PARAMETER; + } + + err = ber_encode_request_data(dn, &request_bv); + if (err) goto finish; + + /* Call the ldap_extended_operation (synchronously) */ + err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, request_bv, NULL, NULL, &reply_oid, &reply_bv); + if (err) goto finish; + + /* Make sure there is a return OID */ + if (!reply_oid) { + err = NMAS_E_NOT_SUPPORTED; + goto finish; + } + + /* Is this what we were expecting to get back. */ + if (strcmp(reply_oid, NMASLDAP_GET_PASSWORD_RESPONSE) != 0) { + err = NMAS_E_NOT_SUPPORTED; + goto finish; + } + + /* Do we have a good returned berval? */ + if (!reply_bv) { + /* + * No; returned berval means we experienced a rather + * drastic error. Return operations error. + */ + err = NMAS_E_SYSTEM_RESOURCES; + goto finish; + } + + bufsize = sizeof(buffer); + err = ber_decode_login_data(reply_bv, &server_version, buffer, &bufsize); + if (err) goto finish; + + if (server_version != NMAS_LDAP_EXT_VERSION) { + err = NMAS_E_INVALID_VERSION; + goto finish; + } + + if (bufsize > *passlen) { + err = NMAS_E_BUFFER_OVERFLOW; + goto finish; + } + + memcpy(password, buffer, bufsize); + password[bufsize] = '\0'; + *passlen = bufsize; + +finish: + if (reply_bv) { + ber_bvfree(reply_bv); + } + + /* Free the return OID string if one was returned. */ + if (reply_oid) { + ldap_memfree(reply_oid); + } + + /* Free memory allocated while building the request ber and berval. */ + if (request_bv) { + ber_bvfree(request_bv); + } + + return err; +} + +char const *edir_errstr(int code) { + switch (code) { + case NMAS_E_FRAG_FAILURE: + return "BER manipulation failed"; + + case NMAS_E_BUFFER_OVERFLOW: + return "Insufficient buffer space to write retrieved password"; + + case NMAS_E_SYSTEM_RESOURCES: + case NMAS_E_INSUFFICIENT_MEMORY: + return "Insufficient memory or system resources"; + + case NMAS_E_NOT_SUPPORTED: + return "Server response indicated Universal Password is not supported (missing password response OID)"; + + case NMAS_E_INVALID_PARAMETER: + return "Bad arguments passed to eDir functions"; + + case NMAS_E_INVALID_VERSION: + return "LDAP EXT version does not match expected version" STRINGIFY(NMAS_LDAP_EXT_VERSION); + + case NMAS_E_ACCESS_NOT_ALLOWED: + return "Bound user does not have sufficient rights to read the Universal Password of users"; + + case NMAS_E_INVALID_SPM_REQUEST: + return "Universal password is not enabled for the container of this user object"; + + default: + return ldap_err2string(code); + } +} diff --git a/src/modules/rlm_ldap/groups.c b/src/modules/rlm_ldap/groups.c new file mode 100644 index 0000000..205f32d --- /dev/null +++ b/src/modules/rlm_ldap/groups.c @@ -0,0 +1,853 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * @file groups.c + * @brief LDAP module group functions. + * + * @author Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * + * @copyright 2013 Network RADIUS SARL <info@networkradius.com> + * @copyright 2013-2015 The FreeRADIUS Server Project. + */ +#include <freeradius-devel/rad_assert.h> +#include <ctype.h> + +#include "ldap.h" + +/** Convert multiple group names into a DNs + * + * Given an array of group names, builds a filter matching all names, then retrieves all group objects + * and stores the DN associated with each group object. + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] names to covert to DNs (NULL terminated). + * @param[out] out Where to write the DNs. DNs must be freed with ldap_memfree(). Will be NULL terminated. + * @param[in] outlen Size of out. + * @return One of the RLM_MODULE_* values. + */ +static rlm_rcode_t rlm_ldap_group_name2dn(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + char **names, char **out, size_t outlen) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + ldap_rcode_t status; + int ldap_errno; + + unsigned int name_cnt = 0; + unsigned int entry_cnt; + char const *attrs[] = { NULL }; + + LDAPMessage *result = NULL, *entry; + + char **name = names; + char **dn = out; + char const *base_dn = NULL; + char base_dn_buff[LDAP_MAX_DN_STR_LEN]; + char buffer[LDAP_MAX_GROUP_NAME_LEN + 1]; + + char *filter; + + *dn = NULL; + + if (!*names) { + return RLM_MODULE_OK; + } + + if (!inst->groupobj_name_attr) { + REDEBUG("Told to convert group names to DNs but missing 'group.name_attribute' directive"); + + return RLM_MODULE_INVALID; + } + + RDEBUG("Converting group name(s) to group DN(s)"); + + /* + * It'll probably only save a few ms in network latency, but it means we can send a query + * for the entire group list at once. + */ + filter = talloc_typed_asprintf(request, "%s%s%s", + inst->groupobj_filter ? "(&" : "", + inst->groupobj_filter ? inst->groupobj_filter : "", + names[0] && names[1] ? "(|" : ""); + while (*name) { + rlm_ldap_escape_func(request, buffer, sizeof(buffer), *name++, NULL); + filter = talloc_asprintf_append_buffer(filter, "(%s=%s)", inst->groupobj_name_attr, buffer); + + name_cnt++; + } + filter = talloc_asprintf_append_buffer(filter, "%s%s", + inst->groupobj_filter ? ")" : "", + names[0] && names[1] ? ")" : ""); + + if (tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request, + inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) { + REDEBUG("Failed creating base_dn"); + + return RLM_MODULE_INVALID; + } + + status = rlm_ldap_search(&result, inst, request, pconn, base_dn, inst->groupobj_scope, + filter, attrs, NULL, NULL); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_NO_RESULT: + RDEBUG("Tried to resolve group name(s) to DNs but got no results"); + goto finish; + + default: + rcode = RLM_MODULE_FAIL; + goto finish; + } + + entry_cnt = ldap_count_entries((*pconn)->handle, result); + if (entry_cnt > name_cnt) { + REDEBUG("Number of DNs exceeds number of names, group and/or dn should be more restrictive"); + rcode = RLM_MODULE_INVALID; + + goto finish; + } + + if (entry_cnt > (outlen - 1)) { + REDEBUG("Number of DNs exceeds limit (%zu)", outlen - 1); + rcode = RLM_MODULE_INVALID; + + goto finish; + } + + if (entry_cnt < name_cnt) { + RWDEBUG("Got partial mapping of group names (%i) to DNs (%i), membership information may be incomplete", + name_cnt, entry_cnt); + } + + entry = ldap_first_entry((*pconn)->handle, result); + if (!entry) { + ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); + + rcode = RLM_MODULE_FAIL; + goto finish; + } + + do { + *dn = ldap_get_dn((*pconn)->handle, entry); + if (!*dn) { + ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno)); + + rcode = RLM_MODULE_FAIL; + goto finish; + } + rlm_ldap_normalise_dn(*dn, *dn); + + RDEBUG("Got group DN \"%s\"", *dn); + dn++; + } while((entry = ldap_next_entry((*pconn)->handle, entry))); + + *dn = NULL; + +finish: + talloc_free(filter); + if (result) { + ldap_msgfree(result); + } + + /* + * Be nice and cleanup the output array if we error out. + */ + if (rcode != RLM_MODULE_OK) { + dn = out; + while(*dn) ldap_memfree(*dn++); + *dn = NULL; + } + + return rcode; +} + +/** Convert a single group name into a DN + * + * Unlike the inverse conversion of a name to a DN, most LDAP directories don't allow filtering by DN, + * so we need to search for each DN individually. + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] dn to resolve. + * @param[out] out Where to write group name (must be freed with talloc_free). + * @return One of the RLM_MODULE_* values. + */ +static rlm_rcode_t rlm_ldap_group_dn2name(rlm_ldap_t const *inst, REQUEST *request, + ldap_handle_t **pconn, char const *dn, char **out) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + ldap_rcode_t status; + int ldap_errno; + + struct berval **values = NULL; + char const *attrs[] = { inst->groupobj_name_attr, NULL }; + LDAPMessage *result = NULL, *entry; + + *out = NULL; + + if (!inst->groupobj_name_attr) { + REDEBUG("Told to resolve group DN to name but missing 'group.name_attribute' directive"); + + return RLM_MODULE_INVALID; + } + + RDEBUG("Resolving group DN \"%s\" to group name", dn); + + status = rlm_ldap_search(&result, inst, request, pconn, dn, LDAP_SCOPE_BASE, NULL, attrs, NULL, NULL); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_NO_RESULT: + REDEBUG("Group DN \"%s\" did not resolve to an object", dn); + return inst->allow_dangling_group_refs ? RLM_MODULE_NOOP : RLM_MODULE_INVALID; + + default: + return RLM_MODULE_FAIL; + } + + entry = ldap_first_entry((*pconn)->handle, result); + if (!entry) { + ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); + + rcode = RLM_MODULE_INVALID; + goto finish; + } + + values = ldap_get_values_len((*pconn)->handle, entry, inst->groupobj_name_attr); + if (!values) { + REDEBUG("No %s attributes found in object", inst->groupobj_name_attr); + + rcode = RLM_MODULE_INVALID; + + goto finish; + } + + *out = rlm_ldap_berval_to_string(request, values[0]); + RDEBUG("Group DN \"%s\" resolves to name \"%s\"", dn, *out); + +finish: + if (result) ldap_msgfree(result); + if (values) ldap_value_free_len(values); + + return rcode; +} + +/** Convert group membership information into attributes + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] entry retrieved by rlm_ldap_find_user or rlm_ldap_search. + * @param[in] attr membership attribute to look for in the entry. + * @return One of the RLM_MODULE_* values. + */ +rlm_rcode_t rlm_ldap_cacheable_userobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + LDAPMessage *entry, char const *attr) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + + struct berval **values; + + char *group_name[LDAP_MAX_CACHEABLE + 1]; + char **name_p = group_name; + + char *group_dn[LDAP_MAX_CACHEABLE + 1]; + char **dn_p; + + char *name; + + VALUE_PAIR *vp, **list, *groups = NULL; + TALLOC_CTX *list_ctx, *value_ctx; + vp_cursor_t list_cursor, groups_cursor; + + int is_dn, i, count; + + rad_assert(entry); + rad_assert(attr); + + /* + * Parse the membership information we got in the initial user query. + */ + values = ldap_get_values_len((*pconn)->handle, entry, attr); + if (!values) { + RDEBUG2("No cacheable group memberships found in user object"); + + return RLM_MODULE_OK; + } + count = ldap_count_values_len(values); + + list = radius_list(request, PAIR_LIST_CONTROL); + list_ctx = radius_list_ctx(request, PAIR_LIST_CONTROL); + + /* + * Simplifies freeing temporary values + */ + value_ctx = talloc_new(request); + + /* + * Temporary list to hold new group VPs, will be merged + * once all group info has been gathered/resolved + * successfully. + */ + fr_cursor_init(&groups_cursor, &groups); + + for (i = 0; (i < LDAP_MAX_CACHEABLE) && (i < count); i++) { + is_dn = rlm_ldap_is_dn(values[i]->bv_val, values[i]->bv_len); + + if (inst->cacheable_group_dn) { + /* + * The easy case, we're caching DNs and we got a DN. + */ + if (is_dn) { + MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da)); + fr_pair_value_bstrncpy(vp, values[i]->bv_val, values[i]->bv_len); + fr_cursor_insert(&groups_cursor, vp); + /* + * We were told to cache DNs but we got a name, we now need to resolve + * this to a DN. Store all the group names in an array so we can do one query. + */ + } else { + *name_p++ = rlm_ldap_berval_to_string(value_ctx, values[i]); + } + } + + if (inst->cacheable_group_name) { + /* + * The easy case, we're caching names and we got a name. + */ + if (!is_dn) { + MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da)); + fr_pair_value_bstrncpy(vp, values[i]->bv_val, values[i]->bv_len); + fr_cursor_insert(&groups_cursor, vp); + /* + * We were told to cache names but we got a DN, we now need to resolve + * this to a name. + * Only Active Directory supports filtering on DN, so we have to search + * for each individual group. + */ + } else { + char *dn; + + dn = rlm_ldap_berval_to_string(value_ctx, values[i]); + rcode = rlm_ldap_group_dn2name(inst, request, pconn, dn, &name); + talloc_free(dn); + + if (rcode == RLM_MODULE_NOOP) continue; + + if (rcode != RLM_MODULE_OK) { + ldap_value_free_len(values); + talloc_free(value_ctx); + fr_pair_list_free(&groups); + + return rcode; + } + + MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da)); + fr_pair_value_bstrncpy(vp, name, talloc_array_length(name) - 1); + fr_cursor_insert(&groups_cursor, vp); + talloc_free(name); + } + } + } + *name_p = NULL; + + rcode = rlm_ldap_group_name2dn(inst, request, pconn, group_name, group_dn, sizeof(group_dn)); + + ldap_value_free_len(values); + talloc_free(value_ctx); + + if (rcode != RLM_MODULE_OK) return rcode; + + fr_cursor_init(&list_cursor, list); + + RDEBUG("Adding cacheable user object memberships"); + RINDENT(); + if (RDEBUG_ENABLED) { + for (vp = fr_cursor_first(&groups_cursor); + vp; + vp = fr_cursor_next(&groups_cursor)) { + RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, vp->vp_strvalue); + } + } + + fr_cursor_merge(&list_cursor, groups); + + for (dn_p = group_dn; *dn_p; dn_p++) { + MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da)); + fr_pair_value_strcpy(vp, *dn_p); + fr_cursor_insert(&list_cursor, vp); + + RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, vp->vp_strvalue); + ldap_memfree(*dn_p); + } + REXDENT(); + + return rcode; +} + +/** Convert group membership information into attributes + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @return One of the RLM_MODULE_* values. + */ +rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + ldap_rcode_t status; + int ldap_errno; + + LDAPMessage *result = NULL; + LDAPMessage *entry; + + char const *base_dn; + char base_dn_buff[LDAP_MAX_DN_STR_LEN]; + + char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter }; + char filter[LDAP_MAX_FILTER_STR_LEN + 1]; + + char const *attrs[] = { inst->groupobj_name_attr, NULL }; + + VALUE_PAIR *vp; + char *dn; + + rad_assert(inst->groupobj_base_dn); + + if (!inst->groupobj_membership_filter) { + RDEBUG2("Skipping caching group objects as directive 'group.membership_filter' is not set"); + + return RLM_MODULE_OK; + } + + if (rlm_ldap_xlat_filter(request, + filters, sizeof(filters) / sizeof(*filters), + filter, sizeof(filter)) < 0) { + return RLM_MODULE_INVALID; + } + + if (tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request, + inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) { + REDEBUG("Failed creating base_dn"); + + return RLM_MODULE_INVALID; + } + + status = rlm_ldap_search(&result, inst, request, pconn, base_dn, + inst->groupobj_scope, filter, attrs, NULL, NULL); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_NO_RESULT: + RDEBUG2("No cacheable group memberships found in group objects"); + goto finish; + + default: + rcode = RLM_MODULE_FAIL; + goto finish; + } + + entry = ldap_first_entry((*pconn)->handle, result); + if (!entry) { + ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); + + goto finish; + } + + RDEBUG("Adding cacheable group object memberships"); + do { + if (inst->cacheable_group_dn) { + dn = ldap_get_dn((*pconn)->handle, entry); + if (!dn) { + ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno)); + + goto finish; + } + rlm_ldap_normalise_dn(dn, dn); + + MEM(vp = pair_make_config(inst->cache_da->name, NULL, T_OP_ADD)); + fr_pair_value_strcpy(vp, dn); + + RINDENT(); + RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, dn); + REXDENT(); + ldap_memfree(dn); + } + + if (inst->cacheable_group_name) { + struct berval **values; + + values = ldap_get_values_len((*pconn)->handle, entry, inst->groupobj_name_attr); + if (!values) continue; + + MEM(vp = pair_make_config(inst->cache_da->name, NULL, T_OP_ADD)); + fr_pair_value_bstrncpy(vp, values[0]->bv_val, values[0]->bv_len); + + RINDENT(); + RDEBUG("&control:%s += \"%.*s\"", inst->cache_da->name, + (int)values[0]->bv_len, values[0]->bv_val); + REXDENT(); + + ldap_value_free_len(values); + } + } while ((entry = ldap_next_entry((*pconn)->handle, entry))); + +finish: + if (result) ldap_msgfree(result); + + return rcode; +} + +/** Query the LDAP directory to check if a group object includes a user object as a member + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] check vp containing the group value (name or dn). + * @return One of the RLM_MODULE_* values. + */ +rlm_rcode_t rlm_ldap_check_groupobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + VALUE_PAIR *check) + +{ + ldap_rcode_t status; + + char const *base_dn; + char base_dn_buff[LDAP_MAX_DN_STR_LEN + 1]; + char filter[LDAP_MAX_FILTER_STR_LEN + 1]; + int ret; + + rad_assert(inst->groupobj_base_dn); + + switch (check->op) { + case T_OP_CMP_EQ: + case T_OP_CMP_FALSE: + case T_OP_CMP_TRUE: + case T_OP_REG_EQ: + case T_OP_REG_NE: + break; + + default: + REDEBUG("Operator \"%s\" not allowed for LDAP group comparisons", + fr_int2str(fr_tokens, check->op, "<INVALID>")); + return 1; + } + + RDEBUG2("Checking for user in group objects"); + + if (rlm_ldap_is_dn(check->vp_strvalue, check->vp_length)) { + char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter }; + + RINDENT(); + ret = rlm_ldap_xlat_filter(request, + filters, sizeof(filters) / sizeof(*filters), + filter, sizeof(filter)); + REXDENT(); + + if (ret < 0) return RLM_MODULE_INVALID; + + base_dn = check->vp_strvalue; + } else { + char name_filter[LDAP_MAX_FILTER_STR_LEN]; + char const *filters[] = { name_filter, inst->groupobj_filter, inst->groupobj_membership_filter }; + + if (!inst->groupobj_name_attr) { + REDEBUG("Told to search for group by name, but missing 'group.name_attribute' " + "directive"); + + return RLM_MODULE_INVALID; + } + + snprintf(name_filter, sizeof(name_filter), "(%s=%s)", inst->groupobj_name_attr, check->vp_strvalue); + RINDENT(); + ret = rlm_ldap_xlat_filter(request, + filters, sizeof(filters) / sizeof(*filters), + filter, sizeof(filter)); + REXDENT(); + if (ret < 0) return RLM_MODULE_INVALID; + + + /* + * rlm_ldap_find_user does this, too. Oh well. + */ + RINDENT(); + ret = tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request, inst->groupobj_base_dn, + rlm_ldap_escape_func, NULL); + REXDENT(); + if (ret < 0) { + REDEBUG("Failed creating base_dn"); + + return RLM_MODULE_INVALID; + } + } + + RINDENT(); + status = rlm_ldap_search(NULL, inst, request, pconn, base_dn, inst->groupobj_scope, filter, NULL, NULL, NULL); + REXDENT(); + switch (status) { + case LDAP_PROC_SUCCESS: + RDEBUG("User found in group object \"%s\"", base_dn); + break; + + case LDAP_PROC_NO_RESULT: + return RLM_MODULE_NOTFOUND; + + default: + return RLM_MODULE_FAIL; + } + + return RLM_MODULE_OK; +} + +/** Query the LDAP directory to check if a user object is a member of a group + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] dn of user object. + * @param[in] check vp containing the group value (name or dn). + * @return One of the RLM_MODULE_* values. + */ +rlm_rcode_t rlm_ldap_check_userobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + char const *dn, VALUE_PAIR *check) +{ + rlm_rcode_t rcode = RLM_MODULE_NOTFOUND, ret; + ldap_rcode_t status; + bool name_is_dn = false, value_is_dn = false; + + LDAPMessage *result = NULL; + LDAPMessage *entry = NULL; + struct berval **values = NULL; + + char const *attrs[] = { inst->userobj_membership_attr, NULL }; + int i, count, ldap_errno; + + RDEBUG2("Checking user object's %s attributes", inst->userobj_membership_attr); + RINDENT(); + status = rlm_ldap_search(&result, inst, request, pconn, dn, LDAP_SCOPE_BASE, NULL, attrs, NULL, NULL); + REXDENT(); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_NO_RESULT: + RDEBUG("Can't check membership attributes, user object not found"); + + rcode = RLM_MODULE_NOTFOUND; + + /* FALL-THROUGH */ + default: + goto finish; + } + + entry = ldap_first_entry((*pconn)->handle, result); + if (!entry) { + ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); + + rcode = RLM_MODULE_FAIL; + + goto finish; + } + + values = ldap_get_values_len((*pconn)->handle, entry, inst->userobj_membership_attr); + if (!values) { + RDEBUG("No group membership attribute(s) found in user object"); + + goto finish; + } + + /* + * Loop over the list of groups the user is a member of, + * looking for a match. + */ + name_is_dn = rlm_ldap_is_dn(check->vp_strvalue, check->vp_length); + count = ldap_count_values_len(values); + for (i = 0; i < count; i++) { + value_is_dn = rlm_ldap_is_dn(values[i]->bv_val, values[i]->bv_len); + + RDEBUG2("Processing %s value \"%.*s\" as a %s", inst->userobj_membership_attr, + (int)values[i]->bv_len, values[i]->bv_val, value_is_dn ? "DN" : "group name"); + + /* + * Both literal group names, do case sensitive comparison + */ + if (!name_is_dn && !value_is_dn) { + if ((check->vp_length == values[i]->bv_len) && + (memcmp(values[i]->bv_val, check->vp_strvalue, values[i]->bv_len) == 0)) { + RDEBUG("User found in group \"%s\". Comparison between membership: name, check: name", + check->vp_strvalue); + rcode = RLM_MODULE_OK; + + goto finish; + } + + continue; + } + + /* + * Both DNs, do case insensitive, binary safe comparison + */ + if (name_is_dn && value_is_dn) { + if (check->vp_length == values[i]->bv_len) { + int j; + + for (j = 0; j < (int)values[i]->bv_len; j++) { + if (tolower(values[i]->bv_val[j]) != tolower(check->vp_strvalue[j])) break; + } + if (j == (int)values[i]->bv_len) { + RDEBUG("User found in group DN \"%s\". " + "Comparison between membership: dn, check: dn", check->vp_strvalue); + rcode = RLM_MODULE_OK; + + goto finish; + } + } + + continue; + } + + /* + * If the value is not a DN, and the name we were given is a dn + * convert the value to a DN and do a comparison. + */ + if (!value_is_dn && name_is_dn) { + char *resolved; + bool eq = false; + + RINDENT(); + ret = rlm_ldap_group_dn2name(inst, request, pconn, check->vp_strvalue, &resolved); + REXDENT(); + + if (ret == RLM_MODULE_NOOP) continue; + + if (ret != RLM_MODULE_OK) { + rcode = ret; + goto finish; + } + + if (((talloc_array_length(resolved) - 1) == values[i]->bv_len) && + (memcmp(values[i]->bv_val, resolved, values[i]->bv_len) == 0)) eq = true; + talloc_free(resolved); + if (eq) { + RDEBUG("User found in group \"%.*s\". Comparison between membership: name, check: name " + "(resolved from DN \"%s\")", (int)values[i]->bv_len, + values[i]->bv_val, check->vp_strvalue); + rcode = RLM_MODULE_OK; + + goto finish; + } + + continue; + } + + /* + * We have a value which is a DN, and a check item which specifies the name of a group, + * convert the value to a name so we can do a comparison. + */ + if (value_is_dn && !name_is_dn) { + char *resolved; + char *value; + bool eq = false; + + value = rlm_ldap_berval_to_string(request, values[i]); + RINDENT(); + ret = rlm_ldap_group_dn2name(inst, request, pconn, value, &resolved); + REXDENT(); + talloc_free(value); + + if (ret == RLM_MODULE_NOOP) continue; + + if (ret != RLM_MODULE_OK) { + rcode = ret; + goto finish; + } + + if (((talloc_array_length(resolved) - 1) == check->vp_length) && + (memcmp(check->vp_strvalue, resolved, check->vp_length) == 0)) eq = true; + talloc_free(resolved); + if (eq) { + RDEBUG("User found in group \"%s\". Comparison between membership: name " + "(resolved from DN \"%s\"), check: name", check->vp_strvalue, value); + rcode = RLM_MODULE_OK; + + goto finish; + } + + continue; + } + rad_assert(0); + } + +finish: + if (values) ldap_value_free_len(values); + if (result) ldap_msgfree(result); + + return rcode; +} + +/** Check group membership attributes to see if a user is a member. + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in] check vp containing the group value (name or dn). + * + * @return One of the RLM_MODULE_* values. + */ +rlm_rcode_t rlm_ldap_check_cached(rlm_ldap_t const *inst, REQUEST *request, VALUE_PAIR *check) +{ + VALUE_PAIR *vp; + int ret; + vp_cursor_t cursor; + + fr_cursor_init(&cursor, &request->config); + + /* + * We return RLM_MODULE_INVALID here as an indication + * the caller should try a dynamic group lookup instead. + */ + vp = fr_cursor_next_by_num(&cursor, inst->cache_da->attr, inst->cache_da->vendor, TAG_ANY); + if (!vp) return RLM_MODULE_INVALID; + fr_cursor_first(&cursor); + + while ((vp = fr_cursor_next_by_num(&cursor, inst->cache_da->attr, inst->cache_da->vendor, TAG_ANY))) { + ret = fr_pair_cmp_op(T_OP_CMP_EQ, vp, check); + if (ret == 1) { + RDEBUG2("User found. Matched cached membership"); + return RLM_MODULE_OK; + } + + if (ret < -1) { + return RLM_MODULE_FAIL; + } + } + + RDEBUG2("Cached membership not found"); + return RLM_MODULE_NOTFOUND; +} diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c new file mode 100644 index 0000000..adabe33 --- /dev/null +++ b/src/modules/rlm_ldap/ldap.c @@ -0,0 +1,1605 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * @file ldap.c + * @brief LDAP module library functions. + * + * @author Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2015 Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2013-2015 Network RADIUS SARL <info@networkradius.com> + * @copyright 2013-2015 The FreeRADIUS Server Project. + */ +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/modules.h> +#include <freeradius-devel/rad_assert.h> + +#include <stdarg.h> +#include <ctype.h> + +#include "ldap.h" + +/** Converts "bad" strings into ones which are safe for LDAP + * + * @note RFC 4515 says filter strings can only use the @verbatim \<hex><hex> @endverbatim + * format, whereas RFC 4514 indicates that some chars in DNs, may be escaped simply + * with a backslash. For simplicity, we always use the hex escape sequences. + * In other areas where we're doing DN comparison, the DNs need to be normalised first + * so that they both use only hex escape sequences. + * + * @note This is a callback for xlat operations. + * + * Will escape any characters in input strings that would cause the string to be interpreted + * as part of a DN and or filter. Escape sequence is @verbatim \<hex><hex> @endverbatim. + * + * @param request The current request. + * @param out Pointer to output buffer. + * @param outlen Size of the output buffer. + * @param in Raw unescaped string. + * @param arg Any additional arguments (unused). + */ +size_t rlm_ldap_escape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg) +{ + static char const encode[] = ",+\"\\<>;*=()"; + static char const hextab[] = "0123456789abcdef"; + size_t left = outlen; + + if (*in && ((*in == ' ') || (*in == '#'))) goto encode; + + while (*in) { + /* + * Encode unsafe characters. + */ + if (memchr(encode, *in, sizeof(encode) - 1)) { + encode: + /* + * Only 3 or less bytes available. + */ + if (left <= 3) break; + + *out++ = '\\'; + *out++ = hextab[(*in >> 4) & 0x0f]; + *out++ = hextab[*in & 0x0f]; + in++; + left -= 3; + + continue; + } + + if (left <= 1) break; + + /* + * Doesn't need encoding + */ + *out++ = *in++; + left--; + } + + *out = '\0'; + + return outlen - left; +} + +/** Check whether a string looks like a DN + * + * @param[in] in Str to check. + * @param[in] inlen Length of string to check. + * @return + * - true if string looks like a DN. + * - false if string does not look like DN. + */ +bool rlm_ldap_is_dn(char const *in, size_t inlen) +{ + char const *p; + + char want = '='; + bool too_soon = true; + int comp = 1; + + for (p = in; inlen > 0; p++, inlen--) { + if (p[0] == '\\') { + char c; + + too_soon = false; + + /* + * Invalid escape sequence, not a DN + */ + if (inlen < 2) return false; + + /* + * Double backslash, consume two chars + */ + if (p[1] == '\\') { + inlen--; + p++; + continue; + } + + /* + * Special, consume two chars + */ + switch (p[1]) { + case ' ': + case '#': + case '=': + case '"': + case '+': + case ',': + case ';': + case '<': + case '>': + case '\'': + inlen -= 1; + p += 1; + continue; + + default: + break; + } + + /* + * Invalid escape sequence, not a DN + */ + if (inlen < 3) return false; + + /* + * Hex encoding, consume three chars + */ + if (fr_hex2bin((uint8_t *) &c, 1, p + 1, 2) == 1) { + inlen -= 2; + p += 2; + continue; + } + + /* + * Invalid escape sequence, not a DN + */ + return false; + } + + switch (*p) { + case '=': + if (too_soon || (*p != want)) return false; /* Too soon after last , or = */ + want = ','; + too_soon = true; + break; + + case ',': + if (too_soon || (*p != want)) return false; /* Too soon after last , or = */ + want = '='; + too_soon = true; + comp++; + break; + + default: + too_soon = false; + break; + } + } + + /* + * If the string ended with , or =, or the number + * of components was less than 2 + * + * i.e. we don't have <attr>=<val>,<attr>=<val> + */ + if (too_soon || (comp < 2)) return false; + + return true; +} + +/** Convert a berval to a talloced string + * + * The ldap_get_values function is deprecated, and ldap_get_values_len + * does not guarantee the berval buffers it returns are \0 terminated. + * + * For some cases this is fine, for others we require a \0 terminated + * buffer (feeding DNs back into libldap for example). + * + * @param ctx to allocate in. + * @param in Berval to copy. + * @return \0 terminated buffer containing in->bv_val. + */ +char *rlm_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in) +{ + char *out; + + out = talloc_array(ctx, char, in->bv_len + 1); + if (!out) return NULL; + + memcpy(out, in->bv_val, in->bv_len); + out[in->bv_len] = '\0'; + + return out; +} + +/** Normalise escape sequences in a DN + * + * Characters in a DN can either be escaped as + * @verbatim \<hex><hex> @endverbatim or @verbatim \<special> @endverbatim + * + * The LDAP directory chooses how characters are escaped, which can make + * local comparisons of DNs difficult. + * + * Here we search for hex sequences that match special chars, and convert + * them to the @verbatim \<special> @endverbatim form. + * + * @note the resulting output string will only ever be shorter than the + * input, so it's fine to use the same buffer for both out and in. + * + * @param out Where to write the normalised DN. + * @param in The input DN. + * @return The number of bytes written to out. + */ +size_t rlm_ldap_normalise_dn(char *out, char const *in) +{ + char const *p; + char *o = out; + + for (p = in; *p != '\0'; p++) { + if (p[0] == '\\') { + char c; + + /* + * Double backslashes get processed specially + */ + if (p[1] == '\\') { + p += 1; + *o++ = p[0]; + *o++ = p[1]; + continue; + } + + /* + * Hex encodings that have an alternative + * special encoding, get rewritten to the + * special encoding. + */ + if (fr_hex2bin((uint8_t *) &c, 1, p + 1, 2) == 1) { + switch (c) { + case ' ': + case '#': + case '=': + case '"': + case '+': + case ',': + case ';': + case '<': + case '>': + case '\'': + *o++ = '\\'; + *o++ = c; + p += 2; + continue; + + default: + break; + } + } + } + *o++ = *p; + } + *o = '\0'; + + return o - out; +} + +/** Find the place at which the two DN strings diverge + * + * Returns the length of the non matching string in full. + * + * @param full DN. + * @param part Partial DN as returned by ldap_parse_result. + * @return + * - Length of the portion of full which wasn't matched + * - -1 on failure. + */ +static size_t rlm_ldap_common_dn(char const *full, char const *part) +{ + size_t f_len, p_len, i; + + if (!full) { + return -1; + } + + f_len = strlen(full); + + if (!part) { + return -1; + } + + p_len = strlen(part); + if (!p_len) { + return f_len; + } + + if ((f_len < p_len) || !f_len) { + return -1; + } + + for (i = 0; i < p_len; i++) { + if (part[p_len - i] != full[f_len - i]) { + return -1; + } + } + + return f_len - p_len; +} + +/** Combine and expand filters + * + * @param request Current request. + * @param out Where to write the expanded string. + * @param outlen Length of output buffer. + * @param sub Array of subfilters (may contain NULLs). + * @param sublen Number of potential subfilters in array. + * @return length of expanded data. + */ +ssize_t rlm_ldap_xlat_filter(REQUEST *request, char const **sub, size_t sublen, char *out, size_t outlen) +{ + char buffer[LDAP_MAX_FILTER_STR_LEN + 1]; + char const *in = NULL; + char *p = buffer; + + ssize_t len = 0; + + unsigned int i; + int cnt = 0; + + /* + * Figure out how many filter elements we need to integrate + */ + for (i = 0; i < sublen; i++) { + if (sub[i] && *sub[i]) { + in = sub[i]; + cnt++; + } + } + + if (!cnt) { + out[0] = '\0'; + return 0; + } + + if (cnt > 1) { + if (outlen < 3) { + goto oob; + } + + p[len++] = '('; + p[len++] = '&'; + + for (i = 0; i < sublen; i++) { + if (sub[i] && (*sub[i] != '\0')) { + len += strlcpy(p + len, sub[i], outlen - len); + + if ((size_t) len >= outlen) { + oob: + REDEBUG("Out of buffer space creating filter"); + + return -1; + } + } + } + + if ((outlen - len) < 2) { + goto oob; + } + + p[len++] = ')'; + p[len] = '\0'; + + in = buffer; + } + + len = radius_xlat(out, outlen, request, in, rlm_ldap_escape_func, NULL); + if (len < 0) { + REDEBUG("Failed creating filter"); + + return -1; + } + + return len; +} + +/** Return the error string associated with a handle + * + * @param conn to retrieve error from. + * @return error string. + */ +char const *rlm_ldap_error_str(ldap_handle_t const *conn) +{ + int lib_errno; + ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &lib_errno); + if (lib_errno == LDAP_SUCCESS) { + return "unknown"; + } + + return ldap_err2string(lib_errno); +} + +/** Parse response from LDAP server dealing with any errors + * + * Should be called after an LDAP operation. Will check result of operation and if it was successful, then attempt + * to retrieve and parse the result. + * + * Will also produce extended error output including any messages the server sent, and information about partial + * DN matches. + * + * @param[in] inst of LDAP module. + * @param[in] conn Current connection. + * @param[in] msgid returned from last operation. May be -1 if no result processing is required. + * @param[in] dn Last search or bind DN. + * @param[out] result Where to write result, if NULL result will be freed. + * @param[out] error Where to write the error string, may be NULL, must not be freed. + * @param[out] extra Where to write additional error string to, may be NULL (faster) or must be freed + * (with talloc_free). + * @return One of the LDAP_PROC_* (#ldap_rcode_t) values. + */ +ldap_rcode_t rlm_ldap_result(rlm_ldap_t const *inst, ldap_handle_t const *conn, int msgid, char const *dn, + LDAPMessage **result, char const **error, char **extra) +{ + ldap_rcode_t status = LDAP_PROC_SUCCESS; + + int lib_errno = LDAP_SUCCESS; // errno returned by the library. + int srv_errno = LDAP_SUCCESS; // errno in the result message. + + char *part_dn = NULL; // Partial DN match. + char *our_err = NULL; // Our extended error message. + char *srv_err = NULL; // Server's extended error message. + char *p, *a; + + bool freeit = false; // Whether the message should be freed after being processed. + int len; + + struct timeval tv; // Holds timeout values. + + LDAPMessage *tmp_msg = NULL; // Temporary message pointer storage if we weren't provided with one. + + char const *tmp_err; // Temporary error pointer storage if we weren't provided with one. + + if (!error) error = &tmp_err; + *error = NULL; + + if (extra) *extra = NULL; + if (result) *result = NULL; + + /* + * We always need the result, but our caller may not + */ + if (!result) { + result = &tmp_msg; + freeit = true; + } + + /* + * Check if there was an error sending the request + */ + ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &lib_errno); + if (lib_errno != LDAP_SUCCESS) goto process_error; + if (msgid < 0) return LDAP_SUCCESS; /* No msgid and no error, return now */ + + memset(&tv, 0, sizeof(tv)); + tv.tv_sec = inst->res_timeout; + + /* + * Now retrieve the result and check for errors + * ldap_result returns -1 on failure, and 0 on timeout + */ + lib_errno = ldap_result(conn->handle, msgid, 1, &tv, result); + if (lib_errno == 0) { + lib_errno = LDAP_TIMEOUT; + + goto process_error; + } + + if (lib_errno == -1) { + ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &lib_errno); + + goto process_error; + } + + /* + * Parse the result and check for errors sent by the server + */ + lib_errno = ldap_parse_result(conn->handle, *result, + &srv_errno, + extra ? &part_dn : NULL, + extra ? &srv_err : NULL, + NULL, NULL, freeit); + if (freeit) *result = NULL; + + if (lib_errno != LDAP_SUCCESS) { + ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &lib_errno); + goto process_error; + } + +process_error: + if ((lib_errno == LDAP_SUCCESS) && (srv_errno != LDAP_SUCCESS)) { + lib_errno = srv_errno; + } else if ((lib_errno != LDAP_SUCCESS) && (srv_errno == LDAP_SUCCESS)) { + srv_errno = lib_errno; + } + + switch (lib_errno) { + case LDAP_SUCCESS: + *error = "Success"; + break; + + case LDAP_SASL_BIND_IN_PROGRESS: + *error = "Continuing"; + status = LDAP_PROC_CONTINUE; + break; + + case LDAP_NO_SUCH_OBJECT: + *error = "The specified DN wasn't found"; + status = LDAP_PROC_BAD_DN; + + if (!extra) break; + + /* + * Build our own internal diagnostic string + */ + len = rlm_ldap_common_dn(dn, part_dn); + if (len < 0) break; + + our_err = talloc_typed_asprintf(conn, "Match stopped here: [%.*s]%s", len, dn, part_dn ? part_dn : ""); + goto error_string; + + case LDAP_INSUFFICIENT_ACCESS: + *error = "Insufficient access. Check the identity and password configuration directives"; + status = LDAP_PROC_NOT_PERMITTED; + break; + + case LDAP_UNWILLING_TO_PERFORM: + *error = "Server was unwilling to perform"; + status = LDAP_PROC_NOT_PERMITTED; + break; + + case LDAP_FILTER_ERROR: + *error = "Bad search filter"; + status = LDAP_PROC_ERROR; + break; + + case LDAP_TIMEOUT: + *error = "Timed out while waiting for server to respond"; + goto timeout; + + case LDAP_TIMELIMIT_EXCEEDED: + *error = "Time limit exceeded"; + timeout: + exec_trigger(NULL, inst->cs, "modules.ldap.timeout", true); + /* FALL-THROUGH */ + + case LDAP_BUSY: + case LDAP_UNAVAILABLE: + case LDAP_SERVER_DOWN: + status = LDAP_PROC_RETRY; + goto error_string; + + case LDAP_INVALID_CREDENTIALS: + case LDAP_CONSTRAINT_VIOLATION: + status = LDAP_PROC_REJECT; + goto error_string; + + case LDAP_OPERATIONS_ERROR: + if (inst->chase_referrals) { + *error = "Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information."; + } else { + *error = "Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration " + "for details."; + } + + /* FALL-THROUGH */ + default: + status = LDAP_PROC_ERROR; + + error_string: + if (!*error) *error = ldap_err2string(lib_errno); + + if (!extra || ((lib_errno == srv_errno) && !our_err && !srv_err)) break; + + /* + * Output the error codes from the library and server + */ + p = talloc_zero_array(conn, char, 1); + if (!p) break; + + if (lib_errno != srv_errno) { + a = talloc_asprintf_append(p, "LDAP lib error: %s (%u), srv error: %s (%u). ", + ldap_err2string(lib_errno), lib_errno, + ldap_err2string(srv_errno), srv_errno); + if (!a) { + talloc_free(p); + break; + } + + p = a; + } + + if (our_err) { + a = talloc_asprintf_append_buffer(p, "%s. ", our_err); + if (!a) { + talloc_free(p); + break; + } + + p = a; + } + + if (srv_err) { + a = talloc_asprintf_append_buffer(p, "Server said: %s. ", srv_err); + if (!a) { + talloc_free(p); + break; + } + + p = a; + } + + *extra = p; + + break; + } + + /* + * Cleanup memory + */ + if (srv_err) ldap_memfree(srv_err); + if (part_dn) ldap_memfree(part_dn); + + talloc_free(our_err); + + if ((status < 0) && *result) { + ldap_msgfree(*result); + *result = NULL; + } + + return status; +} + +/** Bind to the LDAP directory as a user + * + * Performs a simple bind to the LDAP directory, and handles any errors that occur. + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request, this may be NULL, in which case all debug logging is done with radlog. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] dn of the user, may be NULL to bind anonymously. + * @param[in] password of the user, may be NULL if no password is specified. + * @param[in] sasl mechanism to use for bind, and additional parameters. + * @param[in] retry if the server is down. + * @return One of the LDAP_PROC_* (#ldap_rcode_t) values. + */ +ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, + char const *password, ldap_sasl *sasl, bool retry) +{ + ldap_rcode_t status = LDAP_PROC_ERROR; + + int msgid = -1; + + char const *error = NULL; + char *extra = NULL; + + int i, num; + + rad_assert(*pconn && (*pconn)->handle); + rad_assert(!retry || inst->pool); + +#ifndef WITH_SASL + if (sasl && sasl->mech) { + REDEBUG("Server is built without SASL, but is being asked to do SASL."); + return status; + } +#endif + + /* + * Bind as anonymous user + */ + if (!dn) dn = ""; + + /* + * For sanity, for when no connections are viable, + * and we can't make a new one. + */ + num = retry ? fr_connection_pool_get_num(inst->pool) : 0; + for (i = num; i >= 0; i--) { +#ifdef WITH_SASL + if (sasl && sasl->mech) { + status = rlm_ldap_sasl_interactive(inst, request, *pconn, dn, password, sasl, + &error, &extra); + } else +#endif + { + msgid = ldap_bind((*pconn)->handle, dn, password, LDAP_AUTH_SIMPLE); + + /* We got a valid message ID */ + if (msgid >= 0) { + if (request) { + RDEBUG2("Waiting for bind result..."); + } else { + DEBUG2("rlm_ldap (%s): Waiting for bind result...", inst->name); + } + } + + status = rlm_ldap_result(inst, *pconn, msgid, dn, NULL, &error, &extra); + } + + switch (status) { + case LDAP_PROC_SUCCESS: + LDAP_DBG_REQ("Bind successful"); + break; + + case LDAP_PROC_NOT_PERMITTED: + LDAP_ERR_REQ("Bind was not permitted: %s", error); + LDAP_EXT_REQ(); + + break; + + case LDAP_PROC_REJECT: + LDAP_ERR_REQ("Bind credentials incorrect: %s", error); + LDAP_EXT_REQ(); + + break; + + case LDAP_PROC_RETRY: + if (retry) { + *pconn = fr_connection_reconnect(inst->pool, *pconn); + if (*pconn) { + LDAP_DBGW_REQ("Bind with %s to %s failed: %s. Got new socket, retrying...", + *dn ? dn : "(anonymous)", inst->server, error); + + talloc_free(extra); /* don't leak debug info */ + + continue; + } + }; + status = LDAP_PROC_ERROR; + + /* + * Were not allowed to retry, or there are no more + * sockets, treat this as a hard failure. + */ + /* FALL-THROUGH */ + default: + LDAP_ERR_REQ("Bind with %s to %s failed: %s", *dn ? dn : "(anonymous)", + inst->server, error); + LDAP_EXT_REQ(); + + break; + } + + break; + } + + if (retry && (i < 0)) { + LDAP_ERR_REQ("Hit reconnection limit"); + status = LDAP_PROC_ERROR; + } + + talloc_free(extra); + + return status; /* caller closes the connection */ +} + +/** Search for something in the LDAP directory + * + * Binds as the administrative user and performs a search, dealing with any errors. + * + * @param[out] result Where to store the result. Must be freed with ldap_msgfree if LDAP_PROC_SUCCESS is returned. + * May be NULL in which case result will be automatically freed after use. + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] dn to use as base for the search. + * @param[in] scope to use (LDAP_SCOPE_BASE, LDAP_SCOPE_ONE, LDAP_SCOPE_SUB). + * @param[in] filter to use, should be pre-escaped. + * @param[in] attrs to retrieve. + * @param[in] serverctrls Search controls to pass to the server. May be NULL. + * @param[in] clientctrls Search controls for ldap_search. May be NULL. + * @return One of the LDAP_PROC_* (#ldap_rcode_t) values. + */ +ldap_rcode_t rlm_ldap_search(LDAPMessage **result, rlm_ldap_t const *inst, REQUEST *request, + ldap_handle_t **pconn, + char const *dn, int scope, char const *filter, char const * const *attrs, + LDAPControl **serverctrls, LDAPControl **clientctrls) +{ + ldap_rcode_t status = LDAP_PROC_ERROR; + LDAPMessage *our_result = NULL; + + int msgid; // Message id returned by + // ldap_search_ext. + + int count = 0; // Number of results we got. + + struct timeval tv; // Holds timeout values. + + char const *error = NULL; + char *extra = NULL; + + int i; + + rad_assert(*pconn && (*pconn)->handle); + + /* + * OpenLDAP library doesn't declare attrs array as const, but + * it really should be *sigh*. + */ + char **search_attrs; + memcpy(&search_attrs, &attrs, sizeof(attrs)); + + /* + * Do all searches as the admin user. + */ + if ((*pconn)->rebound) { + status = rlm_ldap_bind(inst, request, pconn, (*pconn)->inst->admin_identity, + (*pconn)->inst->admin_password, &(*pconn)->inst->admin_sasl, true); + if (status != LDAP_PROC_SUCCESS) { + return LDAP_PROC_ERROR; + } + + rad_assert(*pconn); + + (*pconn)->rebound = false; + } + + if (filter) { + LDAP_DBG_REQ("Performing search in \"%s\" with filter \"%s\", scope \"%s\"", dn, filter, + fr_int2str(ldap_scope, scope, "<INVALID>")); + } else { + LDAP_DBG_REQ("Performing unfiltered search in \"%s\", scope \"%s\"", dn, + fr_int2str(ldap_scope, scope, "<INVALID>")); + } + /* + * If LDAP search produced an error it should also be logged + * to the ld. result should pick it up without us + * having to pass it explicitly. + */ + memset(&tv, 0, sizeof(tv)); + tv.tv_sec = inst->res_timeout; + + /* + * For sanity, for when no connections are viable, + * and we can't make a new one. + */ + for (i = fr_connection_pool_get_num(inst->pool); i >= 0; i--) { + (void) ldap_search_ext((*pconn)->handle, dn, scope, filter, search_attrs, + 0, serverctrls, clientctrls, &tv, 0, &msgid); + + LDAP_DBG_REQ("Waiting for search result..."); + status = rlm_ldap_result(inst, *pconn, msgid, dn, &our_result, &error, &extra); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + /* + * Invalid DN isn't a failure when searching. + * The DN may be xlat expanded so may point directly + * to an LDAP object. If that can't be located, it's + * the same as notfound. + */ + case LDAP_PROC_BAD_DN: + LDAP_DBG_REQ("%s", error); + if (extra) LDAP_DBG_REQ("%s", extra); + break; + + case LDAP_PROC_RETRY: + *pconn = fr_connection_reconnect(inst->pool, *pconn); + if (*pconn) { + LDAP_DBGW_REQ("Search failed: %s. Got new socket, retrying...", error); + + talloc_free(extra); /* don't leak debug info */ + + continue; + } + + status = LDAP_PROC_ERROR; + + /* FALL-THROUGH */ + default: + LDAP_ERR_REQ("Failed performing search: %s", error); + if (extra) LDAP_ERR_REQ("%s", extra); + + goto finish; + } + + break; + } + + if (i < 0) { + LDAP_ERR_REQ("Hit reconnection limit"); + status = LDAP_PROC_ERROR; + + goto finish; + } + + count = ldap_count_entries((*pconn)->handle, our_result); + if (count < 0) { + LDAP_ERR_REQ("Error counting results: %s", rlm_ldap_error_str(*pconn)); + status = LDAP_PROC_ERROR; + + ldap_msgfree(our_result); + our_result = NULL; + } else if (count == 0) { + LDAP_DBG_REQ("Search returned no results"); + status = LDAP_PROC_NO_RESULT; + + ldap_msgfree(our_result); + our_result = NULL; + } + +finish: + talloc_free(extra); + + /* + * We always need to get the result to count entries, but the caller + * may not of requested one. If that's the case, free it, else write + * it to where our caller said. + */ + if (!result) { + if (our_result) ldap_msgfree(our_result); + } else { + *result = our_result; + } + + return status; +} + +/** Modify something in the LDAP directory + * + * Binds as the administrative user and attempts to modify an LDAP object. + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] dn of the object to modify. + * @param[in] mods to make, see 'man ldap_modify' for more information. + * @return One of the LDAP_PROC_* (#ldap_rcode_t) values. + */ +ldap_rcode_t rlm_ldap_modify(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + char const *dn, LDAPMod *mods[]) +{ + ldap_rcode_t status = LDAP_PROC_ERROR; + + int msgid; // Message id returned by ldap_search_ext. + + char const *error = NULL; + char *extra = NULL; + + int i; + + rad_assert(*pconn && (*pconn)->handle); + + /* + * Perform all modifications as the admin user. + */ + if ((*pconn)->rebound) { + status = rlm_ldap_bind(inst, request, pconn, (*pconn)->inst->admin_identity, + (*pconn)->inst->admin_password, &(*pconn)->inst->admin_sasl, true); + if (status != LDAP_PROC_SUCCESS) { + return LDAP_PROC_ERROR; + } + + rad_assert(*pconn); + + (*pconn)->rebound = false; + } + + /* + * For sanity, for when no connections are viable, + * and we can't make a new one. + */ + for (i = fr_connection_pool_get_num(inst->pool); i >= 0; i--) { + RDEBUG2("Modifying object with DN \"%s\"", dn); + (void) ldap_modify_ext((*pconn)->handle, dn, mods, NULL, NULL, &msgid); + + RDEBUG2("Waiting for modify result..."); + status = rlm_ldap_result(inst, *pconn, msgid, dn, NULL, &error, &extra); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_RETRY: + *pconn = fr_connection_reconnect(inst->pool, *pconn); + if (*pconn) { + RWDEBUG("Modify failed: %s. Got new socket, retrying...", error); + + talloc_free(extra); /* don't leak debug info */ + continue; + } + + status = LDAP_PROC_ERROR; + + /* FALL-THROUGH */ + default: + REDEBUG("Failed modifying object: %s", error); + REDEBUG("%s", extra); + + goto finish; + } + + break; + } + + if (i < 0) { + LDAP_ERR_REQ("Hit reconnection limit"); + status = LDAP_PROC_ERROR; + } + +finish: + talloc_free(extra); + + return status; +} + +/** Retrieve the DN of a user object + * + * Retrieves the DN of a user and adds it to the control list as LDAP-UserDN. Will also retrieve any + * attributes passed and return the result in *result. + * + * This potentially allows for all authorization and authentication checks to be performed in one + * ldap search operation, which is a big bonus given the number of crappy, slow *cough*AD*cough* + * LDAP directory servers out there. + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] attrs Additional attributes to retrieve, may be NULL. + * @param[in] force Query even if the User-DN already exists. + * @param[out] result Where to write the result, may be NULL in which case result is discarded. + * @param[out] rcode The status of the operation, one of the RLM_MODULE_* codes. + * @return The user's DN or NULL on error. + */ +char const *rlm_ldap_find_user(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + char const *attrs[], bool force, LDAPMessage **result, rlm_rcode_t *rcode) +{ + static char const *tmp_attrs[] = { NULL }; + + ldap_rcode_t status; + VALUE_PAIR *vp = NULL; + LDAPMessage *tmp_msg = NULL, *entry = NULL; + int ldap_errno; + int cnt; + char *dn = NULL; + char const *filter = NULL; + char filter_buff[LDAP_MAX_FILTER_STR_LEN]; + char const *base_dn; + char base_dn_buff[LDAP_MAX_DN_STR_LEN]; + LDAPControl *serverctrls[] = { inst->userobj_sort_ctrl, NULL }; + + bool freeit = false; //!< Whether the message should + //!< be freed after being processed. + + *rcode = RLM_MODULE_FAIL; + + if (!result) { + result = &tmp_msg; + freeit = true; + } + *result = NULL; + + if (!attrs) { + memset(&attrs, 0, sizeof(tmp_attrs)); + } + + /* + * If the caller isn't looking for the result we can just return the current userdn value. + */ + if (!force) { + vp = fr_pair_find_by_da(request->config, inst->user_dn_da, TAG_ANY); + if (vp) { + RDEBUG("Using user DN from request \"%s\"", vp->vp_strvalue); + *rcode = RLM_MODULE_OK; + return vp->vp_strvalue; + } + } + + /* + * Perform all searches as the admin user. + */ + if ((*pconn)->rebound) { + status = rlm_ldap_bind(inst, request, pconn, (*pconn)->inst->admin_identity, + (*pconn)->inst->admin_password, &(*pconn)->inst->admin_sasl, true); + if (status != LDAP_PROC_SUCCESS) { + *rcode = RLM_MODULE_FAIL; + return NULL; + } + + rad_assert(*pconn); + + (*pconn)->rebound = false; + } + + if (inst->userobj_filter) { + if (tmpl_expand(&filter, filter_buff, sizeof(filter_buff), request, inst->userobj_filter, + rlm_ldap_escape_func, NULL) < 0) { + REDEBUG("Unable to create filter"); + *rcode = RLM_MODULE_INVALID; + + return NULL; + } + } + + if (tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request, + inst->userobj_base_dn, rlm_ldap_escape_func, NULL) < 0) { + REDEBUG("Unable to create base_dn"); + *rcode = RLM_MODULE_INVALID; + + return NULL; + } + + status = rlm_ldap_search(result, inst, request, pconn, base_dn, + inst->userobj_scope, filter, attrs, serverctrls, NULL); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_BAD_DN: + case LDAP_PROC_NO_RESULT: + *rcode = RLM_MODULE_NOTFOUND; + return NULL; + + default: + *rcode = RLM_MODULE_FAIL; + return NULL; + } + + rad_assert(*pconn); + + /* + * Forbid the use of unsorted search results that + * contain multiple entries, as it's a potential + * security issue, and likely non deterministic. + */ + if (!inst->userobj_sort_ctrl) { + cnt = ldap_count_entries((*pconn)->handle, *result); + if (cnt > 1) { + REDEBUG("Ambiguous search result, returned %i unsorted entries (should return 1 or 0). " + "Enable sorting, or specify a more restrictive base_dn, filter or scope", cnt); + REDEBUG("The following entries were returned:"); + RINDENT(); + for (entry = ldap_first_entry((*pconn)->handle, *result); + entry; + entry = ldap_next_entry((*pconn)->handle, entry)) { + dn = ldap_get_dn((*pconn)->handle, entry); + REDEBUG("%s", dn); + ldap_memfree(dn); + } + REXDENT(); + *rcode = RLM_MODULE_INVALID; + goto finish; + } + } + + entry = ldap_first_entry((*pconn)->handle, *result); + if (!entry) { + ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Failed retrieving entry: %s", + ldap_err2string(ldap_errno)); + + goto finish; + } + + dn = ldap_get_dn((*pconn)->handle, entry); + if (!dn) { + ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno)); + + goto finish; + } + rlm_ldap_normalise_dn(dn, dn); + + /* + * We can't use fr_pair_make here to copy the value into the + * attribute, as the dn must be copied into the attribute + * verbatim (without de-escaping). + * + * Special chars are pre-escaped by libldap, and because + * we pass the string back to libldap we must not alter it. + */ + RDEBUG("User object found at DN \"%s\"", dn); + vp = fr_pair_afrom_da(request, inst->user_dn_da); + if (vp) { + fr_pair_add(&request->config, vp); + fr_pair_value_strcpy(vp, dn); + *rcode = RLM_MODULE_OK; + } + ldap_memfree(dn); + +finish: + if ((freeit || (*rcode != RLM_MODULE_OK)) && *result) { + ldap_msgfree(*result); + *result = NULL; + } + + return vp ? vp->vp_strvalue : NULL; +} + +/** Check for presence of access attribute in result + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in] conn used to retrieve access attributes. + * @param[in] entry retrieved by rlm_ldap_find_user or rlm_ldap_search. + * @return + * - #RLM_MODULE_USERLOCK if the user was denied access. + * - #RLM_MODULE_OK otherwise. + */ +rlm_rcode_t rlm_ldap_check_access(rlm_ldap_t const *inst, REQUEST *request, + ldap_handle_t const *conn, LDAPMessage *entry) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + struct berval **values = NULL; + + values = ldap_get_values_len(conn->handle, entry, inst->userobj_access_attr); + if (values) { + if (inst->access_positive) { + if ((values[0]->bv_len >= 5) && (strncasecmp(values[0]->bv_val, "false", 5) == 0)) { + RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out", + inst->userobj_access_attr); + rcode = RLM_MODULE_USERLOCK; + } + /* RLM_MODULE_OK set above... */ + } else if ((values[0]->bv_len < 5) || (strncasecmp(values[0]->bv_val, "false", 5) != 0)) { + RDEBUG("\"%s\" attribute exists - user locked out", inst->userobj_access_attr); + rcode = RLM_MODULE_USERLOCK; + } + ldap_value_free_len(values); + } else if (inst->access_positive) { + RDEBUG("No \"%s\" attribute - user locked out", inst->userobj_access_attr); + rcode = RLM_MODULE_USERLOCK; + } + + return rcode; +} + +/** Verify we got a password from the search + * + * Checks to see if after the LDAP to RADIUS mapping has been completed that a reference password. + * + * @param inst rlm_ldap configuration. + * @param request Current request. + */ +void rlm_ldap_check_reply(rlm_ldap_t const *inst, REQUEST *request) +{ + /* + * More warning messages for people who can't be bothered to read the documentation. + * + * Expect_password is set when we process the mapping, and is only true if there was a mapping between + * an LDAP attribute and a password reference attribute in the control list. + */ + if (inst->expect_password && (rad_debug_lvl > 1)) { + if (!fr_pair_find_by_num(request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) && + !fr_pair_find_by_num(request->config, PW_NT_PASSWORD, 0, TAG_ANY) && + !fr_pair_find_by_num(request->config, PW_USER_PASSWORD, 0, TAG_ANY) && + !fr_pair_find_by_num(request->config, PW_PASSWORD_WITH_HEADER, 0, TAG_ANY) && + !fr_pair_find_by_num(request->config, PW_CRYPT_PASSWORD, 0, TAG_ANY)) { + RWDEBUG("No \"known good\" password added. Ensure the admin user has permission to " + "read the password attribute"); + RWDEBUG("PAP authentication will *NOT* work with Active Directory (if that is what you " + "were trying to configure)"); + } + } +} + +#if LDAP_SET_REBIND_PROC_ARGS == 3 +/** Callback for OpenLDAP to rebind and chase referrals + * + * Called by OpenLDAP when it receives a referral and has to rebind. + * + * @param handle to rebind. + * @param url to bind to. + * @param request that triggered the rebind. + * @param msgid that triggered the rebind. + * @param ctx rlm_ldap configuration. + */ +static int rlm_ldap_rebind(LDAP *handle, LDAP_CONST char *url, UNUSED ber_tag_t request, UNUSED ber_int_t msgid, + void *ctx) +{ + ldap_rcode_t status; + ldap_handle_t *conn = talloc_get_type_abort(ctx, ldap_handle_t); + + int ldap_errno; + + rad_assert(handle == conn->handle); + + DEBUG("rlm_ldap (%s): Rebinding to URL %s", conn->inst->name, url); + + status = rlm_ldap_bind(conn->inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password, + &(conn->inst->admin_sasl), false); + if (status != LDAP_PROC_SUCCESS) { + ldap_get_option(handle, LDAP_OPT_ERROR_NUMBER, &ldap_errno); + + return ldap_errno; + } + + + return LDAP_SUCCESS; +} +#endif + +int rlm_ldap_global_init(rlm_ldap_t *inst) +{ + int ldap_errno; + +#define do_ldap_global_option(_option, _name, _value) \ + if (ldap_set_option(NULL, _option, _value) != LDAP_OPT_SUCCESS) { \ + ldap_get_option(NULL, LDAP_OPT_ERROR_NUMBER, &ldap_errno); \ + ERROR("Failed setting global option %s: %s", _name, \ + (ldap_errno != LDAP_SUCCESS) ? ldap_err2string(ldap_errno) : "Unknown error"); \ + return -1;\ + } + +#define maybe_ldap_global_option(_option, _name, _value) \ + if (_value) do_ldap_global_option(_option, _name, _value) + +#ifdef LDAP_OPT_DEBUG_LEVEL + /* + * Can't use do_ldap_global_option + */ + if (inst->ldap_debug) do_ldap_global_option(LDAP_OPT_DEBUG_LEVEL, "ldap_debug", &(inst->ldap_debug)); +#endif + +#ifdef LDAP_OPT_X_TLS_RANDOM_FILE + /* + * OpenLDAP will error out if we attempt to set + * this on a handle. Presumably it's global in + * OpenSSL too. + */ + maybe_ldap_global_option(LDAP_OPT_X_TLS_RANDOM_FILE, "random_file", inst->tls_random_file); +#endif + return 0; +} + +/** Close and delete a connection + * + * Unbinds the LDAP connection, informing the server and freeing any memory, then releases the memory used by the + * connection handle. + * + * @param conn to destroy. + * @return always indicates success. + */ +static int _mod_conn_free(ldap_handle_t *conn) +{ + if (conn->handle) { + DEBUG3("rlm_ldap: Closing libldap handle %p", conn->handle); +#ifdef HAVE_LDAP_UNBIND_EXT_S + ldap_unbind_ext_s(conn->handle, NULL, NULL); +#else + ldap_unbind_s(conn->handle); +#endif + } + + return 0; +} + +/** Create and return a new connection + * + * Create a new ldap connection and allocate memory for a new rlm_handle_t + */ +void *mod_conn_create(TALLOC_CTX *ctx, void *instance) +{ + ldap_rcode_t status; + + int ldap_errno, ldap_version; + struct timeval tv; + + rlm_ldap_t *inst = instance; + ldap_handle_t *conn; + + /* + * Allocate memory for the handle. + */ + conn = talloc_zero(ctx, ldap_handle_t); + if (!conn) return NULL; + talloc_set_destructor(conn, _mod_conn_free); + + conn->inst = inst; + conn->rebound = false; + + DEBUG("rlm_ldap (%s): Connecting to %s", inst->name, inst->server); +#ifdef HAVE_LDAP_INITIALIZE + ldap_errno = ldap_initialize(&conn->handle, inst->server); + if (ldap_errno != LDAP_SUCCESS) { + LDAP_ERR("ldap_initialize failed: %s", ldap_err2string(ldap_errno)); + goto error; + } +#else + conn->handle = ldap_init(inst->server, inst->port); + if (!conn->handle) { + LDAP_ERR("ldap_init failed"); + goto error; + } +#endif + DEBUG3("rlm_ldap (%s): New libldap handle %p", inst->name, conn->handle); + + /* + * We now have a connection structure, but no actual connection. + * + * Set a bunch of LDAP options, using common code. + */ +#define do_ldap_option(_option, _name, _value) \ + if (ldap_set_option(conn->handle, _option, _value) != LDAP_OPT_SUCCESS) { \ + ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &ldap_errno); \ + LDAP_ERR("Failed setting connection option %s: %s", _name, \ + (ldap_errno != LDAP_SUCCESS) ? ldap_err2string(ldap_errno) : "Unknown error"); \ + goto error;\ + } + +#define maybe_ldap_option(_option, _name, _value) \ + if (_value) do_ldap_option(_option, _name, _value) + + /* + * Leave "dereference" unset to use the OpenLDAP default. + */ + if (inst->dereference_str) { + do_ldap_option(LDAP_OPT_DEREF, "dereference", &(inst->dereference)); + } + + /* + * Leave "chase_referrals" unset to use the OpenLDAP default. + */ + if (!inst->chase_referrals_unset) { + if (inst->chase_referrals) { + do_ldap_option(LDAP_OPT_REFERRALS, "chase_referrals", LDAP_OPT_ON); + + if (inst->rebind == true) { +#if LDAP_SET_REBIND_PROC_ARGS == 3 + ldap_set_rebind_proc(conn->handle, rlm_ldap_rebind, conn); +#endif + } + } else { + do_ldap_option(LDAP_OPT_REFERRALS, "chase_referrals", LDAP_OPT_OFF); + } + } + +#ifdef LDAP_OPT_NETWORK_TIMEOUT + if (inst->net_timeout) { + memset(&tv, 0, sizeof(tv)); + tv.tv_sec = inst->net_timeout; + + do_ldap_option(LDAP_OPT_NETWORK_TIMEOUT, "net_timeout", &tv); + } +#endif + + do_ldap_option(LDAP_OPT_TIMELIMIT, "srv_timelimit", &(inst->srv_timelimit)); + + ldap_version = LDAP_VERSION3; + do_ldap_option(LDAP_OPT_PROTOCOL_VERSION, "ldap_version", &ldap_version); + +#ifdef LDAP_OPT_X_KEEPALIVE_IDLE + do_ldap_option(LDAP_OPT_X_KEEPALIVE_IDLE, "keepalive idle", &(inst->keepalive_idle)); +#endif + +#ifdef LDAP_OPT_X_KEEPALIVE_PROBES + do_ldap_option(LDAP_OPT_X_KEEPALIVE_PROBES, "keepalive probes", &(inst->keepalive_probes)); +#endif + +#ifdef LDAP_OPT_X_KEEPALIVE_INTERVAL + do_ldap_option(LDAP_OPT_X_KEEPALIVE_INTERVAL, "keepalive interval", &(inst->keepalive_interval)); +#endif + +#ifdef HAVE_LDAP_START_TLS_S + /* + * Set all of the TLS options + */ + if (inst->tls_mode) { + do_ldap_option(LDAP_OPT_X_TLS, "tls_mode", &(inst->tls_mode)); + } + + maybe_ldap_option(LDAP_OPT_X_TLS_CACERTFILE, "ca_file", inst->tls_ca_file); + maybe_ldap_option(LDAP_OPT_X_TLS_CACERTDIR, "ca_path", inst->tls_ca_path); + + + /* + * Set certificate options + */ + maybe_ldap_option(LDAP_OPT_X_TLS_CERTFILE, "certificate_file", inst->tls_certificate_file); + maybe_ldap_option(LDAP_OPT_X_TLS_KEYFILE, "private_key_file", inst->tls_private_key_file); + +# ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + if (inst->tls_require_cert_str) { + do_ldap_option(LDAP_OPT_X_TLS_REQUIRE_CERT, "require_cert", &inst->tls_require_cert); + } +# endif + +# ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN + if (inst->tls_min_version_str) { + do_ldap_option(LDAP_OPT_X_TLS_PROTOCOL_MIN, "tls_min_version", &inst->tls_min_version); + } +# endif + + /* + * Counter intuitively the TLS context appears to need to be initialised + * after all the TLS options are set on the handle. + */ +# ifdef LDAP_OPT_X_TLS_NEWCTX + { + /* Always use the new TLS configuration context */ + int is_server = 0; + do_ldap_option(LDAP_OPT_X_TLS_NEWCTX, "new TLS context", &is_server); + + } +# endif + + /* + * And finally start the TLS code. + */ + if (inst->start_tls) { + if (inst->port == 636) { + WARN("Told to Start TLS on LDAPS port this will probably fail, please correct the " + "configuration"); + } + + if (ldap_start_tls_s(conn->handle, NULL, NULL) != LDAP_SUCCESS) { + ldap_get_option(conn->handle, LDAP_OPT_ERROR_NUMBER, &ldap_errno); + + LDAP_ERR("Could not start TLS: %s", ldap_err2string(ldap_errno)); + goto error; + } + } +#endif /* HAVE_LDAP_START_TLS_S */ + + if (inst->sasl_secprops) { + do_ldap_option(LDAP_OPT_X_SASL_SECPROPS, "SASL_SECPROPS", inst->sasl_secprops); + } + + status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password, + &(conn->inst->admin_sasl), false); + if (status != LDAP_PROC_SUCCESS) { + goto error; + } + + return conn; + +error: + talloc_free(conn); + + return NULL; +} + +/** Gets an LDAP socket from the connection pool + * + * Retrieve a socket from the connection pool, or NULL on error (of if no sockets are available). + * + * @param inst rlm_ldap configuration. + * @param request Current request (may be NULL). + */ +ldap_handle_t *mod_conn_get(rlm_ldap_t const *inst, UNUSED REQUEST *request) +{ + return fr_connection_get(inst->pool); +} + +/** Frees an LDAP socket back to the connection pool + * + * If the socket was rebound chasing a referral onto another server then we destroy it. + * If the socket was rebound to another user on the same server, we let the next caller rebind it. + * + * @param inst rlm_ldap configuration. + * @param conn to release. + */ +void mod_conn_release(rlm_ldap_t const *inst, ldap_handle_t *conn) +{ + /* + * Could have already been free'd due to a previous error. + */ + if (!conn) return; + + fr_connection_release(inst->pool, conn); + return; +} diff --git a/src/modules/rlm_ldap/ldap.h b/src/modules/rlm_ldap/ldap.h new file mode 100644 index 0000000..f3e0667 --- /dev/null +++ b/src/modules/rlm_ldap/ldap.h @@ -0,0 +1,486 @@ +/** + * $Id$ + * @file ldap.h + * @brief LDAP authorization and authentication module headers. + * + * @author Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2015 Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2013 Network RADIUS SARL<info@networkradius.com> + * @copyright 2013-2015 The FreeRADIUS Server Project. + */ +#ifndef _RLM_LDAP_H +#define _RLM_LDAP_H + +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/modules.h> + +/* + * We're mostly using the new API now, but ldap_bind + * is in the list of deprecated functions, at we may + * always need to support that. + */ +#define LDAP_DEPRECATED 1 +USES_APPLE_DEPRECATED_API /* Apple wants us to use OpenDirectory Framework, we don't want that */ +#include <lber.h> +#include <ldap.h> +#include "config.h" + +/* + * Ensure the have the ldap_create_sort_keylist() + * function too, else we can't use ldap_create_sort_control() + */ +#if !defined(LDAP_CREATE_SORT_KEYLIST) || !defined(LDAP_FREE_SORT_KEYLIST) +# undef HAVE_LDAP_CREATE_SORT_CONTROL +#endif + +/* + * Because the LTB people define LDAP_VENDOR_VERSION_PATCH + * as X, which precludes its use in printf statements *sigh* + * + * Identifiers that are not macros, all evaluate to 0, + * which is why this works. + */ +#if !defined(LDAP_VENDOR_VERSION_PATCH) || LDAP_VENDOR_VERSION_PATCH == 0 +# undef LDAP_VENDOR_VERSION_PATCH +# define LDAP_VENDOR_VERSION_PATCH 0 +#endif + +/* + * For compatibility with other LDAP libraries + */ +#if !defined(LDAP_SCOPE_BASE) && defined(LDAP_SCOPE_BASEOBJECT) +# define LDAP_SCOPE_BASE LDAP_SCOPE_BASEOBJECT +#endif + +#if !defined(LDAP_SCOPE_ONE) && defined(LDAP_SCOPE_ONELEVEL) +# define LDAP_SCOPE_ONE LDAP_SCOPE_ONELEVEL +#endif + +#if !defined(LDAP_SCOPE_SUB) && defined(LDAP_SCOPE_SUBTREE) +# define LDAP_SCOPE_SUB LDAP_SCOPE_SUBTREE +#endif + +#if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER) +# define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER +#endif + +#ifndef LDAP_CONST +# define LDAP_CONST +#endif + +#if defined(HAVE_LDAP_URL_PARSE) && defined(HAVE_LDAP_IS_LDAP_URL) && defined(HAVE_LDAP_URL_DESC2STR) +# define LDAP_CAN_PARSE_URLS +#endif + +#define MOD_PREFIX "rlm_ldap" //!< The name of the module. + +#define LDAP_MAX_ATTRMAP 128 //!< Maximum number of mappings between LDAP and + //!< FreeRADIUS attributes. +#define LDAP_MAP_RESERVED 4 //!< Number of additional items to allocate in expanded + //!< attribute name arrays. Currently for enable attribute, + //!< group membership attribute, valuepair attribute, + //!< and profile attribute. + +#define LDAP_MAX_CACHEABLE 64 //!< Maximum number of groups we retrieve from the server for + //!< a given user. If more than this number are retrieve the + //!< module returns invalid. + +#define LDAP_MAX_GROUP_NAME_LEN 128 //!< Maximum name of a group name. +#define LDAP_MAX_ATTR_STR_LEN 256 //!< Maximum length of an xlat expanded LDAP attribute. +#define LDAP_MAX_FILTER_STR_LEN 1024 //!< Maximum length of an xlat expanded filter. +#define LDAP_MAX_DN_STR_LEN 1024 //!< Maximum length of an xlat expanded DN. + +#define LDAP_VIRTUAL_DN_ATTR "dn" //!< 'Virtual' attribute which maps to the DN of the object. + +typedef struct ldap_acct_section { + CONF_SECTION *cs; //!< Section configuration. + + char const *reference; //!< Configuration reference string. +} ldap_acct_section_t; + +typedef struct ldap_sasl { + char const *mech; //!< SASL mech(s) to try. + char const *proxy; //!< Identity to proxy. + char const *realm; //!< Kerberos realm. +} ldap_sasl; + +typedef struct ldap_sasl_dynamic { + vp_tmpl_t *mech; //!< SASL mech(s) to try. + vp_tmpl_t *proxy; //!< Identity to proxy. + vp_tmpl_t *realm; //!< Kerberos realm. +} ldap_sasl_dynamic; + +typedef struct ldap_instance { + CONF_SECTION *cs; //!< Main configuration section for this instance. + fr_connection_pool_t *pool; //!< Connection pool instance. + + char const *config_server; //!< Server set in the config. + char *server; //!< Initial server to bind to. + uint16_t port; //!< Port to use when binding to the server. + + char const *admin_identity; //!< Identity we bind as when we need to query the LDAP + //!< directory. + char const *admin_password; //!< Password used in administrative bind. + + ldap_sasl admin_sasl; //!< SASL parameters used when binding as the admin. + + const char *sasl_secprops; //!< SASL Security Properties to set. + + char const *dereference_str; //!< When to dereference (never, searching, finding, always) + int dereference; //!< libldap value specifying dereferencing behaviour. + + bool chase_referrals; //!< If the LDAP server returns a referral to another server + //!< or point in the tree, follow it, establishing new + //!< connections and binding where necessary. + bool chase_referrals_unset; //!< If true, use the OpenLDAP defaults for chase_referrals. + + bool rebind; //!< Controls whether we set an ldad_rebind_proc function + //!< and so determines if we can bind to other servers whilst + //!< chasing referrals. If this is false, we will still chase + //!< referrals on the same server, but won't bind to other + //!< servers. + + uint32_t ldap_debug; //!< Debug flag for the SDK. + + char const *name; //!< Instance name. + + bool expect_password; //!< True if the user_map included a mapping between an LDAP + //!< attribute and one of our password reference attributes. + + /* + * RADIUS attribute to LDAP attribute maps + */ + vp_map_t *user_map; //!< Attribute map applied to users and profiles. + + /* + * User object attributes and filters + */ + vp_tmpl_t *userobj_filter; //!< Filter to retrieve only user objects. + vp_tmpl_t *userobj_base_dn; //!< DN to search for users under. + char const *userobj_scope_str; //!< Scope (sub, one, base). + char const *userobj_sort_by; //!< List of attributes to sort by. + LDAPControl *userobj_sort_ctrl; //!< Server side sort control. + + int userobj_scope; //!< Search scope. + + char const *user_dn; //!< for multiple LDAP modules + DICT_ATTR const *user_dn_da; //!< cached user DN + + char const *userobj_membership_attr; //!< Attribute that describes groups the user is a member of. + char const *userobj_access_attr; //!< Attribute to check to see if the user should be locked out. + bool access_positive; //!< If true the presence of the attribute will allow access, + //!< else it will deny access. + + char const *valuepair_attr; //!< Generic dynamic mapping attribute, contains a RADIUS + //!< attribute and value. + + ldap_sasl_dynamic user_sasl; //!< SASL parameters used when binding as the user. + + /* + * Group object attributes and filters + */ + char const *groupobj_filter; //!< Filter to retrieve only group objects. + vp_tmpl_t *groupobj_base_dn; //!< DN to search for users under. + char const *groupobj_scope_str; //!< Scope (sub, one, base). + int groupobj_scope; //!< Search scope. + + char const *groupobj_name_attr; //!< The name of the group. + char const *groupobj_membership_filter; //!< Filter to only retrieve groups which contain + //!< the user as a member. + + bool cacheable_group_name; //!< If true the server will determine complete set of group + //!< memberships for the current user object, and perform any + //!< resolution necessary to determine the names of those + //!< groups, then right them to the control list (LDAP-Group). + + bool cacheable_group_dn; //!< If true the server will determine complete set of group + //!< memberships for the current user object, and perform any + //!< resolution necessary to determine the DNs of those groups, + //!< then right them to the control list (LDAP-GroupDN). + + char const *cache_attribute; //!< Sets the attribute we use when creating and retrieving + //!< cached group memberships. + + DICT_ATTR const *cache_da; //!< The DA associated with this specific instance of the + //!< rlm_ldap module. + + DICT_ATTR const *group_da; //!< The DA associated with this specific instance of the + //!< rlm_ldap module. + + bool allow_dangling_group_refs; //!< Don't error if we fail to resolve a group DN referenced + ///< from a user object. + + + /* + * Dynamic clients + */ + char const *clientobj_filter; //!< Filter to retrieve only client objects. + char const *clientobj_base_dn; //!< DN to search for clients under. + char const *clientobj_scope_str; //!< Scope (sub, one, base). + int clientobj_scope; //!< Search scope. + + bool do_clients; //!< If true, attempt to load clients on instantiation. + + /* + * Profiles + */ + vp_tmpl_t *default_profile; //!< If this is set, we will search for a profile object + //!< with this name, and map any attributes it contains. + //!< No value should be set if profiles are not being used + //!< as there is an associated performance penalty. + char const *profile_attr; //!< Attribute that identifies profiles to apply. May appear + //!< in userobj or groupobj. + vp_tmpl_t *profile_filter; //!< Filter to retrieve only retrieve group objects. + + /* + * Accounting + */ + ldap_acct_section_t *postauth; //!< Modify mappings for post-auth. + ldap_acct_section_t *accounting; //!< Modify mappings for accounting. + + /* + * TLS items. We should really normalize these with the + * TLS code in 3.0. + */ + int tls_mode; + bool start_tls; //!< Send the Start TLS message to the LDAP directory + //!< to start encrypted communications using the standard + //!< LDAP port. + + char const *tls_ca_file; //!< Sets the full path to a CA certificate (used to validate + //!< the certificate the server presents). + + char const *tls_ca_path; //!< Sets the path to a directory containing CA certificates. + + char const *tls_certificate_file; //!< Sets the path to the public certificate file we present + //!< to the servers. + + char const *tls_private_key_file; //!< Sets the path to the private key for our public + //!< certificate. + + char const *tls_random_file; //!< Path to the random file if /dev/random and /dev/urandom + //!< are unavailable. + + char const *tls_require_cert_str; //!< Sets requirements for validating the certificate the + //!< server presents. + + int tls_require_cert; //!< OpenLDAP constant representing the require cert string. + + char const *tls_min_version_str; //!< Minimum TLS version + int tls_min_version; + + /* + * Options + */ + uint32_t net_timeout; //!< How long we wait for new connections to the LDAP server + //!< to be established. + uint32_t res_timeout; //!< How long we wait for a result from the server. + uint32_t srv_timelimit; //!< How long the server should spent on a single request + //!< (also bounded by value on the server). + +#ifdef WITH_EDIR + /* + * eDir support + */ + bool edir; //!< If true attempt to retrieve the user's cleartext password + //!< using the Universal Password feature of Novell eDirectory. + bool edir_autz; //!< If true, and we have the Universal Password, bind with it + //!< to perform additional authorisation checks. +#endif + /* + * For keep-alives. + */ +#ifdef LDAP_OPT_X_KEEPALIVE_IDLE + uint32_t keepalive_idle; //!< Number of seconds a connections needs to remain idle + //!< before TCP starts sending keepalive probes. +#endif +#ifdef LDAP_OPT_X_KEEPALIVE_PROBES + uint32_t keepalive_probes; //!< Number of missed timeouts before the connection is + //!< dropped. +#endif +#ifdef LDAP_OPT_X_KEEPALIVE_INTERVAL + uint32_t keepalive_interval; //!< Interval between keepalive probes. +#endif + + LDAP *handle; //!< Hack for OpenLDAP libldap global initialisation. +} rlm_ldap_t; + +/** Tracks the state of a libldap connection handle + * + */ +typedef struct ldap_handle { + LDAP *handle; //!< libldap handle. + bool rebound; //!< Whether the connection has been rebound to something + //!< other than the admin user. + rlm_ldap_t *inst; //!< rlm_ldap configuration. +} ldap_handle_t; + +/** Result of expanding the RHS of a set of maps + * + * Used to store the array of attributes we'll be querying for. + */ +typedef struct rlm_ldap_map_exp { + vp_map_t const *maps; //!< Head of list of maps we expanded the RHS of. + char const *attrs[LDAP_MAX_ATTRMAP + LDAP_MAP_RESERVED + 1]; //!< Reserve some space for access attributes + //!< and NULL termination. + TALLOC_CTX *ctx; //!< Context to allocate new attributes in. + int count; //!< Index on next free element. +} rlm_ldap_map_exp_t; + +/** Contains a collection of values + * + */ +typedef struct rlm_ldap_result { + struct berval **values; //!< libldap struct containing bv_val (char *) + //!< and length bv_len. + int count; //!< Number of values. +} rlm_ldap_result_t; + +/** Codes returned by rlm_ldap internal functions + * + */ +typedef enum { + LDAP_PROC_CONTINUE = 1, //!< Operation is in progress. + LDAP_PROC_SUCCESS = 0, //!< Operation was successfull. + + LDAP_PROC_ERROR = -1, //!< Unrecoverable library/server error. + + LDAP_PROC_RETRY = -2, //!< Transitory error, caller should retry the operation + //!< with a new connection. + + LDAP_PROC_NOT_PERMITTED = -3, //!< Operation was not permitted, either current user was + //!< locked out in the case of binds, or has insufficient + //!< access. + + LDAP_PROC_REJECT = -4, //!< Bind failed, user was rejected. + + LDAP_PROC_BAD_DN = -5, //!< Specified an invalid object in a bind or search DN. + + LDAP_PROC_NO_RESULT = -6 //!< Got no results. +} ldap_rcode_t; + +/* + * Some functions may be called with a NULL request structure, this + * simplifies switching certain messages from the request log to + * the main log. + */ +#define LDAP_INFO(fmt, ...) INFO("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) +#define LDAP_WARN(fmt, ...) WARN("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) + +#define LDAP_DBGW(fmt, ...) radlog(L_DBG_WARN, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) +#define LDAP_DBGW_REQ(fmt, ...) do { if (request) {RWDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBGW(fmt, ##__VA_ARGS__);}} while (0) + +#define LDAP_DBG(fmt, ...) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) +#define LDAP_DBG_REQ(fmt, ...) do { if (request) {RDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0) + +#define LDAP_DBG2(fmt, ...) if (rad_debug_lvl >= L_DBG_LVL_2) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) +#define LDAP_DBG_REQ2(fmt, ...) do { if (request) {RDEBUG2(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_2) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0) + +#define LDAP_DBG3(fmt, ...) if (rad_debug_lvl >= L_DBG_LVL_3) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) +#define LDAP_DBG_REQ3(fmt, ...) do { if (request) {RDEBUG3(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_3) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0) + +#define LDAP_ERR(fmt, ...) ERROR("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) +#define LDAP_ERR_REQ(fmt, ...) do { if (request) {REDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_ERR(fmt, ##__VA_ARGS__);}} while (0) + +#define LDAP_EXT() if (extra) LDAP_ERR(extra) +#define LDAP_EXT_REQ() do { if (extra) { if (request) REDEBUG("%s", extra); else LDAP_ERR("%s", extra); }} while (0) + +extern FR_NAME_NUMBER const ldap_scope[]; +extern FR_NAME_NUMBER const ldap_tls_require_cert[]; + +/* + * ldap.c - Wrappers arounds OpenLDAP functions. + */ +size_t rlm_ldap_escape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg); + +bool rlm_ldap_is_dn(char const *in, size_t inlen); + +size_t rlm_ldap_normalise_dn(char *out, char const *in); + +ssize_t rlm_ldap_xlat_filter(REQUEST *request, char const **sub, size_t sublen, char *out, size_t outlen); + +ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, + char const *password, ldap_sasl *sasl, bool retry); + +char const *rlm_ldap_error_str(ldap_handle_t const *conn); + +ldap_rcode_t rlm_ldap_search(LDAPMessage **result, rlm_ldap_t const *inst, REQUEST *request, + ldap_handle_t **pconn, + char const *dn, int scope, char const *filter, char const * const *attrs, + LDAPControl **serverctrls, LDAPControl **clientctrls); + +ldap_rcode_t rlm_ldap_modify(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + char const *dn, LDAPMod *mods[]); + +char const *rlm_ldap_find_user(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + char const *attrs[], bool force, LDAPMessage **result, rlm_rcode_t *rcode); + +rlm_rcode_t rlm_ldap_check_access(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t const *conn, + LDAPMessage *entry); + +void rlm_ldap_check_reply(rlm_ldap_t const *inst, REQUEST *request); + +/* + * ldap.c - Callbacks for the connection pool API. + */ +ldap_rcode_t rlm_ldap_result(rlm_ldap_t const *inst, ldap_handle_t const *conn, int msgid, char const *dn, + LDAPMessage **result, char const **error, char **extra); + +char *rlm_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in); + +int rlm_ldap_global_init(rlm_ldap_t *inst) CC_HINT(nonnull); + +void *mod_conn_create(TALLOC_CTX *ctx, void *instance); + +ldap_handle_t *mod_conn_get(rlm_ldap_t const *inst, REQUEST *request); + +void mod_conn_release(rlm_ldap_t const *inst, ldap_handle_t *conn); + +/* + * groups.c - Group membership functions. + */ +rlm_rcode_t rlm_ldap_cacheable_userobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + LDAPMessage *entry, char const *attr); + +rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn); + +rlm_rcode_t rlm_ldap_check_groupobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + VALUE_PAIR *check); + +rlm_rcode_t rlm_ldap_check_userobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + char const *dn, VALUE_PAIR *check); + +rlm_rcode_t rlm_ldap_check_cached(rlm_ldap_t const *inst, REQUEST *request, VALUE_PAIR *check); + +/* + * attrmap.c - Attribute mapping code. + */ +int rlm_ldap_map_getvalue(TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request, vp_map_t const *map, void *uctx); + +int rlm_ldap_map_verify(vp_map_t *map, void *instance); + +int rlm_ldap_map_expand(rlm_ldap_map_exp_t *expanded, REQUEST *request, vp_map_t const *maps); + +int rlm_ldap_map_do(rlm_ldap_t const *inst, REQUEST *request, LDAP *handle, + rlm_ldap_map_exp_t const *expanded, LDAPMessage *entry); + +/* + * clients.c - Dynamic clients (bulk load). + */ +int rlm_ldap_client_load(rlm_ldap_t const *inst, CONF_SECTION *tmpl, CONF_SECTION *cs); + +/* + * edir.c - Magic extensions for Novell + */ +int nmasldap_get_password(LDAP *ld, char const *dn, char *password, size_t *len); + +char const *edir_errstr(int code); + +/* + * sasl.s - SASL bind functions + */ +ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t const *inst, REQUEST *request, + ldap_handle_t *pconn, char const *dn, + char const *password, ldap_sasl *sasl, + char const **error, char **error_extra); +#endif diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c new file mode 100644 index 0000000..33e5a88 --- /dev/null +++ b/src/modules/rlm_ldap/rlm_ldap.c @@ -0,0 +1,1977 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * @file rlm_ldap.c + * @brief LDAP authorization and authentication module. + * + * @author Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @author Alan DeKok <aland@freeradius.org> + * + * @copyright 2012,2015 Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2013,2015 Network RADIUS SARL <info@networkradius.com> + * @copyright 2012 Alan DeKok <aland@freeradius.org> + * @copyright 1999-2013 The FreeRADIUS Server Project. + */ +RCSID("$Id$") + +#include <freeradius-devel/rad_assert.h> + +#include <stdarg.h> +#include <ctype.h> + +#include "ldap.h" + +/* + * Scopes + */ +FR_NAME_NUMBER const ldap_scope[] = { + { "sub", LDAP_SCOPE_SUB }, + { "one", LDAP_SCOPE_ONE }, + { "base", LDAP_SCOPE_BASE }, +#ifdef LDAP_SCOPE_CHILDREN + { "children", LDAP_SCOPE_CHILDREN }, +#endif + { NULL , -1 } +}; + +#ifdef LDAP_OPT_X_TLS_NEVER +FR_NAME_NUMBER const ldap_tls_require_cert[] = { + { "never", LDAP_OPT_X_TLS_NEVER }, + { "demand", LDAP_OPT_X_TLS_DEMAND }, + { "allow", LDAP_OPT_X_TLS_ALLOW }, + { "try", LDAP_OPT_X_TLS_TRY }, + { "hard", LDAP_OPT_X_TLS_HARD }, /* oh yes, just like that */ + + { NULL , -1 } +}; +#endif + +static FR_NAME_NUMBER const ldap_dereference[] = { + { "never", LDAP_DEREF_NEVER }, + { "searching", LDAP_DEREF_SEARCHING }, + { "finding", LDAP_DEREF_FINDING }, + { "always", LDAP_DEREF_ALWAYS }, + + { NULL , -1 } +}; + +static CONF_PARSER sasl_mech_dynamic[] = { + { "mech", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL | PW_TYPE_NOT_EMPTY, ldap_sasl_dynamic, mech), NULL }, + { "proxy", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, ldap_sasl_dynamic, proxy), NULL }, + { "realm", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, ldap_sasl_dynamic, realm), NULL }, + CONF_PARSER_TERMINATOR +}; + +static CONF_PARSER sasl_mech_static[] = { + { "mech", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_NOT_EMPTY, ldap_sasl, mech), NULL }, + { "proxy", FR_CONF_OFFSET(PW_TYPE_STRING, ldap_sasl, proxy), NULL }, + { "realm", FR_CONF_OFFSET(PW_TYPE_STRING, ldap_sasl, realm), NULL }, + CONF_PARSER_TERMINATOR +}; + +/* + * TLS Configuration + */ +static CONF_PARSER tls_config[] = { + /* + * Deprecated attributes + */ + { "cacertfile", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, rlm_ldap_t, tls_ca_file), NULL }, + { "ca_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_ca_file), NULL }, + + { "cacertdir", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, rlm_ldap_t, tls_ca_path), NULL }, + { "ca_path", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_ca_path), NULL }, + + { "certfile", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, rlm_ldap_t, tls_certificate_file), NULL }, + { "certificate_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_certificate_file), NULL }, + + { "keyfile", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, rlm_ldap_t, tls_private_key_file), NULL }, // OK if it changes on HUP + { "private_key_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_private_key_file), NULL }, // OK if it changes on HUP + + { "randfile", FR_CONF_OFFSET(PW_TYPE_FILE_EXISTS | PW_TYPE_DEPRECATED, rlm_ldap_t, tls_random_file), NULL }, + { "random_file", FR_CONF_OFFSET(PW_TYPE_FILE_EXISTS, rlm_ldap_t, tls_random_file), NULL }, + +#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN + { "tls_min_version", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, tls_min_version_str), NULL }, +#endif + + /* + * LDAP Specific TLS attributes + */ + { "start_tls", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, start_tls), "no" }, + { "require_cert", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, tls_require_cert_str), NULL }, + CONF_PARSER_TERMINATOR +}; + + +static CONF_PARSER profile_config[] = { + { "filter", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_ldap_t, profile_filter), "(&)" }, //!< Correct filter for when the DN is known. + { "attribute", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, profile_attr), NULL }, + { "default", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_ldap_t, default_profile), NULL }, + CONF_PARSER_TERMINATOR +}; + +/* + * User configuration + */ +static CONF_PARSER user_config[] = { + { "filter", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_ldap_t, userobj_filter), NULL }, + { "scope", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, userobj_scope_str), "sub" }, + { "base_dn", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_ldap_t, userobj_base_dn), "" }, + { "sort_by", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, userobj_sort_by), NULL }, + + { "access_attribute", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, userobj_access_attr), NULL }, + { "access_positive", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, access_positive), "yes" }, + + /* Should be deprecated */ + { "sasl", FR_CONF_OFFSET(PW_TYPE_SUBSECTION, rlm_ldap_t, user_sasl), (void const *) sasl_mech_dynamic }, + CONF_PARSER_TERMINATOR +}; + +/* + * Group configuration + */ +static CONF_PARSER group_config[] = { + { "filter", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, groupobj_filter), NULL }, + { "scope", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, groupobj_scope_str), "sub" }, + { "base_dn", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_ldap_t, groupobj_base_dn), "" }, + + { "name_attribute", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, groupobj_name_attr), "cn" }, + { "membership_attribute", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, userobj_membership_attr), NULL }, + { "membership_filter", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_ldap_t, groupobj_membership_filter), NULL }, + { "cacheable_name", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, cacheable_group_name), "no" }, + { "cacheable_dn", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, cacheable_group_dn), "no" }, + { "cache_attribute", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, cache_attribute), NULL }, + { "allow_dangling_group_ref", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, allow_dangling_group_refs), "no" }, + CONF_PARSER_TERMINATOR +}; + +static CONF_PARSER client_config[] = { + { "filter", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, clientobj_filter), NULL }, + { "scope", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, clientobj_scope_str), "sub" }, + { "base_dn", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, clientobj_base_dn), "" }, + CONF_PARSER_TERMINATOR +}; + +/* + * Reference for accounting updates + */ +static const CONF_PARSER acct_section_config[] = { + { "reference", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, ldap_acct_section_t, reference), "." }, + CONF_PARSER_TERMINATOR +}; + +/* + * Various options that don't belong in the main configuration. + * + * Note that these overlap a bit with the connection pool code! + */ +static CONF_PARSER option_config[] = { + /* + * Debugging flags to the server + */ + { "ldap_debug", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_ldap_t, ldap_debug), "0x0000" }, + + { "dereference", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, dereference_str), NULL }, + + { "chase_referrals", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, chase_referrals), NULL }, + + { "rebind", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, rebind), NULL }, + + { "sasl_secprops", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, sasl_secprops), NULL }, + +#ifdef LDAP_OPT_NETWORK_TIMEOUT + /* timeout on network activity */ + { "net_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_ldap_t, net_timeout), "10" }, +#endif + + /* timeout for search results */ + { "res_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_ldap_t, res_timeout), "20" }, + + /* allow server unlimited time for search (server-side limit) */ + { "srv_timelimit", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_ldap_t, srv_timelimit), "20" }, + +#ifdef LDAP_OPT_X_KEEPALIVE_IDLE + { "idle", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_ldap_t, keepalive_idle), "60" }, +#endif +#ifdef LDAP_OPT_X_KEEPALIVE_PROBES + { "probes", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_ldap_t, keepalive_probes), "3" }, +#endif +#ifdef LDAP_OPT_X_KEEPALIVE_INTERVAL + { "interval", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_ldap_t, keepalive_interval), "30" }, +#endif + CONF_PARSER_TERMINATOR +}; + + +static const CONF_PARSER module_config[] = { + { "server", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_MULTI, rlm_ldap_t, config_server), NULL }, /* Do not set to required */ + { "port", FR_CONF_OFFSET(PW_TYPE_SHORT, rlm_ldap_t, port), NULL }, + + { "identity", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, admin_identity), NULL }, + { "password", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, rlm_ldap_t, admin_password), NULL }, + + { "sasl", FR_CONF_OFFSET(PW_TYPE_SUBSECTION, rlm_ldap_t, admin_sasl), (void const *) sasl_mech_static }, + + { "valuepair_attribute", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, valuepair_attr), NULL }, + + { "user_dn", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, user_dn), NULL }, + +#ifdef WITH_EDIR + /* support for eDirectory Universal Password */ + { "edir", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, edir), NULL }, /* NULL defaults to "no" */ + + /* + * Attempt to bind with the cleartext password we got from eDirectory + * Universal password for additional authorization checks. + */ + { "edir_autz", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, edir_autz), NULL }, /* NULL defaults to "no" */ +#endif + + { "read_clients", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, do_clients), NULL }, /* NULL defaults to "no" */ + + { "user", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) user_config }, + + { "group", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) group_config }, + + { "client", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) client_config }, + + { "profile", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) profile_config }, + + { "options", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) option_config }, + + { "tls", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) tls_config }, + CONF_PARSER_TERMINATOR +}; + +static ssize_t ldapquote_xlat(UNUSED void *instance, REQUEST *request, char const *fmt, char *out, size_t freespace) +{ + return rlm_ldap_escape_func(request, out, freespace, fmt, NULL); +} + +/** Expand an LDAP URL into a query, and return a string result from that query. + * + */ +static ssize_t ldap_xlat(void *instance, REQUEST *request, char const *fmt, char *out, size_t freespace) +{ + ldap_rcode_t status; + size_t len = 0; + rlm_ldap_t *inst = instance; + + LDAPURLDesc *ldap_url; + LDAPMessage *result = NULL; + LDAPMessage *entry = NULL; + + struct berval **values; + + ldap_handle_t *conn; + int ldap_errno; + + char const *url; + char const **attrs; + + url = fmt; + + if (!ldap_is_ldap_url(url)) { + REDEBUG("String passed does not look like an LDAP URL"); + return -1; + } + + if (ldap_url_parse(url, &ldap_url)){ + REDEBUG("Parsing LDAP URL failed"); + return -1; + } + + /* + * Nothing, empty string, "*" string, or got 2 things, die. + */ + if (!ldap_url->lud_attrs || !ldap_url->lud_attrs[0] || + !*ldap_url->lud_attrs[0] || + (strcmp(ldap_url->lud_attrs[0], "*") == 0) || + ldap_url->lud_attrs[1]) { + REDEBUG("Bad attributes list in LDAP URL. URL must specify exactly one attribute to retrieve"); + + goto free_urldesc; + } + + conn = mod_conn_get(inst, request); + if (!conn) goto free_urldesc; + + memcpy(&attrs, &ldap_url->lud_attrs, sizeof(attrs)); + + status = rlm_ldap_search(&result, inst, request, &conn, ldap_url->lud_dn, ldap_url->lud_scope, + ldap_url->lud_filter, attrs, NULL, NULL); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + default: + goto free_socket; + } + + rad_assert(conn); + rad_assert(result); + + entry = ldap_first_entry(conn->handle, result); + if (!entry) { + ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); + len = -1; + goto free_result; + } + + values = ldap_get_values_len(conn->handle, entry, ldap_url->lud_attrs[0]); + if (!values) { + RDEBUG("No \"%s\" attributes found in specified object", ldap_url->lud_attrs[0]); + goto free_result; + } + + if (values[0]->bv_len >= freespace) goto free_values; + + memcpy(out, values[0]->bv_val, values[0]->bv_len + 1); /* +1 as strlcpy expects buffer size */ + len = values[0]->bv_len; + +free_values: + ldap_value_free_len(values); +free_result: + ldap_msgfree(result); +free_socket: + mod_conn_release(inst, conn); +free_urldesc: + ldap_free_urldesc(ldap_url); + + return len; +} + +/** Perform LDAP-Group comparison checking + * + * Attempts to match users to groups using a variety of methods. + * + * @param instance of the rlm_ldap module. + * @param request Current request. + * @param thing Unknown. + * @param check Which group to check for user membership. + * @param check_pairs Unknown. + * @param reply_pairs Unknown. + * @return + * - 1 on failure (or if the user is not a member). + * - 0 on success. + */ +static int rlm_ldap_groupcmp(void *instance, REQUEST *request, UNUSED VALUE_PAIR *thing, VALUE_PAIR *check, + UNUSED VALUE_PAIR *check_pairs, UNUSED VALUE_PAIR **reply_pairs) +{ + rlm_ldap_t *inst = instance; + rlm_rcode_t rcode; + + bool found = false; + bool check_is_dn; + + ldap_handle_t *conn = NULL; + char const *user_dn; + + rad_assert(inst->groupobj_base_dn); + + RDEBUG("Searching for user in group \"%s\"", check->vp_strvalue); + + if (check->vp_length == 0) { + REDEBUG("Cannot do comparison (group name is empty)"); + return 1; + } + + /* + * Check if we can do cached membership verification + */ + check_is_dn = rlm_ldap_is_dn(check->vp_strvalue, check->vp_length); + if (check_is_dn) { + char *norm; + + MEM(norm = talloc_memdup(check, check->vp_strvalue, talloc_array_length(check->vp_strvalue))); + rlm_ldap_normalise_dn(norm, check->vp_strvalue); + fr_pair_value_strsteal(check, norm); + } + if ((check_is_dn && inst->cacheable_group_dn) || (!check_is_dn && inst->cacheable_group_name)) { + switch (rlm_ldap_check_cached(inst, request, check)) { + case RLM_MODULE_NOTFOUND: + found = false; + goto finish; + + case RLM_MODULE_OK: + found = true; + goto finish; + /* + * Fallback to dynamic search on failure + */ + case RLM_MODULE_FAIL: + case RLM_MODULE_INVALID: + default: + break; + } + } + + conn = mod_conn_get(inst, request); + if (!conn) return 1; + + /* + * This is used in the default membership filter. + */ + user_dn = rlm_ldap_find_user(inst, request, &conn, NULL, false, NULL, &rcode); + if (!user_dn) { + mod_conn_release(inst, conn); + return 1; + } + + rad_assert(conn); + + /* + * Check groupobj user membership + */ + if (inst->groupobj_membership_filter) { + switch (rlm_ldap_check_groupobj_dynamic(inst, request, &conn, check)) { + case RLM_MODULE_NOTFOUND: + break; + + case RLM_MODULE_OK: + found = true; + + default: + goto finish; + } + } + + rad_assert(conn); + + /* + * Check userobj group membership + */ + if (inst->userobj_membership_attr) { + switch (rlm_ldap_check_userobj_dynamic(inst, request, &conn, user_dn, check)) { + case RLM_MODULE_NOTFOUND: + break; + + case RLM_MODULE_OK: + found = true; + + default: + goto finish; + } + } + + rad_assert(conn); + +finish: + if (conn) mod_conn_release(inst, conn); + + if (!found) { + RDEBUG("User is not a member of \"%s\"", check->vp_strvalue); + + return 1; + } + + return 0; +} + +/** Detach from the LDAP server and cleanup internal state. + * + */ +static int mod_detach(void *instance) +{ + rlm_ldap_t *inst = instance; + + fr_connection_pool_free(inst->pool); + + if (inst->user_map) { + talloc_free(inst->user_map); + } + + /* + * Keeping the dummy ld around for the lifetime + * of the module should always work, + * irrespective of what changes happen in libldap. + */ + if (inst->handle) { +#ifdef HAVE_LDAP_UNBIND_EXT_S + ldap_unbind_ext_s(inst->handle, NULL, NULL); +#else + ldap_unbind_s(inst->handle); +#endif + } + +#ifdef HAVE_LDAP_CREATE_SORT_CONTROL + if (inst->userobj_sort_ctrl) ldap_control_free(inst->userobj_sort_ctrl); +#endif + + return 0; +} + +/** Parse an accounting sub section. + * + * Allocate a new ldap_acct_section_t and write the config data into it. + * + * @param[in] inst rlm_ldap configuration. + * @param[in] parent of the config section. + * @param[out] config to write the sub section parameters to. + * @param[in] comp The section name were parsing the config for. + * @return + * - 0 on success. + * - < 0 on failure. + */ +static int parse_sub_section(rlm_ldap_t *inst, CONF_SECTION *parent, ldap_acct_section_t **config, + rlm_components_t comp) +{ + CONF_SECTION *cs; + + char const *name = section_type_value[comp].section; + + cs = cf_section_sub_find(parent, name); + if (!cs) { + DEBUG2("rlm_ldap (%s): Couldn't find configuration for %s, will return NOOP for calls " + "from this section", inst->name, name); + + return 0; + } + + *config = talloc_zero(inst, ldap_acct_section_t); + if (cf_section_parse(cs, *config, acct_section_config) < 0) { + LDAP_ERR("Failed parsing configuration for section %s", name); + + return -1; + } + + (*config)->cs = cs; + + return 0; +} + +/** Bootstrap the module + * + * Define attributes. + * + * @param conf to parse. + * @param instance configuration data. + * @return + * - 0 on success. + * - < 0 on failure. + */ +static int mod_bootstrap(CONF_SECTION *conf, void *instance) +{ + rlm_ldap_t *inst = instance; + + inst->name = cf_section_name2(conf); + if (!inst->name) { + inst->name = cf_section_name1(conf); + } + + /* + * Group comparison checks. + */ + if (cf_section_name2(conf)) { + char buffer[256]; + + snprintf(buffer, sizeof(buffer), "%s-LDAP-Group", inst->name); + + if (paircompare_register_byname(buffer, dict_attrbyvalue(PW_USER_NAME, 0), false, rlm_ldap_groupcmp, inst) < 0) { + LDAP_ERR("Error registering group comparison: %s", fr_strerror()); + goto error; + } + + inst->group_da = dict_attrbyname(buffer); + + /* + * We're the default instance + */ + } else { + if (paircompare_register_byname("LDAP-Group", dict_attrbyvalue(PW_USER_NAME, 0), + false, rlm_ldap_groupcmp, inst) < 0) { + LDAP_ERR("Error registering group comparison: %s", fr_strerror()); + goto error; + } + + inst->group_da = dict_attrbyname("LDAP-Group"); + } + + /* + * Setup the cache attribute + */ + if (inst->cache_attribute) { + ATTR_FLAGS flags; + + memset(&flags, 0, sizeof(flags)); + if (dict_addattr(inst->cache_attribute, -1, 0, PW_TYPE_STRING, flags) < 0) { + LDAP_ERR("Error creating cache attribute: %s", fr_strerror()); + error: + return -1; + + } + inst->cache_da = dict_attrbyname(inst->cache_attribute); + } else { + inst->cache_da = inst->group_da; /* Default to the group_da */ + } + + if (!inst->user_dn || !*inst->user_dn) { + inst->user_dn = talloc_strdup(inst, "LDAP-UserDn"); + } + + /* + * Check or create the LDAP-UserDn attribute. + */ + if (inst->user_dn) { + ATTR_FLAGS flags; + + memset(&flags, 0, sizeof(flags)); + if (dict_addattr(inst->user_dn, -1, 0, PW_TYPE_STRING, flags) < 0) { + LDAP_ERR("Error creating %s attribute: %s", inst->user_dn, fr_strerror()); + return -1; + } + inst->user_dn_da = dict_attrbyname(inst->user_dn); + } + + xlat_register(inst->name, ldap_xlat, rlm_ldap_escape_func, inst); + xlat_register("ldapquote", ldapquote_xlat, NULL, inst); + + return 0; +} + + +/** Instantiate the module + * + * Creates a new instance of the module reading parameters from a configuration section. + * + * @param conf to parse. + * @param instance configuration data. + * @return + * - 0 on success. + * - < 0 on failure. + */ +static int mod_instantiate(CONF_SECTION *conf, void *instance) +{ + static bool version_done; + + CONF_PAIR *cp; + CONF_ITEM *ci; + + CONF_SECTION *options, *update; + rlm_ldap_t *inst = instance; + + inst->cs = conf; + + options = cf_section_sub_find(conf, "options"); + if (!options || !cf_pair_find(options, "chase_referrals")) { + inst->chase_referrals_unset = true; /* use OpenLDAP defaults */ + } + + /* + * Only needs to be done once, prevents races in environment + * initialisation within libldap. + * + * See: https://github.com/arr2036/ldapperf/issues/2 + */ +#ifdef HAVE_LDAP_INITIALIZE + ldap_initialize(&inst->handle, ""); +#else + inst->handle = ldap_init("", 0); +#endif + + /* + * Get version info from the LDAP API. + */ + if (!version_done) { + static LDAPAPIInfo info = { .ldapai_info_version = LDAP_API_INFO_VERSION }; /* static to quiet valgrind about this being uninitialised */ + int ldap_errno; + + version_done = true; + + ldap_errno = ldap_get_option(NULL, LDAP_OPT_API_INFO, &info); + if (ldap_errno == LDAP_OPT_SUCCESS) { + int i; + + /* + * Don't generate warnings if the compile type vendor name + * is found within the link time vendor name. + * + * This allows the server to be built against OpenLDAP but + * run with Symas OpenLDAP. + */ + if (strcasestr(info.ldapai_vendor_name, LDAP_VENDOR_NAME) == NULL) { + WARN("rlm_ldap: libldap vendor changed since the server was built"); + WARN("rlm_ldap: linked: %s, built: %s", info.ldapai_vendor_name, LDAP_VENDOR_NAME); + } + + if (info.ldapai_vendor_version < LDAP_VENDOR_VERSION) { + WARN("rlm_ldap: libldap older than the version the server was built against"); + WARN("rlm_ldap: linked: %i, built: %i", + info.ldapai_vendor_version, LDAP_VENDOR_VERSION); + } + + INFO("rlm_ldap: libldap vendor: %s, version: %i", info.ldapai_vendor_name, + info.ldapai_vendor_version); + + if (info.ldapai_extensions != NULL ) { + for ( i = 0; info.ldapai_extensions[i] != NULL; i++) { + ldap_memfree(info.ldapai_extensions[i]); + } + ldap_memfree(info.ldapai_extensions); + } + ldap_memfree(info.ldapai_vendor_name); + } else { + DEBUG("rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO " + "returned: %i", ldap_errno); + INFO("rlm_ldap: libldap vendor: %s, version: %i.%i.%i", LDAP_VENDOR_NAME, + LDAP_VENDOR_VERSION_MAJOR, LDAP_VENDOR_VERSION_MINOR, LDAP_VENDOR_VERSION_PATCH); + } + } + + /* + * If the configuration parameters can't be parsed, then fail. + */ + if ((parse_sub_section(inst, conf, &inst->accounting, MOD_ACCOUNTING) < 0) || + (parse_sub_section(inst, conf, &inst->postauth, MOD_POST_AUTH) < 0)) { + cf_log_err_cs(conf, "Failed parsing configuration"); + + goto error; + } + + /* + * Sanity checks for cacheable groups code. + */ + if (inst->cacheable_group_name && inst->groupobj_membership_filter) { + if (!inst->groupobj_name_attr) { + cf_log_err_cs(conf, "Configuration item 'group.name_attribute' must be set if cacheable " + "group names are enabled"); + + goto error; + } + } + + /* + * If we have a *pair* as opposed to a *section* + * then the module is referencing another ldap module's + * connection pool. + */ + if (!cf_pair_find(conf, "pool")) { + if (!inst->config_server) { + cf_log_err_cs(conf, "Configuration item 'server' must have a value"); + goto error; + } + } + +#ifndef WITH_SASL + if (inst->user_sasl.mech) { + cf_log_err_cs(conf, "Configuration item 'user.sasl.mech' not supported. " + "Linked libldap does not provide ldap_sasl_bind function"); + goto error; + } + + if (inst->admin_sasl.mech) { + cf_log_err_cs(conf, "Configuration item 'sasl.mech' not supported. " + "Linked libldap does not provide ldap_sasl_interactive_bind function"); + goto error; + } +#endif + +#ifndef HAVE_LDAP_CREATE_SORT_CONTROL + if (inst->userobj_sort_by) { + cf_log_err_cs(conf, "Configuration item 'sort_by' not supported. " + "Linked libldap does not provide ldap_create_sort_control function"); + goto error; + } +#endif + + /* + * For backwards compatibility hack up the first 'server' + * CONF_ITEM into chunks, and add them back into the config. + * + * @fixme this should be removed at some point. + */ + if (inst->config_server) { + char const *value; + char const *p; + char const *q; + char *buff; + + bool done = false; + bool first = true; + + cp = cf_pair_find(conf, "server"); + if (!cp) { + cf_log_err_cs(conf, "Configuration item 'server' must have a value"); + return -1; + } + + value = cf_pair_value(cp); + + p = value; + q = p; + while (!done) { + switch (*q) { + case '\0': + done = true; + if (p == value) break; /* string contained no separators */ + + /* FALL-THROUGH */ + + case ',': + case ';': + case ' ': + while (isspace((int) *p)) p++; + if (p == q) continue; + + buff = talloc_array(inst, char, (q - p) + 1); + strlcpy(buff, p, talloc_array_length(buff)); + p = ++q; + + if (first) { + WARN("Listing multiple LDAP servers in the 'server' configuration item " + "is deprecated and will be removed in a future release. " + "Use multiple 'server' configuration items instead"); + WARN("- server = '%s'", value); + } + WARN("+ server = '%s'", buff); + + /* + * For the first instance of server we find, just replace + * the existing "server" config item. + */ + if (first) { + cf_pair_replace(conf, cp, buff); + first = false; + continue; + } + + /* + * For subsequent instances we need to add new conf pairs. + */ + cp = cf_pair_alloc(conf, "server", buff, T_OP_EQ, T_BARE_WORD, T_SINGLE_QUOTED_STRING); + if (!cp) return -1; + + ci = cf_pair_to_item(cp); + cf_item_add(conf, ci); + + break; + + default: + q++; + continue; + } + } + } + + /* + * Now iterate over all the 'server' config items + */ + if (!inst->server) inst->server = talloc_strdup(inst, ""); + for (cp = cf_pair_find(conf, "server"); + cp; + cp = cf_pair_find_next(conf, cp, "server")) { + char const *value; + + value = cf_pair_value(cp); + +#ifdef LDAP_CAN_PARSE_URLS + /* + * Split original server value out into URI, server and port + * so whatever initialization function we use later will have + * the server information in the format it needs. + */ + if (ldap_is_ldap_url(value)) { + LDAPURLDesc *ldap_url; + bool set_port_maybe = true; + int default_port = LDAP_PORT; + char *p; + + if (ldap_url_parse(value, &ldap_url)){ + cf_log_err_cs(conf, "Parsing LDAP URL \"%s\" failed", value); + ldap_url_error: + ldap_free_urldesc(ldap_url); + return -1; + } + + if (ldap_url->lud_dn && (ldap_url->lud_dn[0] != '\0')) { + cf_log_err_cs(conf, "Base DN cannot be specified via server URL"); + goto ldap_url_error; + } + + if (ldap_url->lud_attrs && ldap_url->lud_attrs[0]) { + cf_log_err_cs(conf, "Attribute list cannot be specified via server URL"); + goto ldap_url_error; + } + + /* + * ldap_url_parse sets this to base by default. + */ + if (ldap_url->lud_scope != LDAP_SCOPE_BASE) { + cf_log_err_cs(conf, "Scope cannot be specified via server URL"); + goto ldap_url_error; + } + ldap_url->lud_scope = -1; /* Otherwise LDAP adds ?base */ + + /* + * The public ldap_url_parse function sets the default + * port, so we have to discover whether a port was + * included ourselves. + */ + if ((p = strchr(value, ']')) && (p[1] == ':')) { /* IPv6 */ + set_port_maybe = false; + } else if ((p = strchr(value, ':')) && (strchr(p + 1, ':') != NULL)) { /* IPv4 */ + set_port_maybe = false; + } + + /* We allow extensions */ + +# ifdef HAVE_LDAP_INITIALIZE + { + char *url; + + /* + * Figure out the default port from the URL + */ + if (ldap_url->lud_scheme) { + if (strcmp(ldap_url->lud_scheme, "ldaps") == 0) { + if (inst->start_tls == true) { + cf_log_err_cs(conf, "ldaps:// scheme is not compatible " + "with 'start_tls'"); + goto ldap_url_error; + } + default_port = LDAPS_PORT; + + } else if (strcmp(ldap_url->lud_scheme, "ldapi") == 0) { + set_port_maybe = false; /* Unix socket, no port */ + } + } + + if (set_port_maybe) { + /* + * URL port overrides configured port. + */ + ldap_url->lud_port = inst->port; + + /* + * If there's no URL port, then set it to the default + * this is so debugging messages show explicitly + * the port we're connecting to. + */ + if (!ldap_url->lud_port) ldap_url->lud_port = default_port; + } + + url = ldap_url_desc2str(ldap_url); + if (!url) { + cf_log_err_cs(conf, "Failed recombining URL components"); + goto ldap_url_error; + } + inst->server = talloc_asprintf_append(inst->server, "%s ", url); + free(url); + } +# else + /* + * No LDAP initialize function. Can't specify a scheme. + */ + if (ldap_url->lud_scheme && + ((strcmp(ldap_url->lud_scheme, "ldaps") == 0) || + (strcmp(ldap_url->lud_scheme, "ldapi") == 0) || + (strcmp(ldap_url->lud_scheme, "cldap") == 0))) { + cf_log_err_cs(conf, "%s is not supported by linked libldap", + ldap_url->lud_scheme); + return -1; + } + + /* + * URL port over-rides the configured + * port. But if there's no configured + * port, we use the hard-coded default. + */ + if (set_port_maybe) { + ldap_url->lud_port = inst->port; + if (!ldap_url->lud_port) ldap_url->lud_port = default_port; + } + + inst->server = talloc_asprintf_append(inst->server, "%s:%i ", + ldap_url->lud_host ? ldap_url->lud_host : "localhost", + ldap_url->lud_port); +# endif + /* + * @todo We could set a few other top level + * directives using the URL, like base_dn + * and scope. + */ + ldap_free_urldesc(ldap_url); + /* + * We need to construct an LDAP URI + */ + } else +#endif /* HAVE_LDAP_URL_PARSE && HAVE_LDAP_IS_LDAP_URL && LDAP_URL_DESC2STR */ + /* + * If it's not an URL, or we don't have the functions necessary + * to break apart the URL and recombine it, then just treat + * server as a hostname. + */ + { +#ifdef HAVE_LDAP_INITIALIZE + char const *p; + char *q; + int port = 0; + size_t len; + + port = inst->port; + + /* + * We don't support URLs if the library didn't provide + * URL parsing functions. + */ + if (strchr(value, '/')) { + bad_server_fmt: +#ifdef LDAP_CAN_PARSE_URLS + cf_log_err_cp(cp, "Invalid server value, must be in format <server>[:<port>] or " + "an ldap URI (ldap|cldap|ldaps|ldapi)://<server>:<port>"); +#else + cf_log_err_cp(cp, "Invalid server value, must be in format <server>[:<port>]"); +#endif + return -1; + } + + p = strrchr(value, ':'); + if (p) { + port = (int)strtol((p + 1), &q, 10); + if ((p == value) || ((p + 1) == q) || (*q != '\0')) goto bad_server_fmt; + len = p - value; + } else { + len = strlen(value); + } + if (port == 0) port = LDAP_PORT; + + inst->server = talloc_asprintf_append(inst->server, "ldap://%.*s:%i ", (int) len, value, port); +#else + /* + * ldap_init takes port, which can be overridden by :port so + * we don't need to do any parsing here. + */ + inst->server = talloc_asprintf_append(inst->server, "%s ", value); +#endif + } + } + if (inst->server) inst->server[talloc_array_length(inst->server) - 2] = '\0'; + + DEBUG4("LDAP server string: %s", inst->server); + +#ifdef LDAP_OPT_X_TLS_NEVER + /* + * Workaround for servers which support LDAPS but not START TLS + */ + if (inst->port == LDAPS_PORT || inst->tls_mode) { + inst->tls_mode = LDAP_OPT_X_TLS_HARD; + } else { + inst->tls_mode = 0; + } +#endif + + /* + * Convert dereference strings to enumerated constants + */ + if (inst->dereference_str) { + inst->dereference = fr_str2int(ldap_dereference, inst->dereference_str, -1); + if (inst->dereference < 0) { + cf_log_err_cs(conf, "Invalid 'dereference' value \"%s\", expected 'never', 'searching', " + "'finding' or 'always'", inst->dereference_str); + goto error; + } + } + +#if LDAP_SET_REBIND_PROC_ARGS != 3 + /* + * The 2-argument rebind doesn't take an instance variable. Our rebind function needs the instance + * variable for the username, password, etc. + */ + if (inst->rebind == true) { + cf_log_err_cs(conf, "Cannot use 'rebind' configuration item as this version of libldap " + "does not support the API that we need"); + + goto error; + } +#endif + + /* + * Convert scope strings to enumerated constants + */ + inst->userobj_scope = fr_str2int(ldap_scope, inst->userobj_scope_str, -1); + if (inst->userobj_scope < 0) { + cf_log_err_cs(conf, "Invalid 'user.scope' value \"%s\", expected 'sub', 'one'" +#ifdef LDAP_SCOPE_CHILDREN + ", 'base' or 'children'" +#else + " or 'base'" +#endif + , inst->userobj_scope_str); + goto error; + } + + inst->groupobj_scope = fr_str2int(ldap_scope, inst->groupobj_scope_str, -1); + if (inst->groupobj_scope < 0) { + cf_log_err_cs(conf, "Invalid 'group.scope' value \"%s\", expected 'sub', 'one'" +#ifdef LDAP_SCOPE_CHILDREN + ", 'base' or 'children'" +#else + " or 'base'" +#endif + , inst->groupobj_scope_str); + goto error; + } + + inst->clientobj_scope = fr_str2int(ldap_scope, inst->clientobj_scope_str, -1); + if (inst->clientobj_scope < 0) { + cf_log_err_cs(conf, "Invalid 'client.scope' value \"%s\", expected 'sub', 'one'" +#ifdef LDAP_SCOPE_CHILDREN + ", 'base' or 'children'" +#else + " or 'base'" +#endif + , inst->clientobj_scope_str); + goto error; + } + +#ifdef HAVE_LDAP_CREATE_SORT_CONTROL + /* + * Build the server side sort control for user objects + */ + if (inst->userobj_sort_by) { + LDAPSortKey **keys; + int ret; + char *p; + + memcpy(&p, &inst->userobj_sort_by, sizeof(p)); + + ret = ldap_create_sort_keylist(&keys, p); + if (ret != LDAP_SUCCESS) { + cf_log_err_cs(conf, "Invalid user.sort_by value \"%s\": %s", + inst->userobj_sort_by, ldap_err2string(ret)); + goto error; + } + + /* + * Always set the control as critical, if it's not needed + * the user can comment it out... + */ + ret = ldap_create_sort_control(inst->handle, keys, 1, &inst->userobj_sort_ctrl); + ldap_free_sort_keylist(keys); + if (ret != LDAP_SUCCESS) { + LDAP_ERR("Failed creating server sort control: %s", ldap_err2string(ret)); + goto error; + } + } +#endif + + if (inst->tls_require_cert_str) { +#ifdef LDAP_OPT_X_TLS_NEVER + /* + * Convert cert strictness to enumerated constants + */ + inst->tls_require_cert = fr_str2int(ldap_tls_require_cert, inst->tls_require_cert_str, -1); + if (inst->tls_require_cert < 0) { + cf_log_err_cs(conf, "Invalid 'tls.require_cert' value \"%s\", expected 'never', " + "'demand', 'allow', 'try' or 'hard'", inst->tls_require_cert_str); + goto error; + } +#else + cf_log_err_cs(conf, "Modifying 'tls.require_cert' is not supported by current " + "version of libldap. Please upgrade or substitute current libldap and " + "rebuild this module"); + + goto error; +#endif + } + + if (inst->tls_min_version_str) { +#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN + if (strcmp(inst->tls_min_version_str, "1.2") == 0) { + inst->tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2; + + } else if (strcmp(inst->tls_min_version_str, "1.1") == 0) { + inst->tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_1; + + } else if (strcmp(inst->tls_min_version_str, "1.0") == 0) { + inst->tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0; + + } else { + cf_log_err_cs(conf, "Invalid 'tls.tls_min_version' value \"%s\"", inst->tls_min_version_str); + goto error; + } +#else + cf_log_err_cs(conf, "This version of libldap does not support tls.tls_min_version." + " Please upgrade or substitute current libldap and " + "rebuild this module"); + goto error; + +#endif + } + + /* + * Build the attribute map + */ + update = cf_section_sub_find(inst->cs, "update"); + if (update && (map_afrom_cs(&inst->user_map, update, + PAIR_LIST_REPLY, PAIR_LIST_REQUEST, rlm_ldap_map_verify, inst, + LDAP_MAX_ATTRMAP) < 0)) { + return -1; + } + + /* + * Set global options + */ + if (rlm_ldap_global_init(inst) < 0) goto error; + + /* + * Initialize the socket pool. + */ + inst->pool = fr_connection_pool_module_init(inst->cs, inst, mod_conn_create, NULL, NULL); + if (!inst->pool) goto error; + + /* + * Bulk load dynamic clients. + */ + if (inst->do_clients) { + CONF_SECTION *cs, *map, *tmpl; + + cs = cf_section_sub_find(inst->cs, "client"); + if (!cs) { + cf_log_err_cs(conf, "Told to load clients but no client section found"); + goto error; + } + + map = cf_section_sub_find(cs, "attribute"); + if (!map) { + cf_log_err_cs(cs, "Told to load clients but no attribute section found"); + goto error; + } + + tmpl = cf_section_sub_find(cs, "template"); + + if (rlm_ldap_client_load(inst, tmpl, map) < 0) { + cf_log_err_cs(cs, "Error loading clients"); + + return -1; + } + } + + return 0; + +error: + return -1; +} + +static rlm_rcode_t mod_authenticate(void *instance, REQUEST *request) CC_HINT(nonnull); +static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request) +{ + rlm_rcode_t rcode; + ldap_rcode_t status; + char const *dn; + rlm_ldap_t *inst = instance; + ldap_handle_t *conn; + + char sasl_mech_buff[LDAP_MAX_DN_STR_LEN]; + char sasl_proxy_buff[LDAP_MAX_DN_STR_LEN]; + char sasl_realm_buff[LDAP_MAX_DN_STR_LEN]; + ldap_sasl sasl; + + /* + * Ensure that we're being passed a plain-text password, and not + * anything else. + */ + + if (!request->username) { + REDEBUG("Attribute \"User-Name\" is required for authentication"); + + return RLM_MODULE_INVALID; + } + + if (!request->password || + (request->password->da->attr != PW_USER_PASSWORD)) { + RWDEBUG("You have set \"Auth-Type := LDAP\" somewhere"); + RWDEBUG("*********************************************"); + RWDEBUG("* THAT CONFIGURATION IS WRONG. DELETE IT. "); + RWDEBUG("* YOU ARE PREVENTING THE SERVER FROM WORKING"); + RWDEBUG("*********************************************"); + + REDEBUG("Attribute \"User-Password\" is required for authentication"); + + return RLM_MODULE_INVALID; + } + + if (request->password->vp_length == 0) { + REDEBUG("Empty password supplied"); + + return RLM_MODULE_INVALID; + } + + conn = mod_conn_get(inst, request); + if (!conn) return RLM_MODULE_FAIL; + + /* + * Expand dynamic SASL fields + */ + if (conn->inst->user_sasl.mech) { + memset(&sasl, 0, sizeof(sasl)); + + if (tmpl_expand(&sasl.mech, sasl_mech_buff, sizeof(sasl_mech_buff), request, + conn->inst->user_sasl.mech, rlm_ldap_escape_func, inst) < 0) { + REDEBUG("Failed expanding user.sasl.mech: %s", fr_strerror()); + rcode = RLM_MODULE_FAIL; + goto finish; + } + + if (conn->inst->user_sasl.proxy) { + if (tmpl_expand(&sasl.proxy, sasl_proxy_buff, sizeof(sasl_proxy_buff), request, + conn->inst->user_sasl.proxy, rlm_ldap_escape_func, inst) < 0) { + REDEBUG("Failed expanding user.sasl.proxy: %s", fr_strerror()); + rcode = RLM_MODULE_FAIL; + goto finish; + } + } + + if (conn->inst->user_sasl.realm) { + if (tmpl_expand(&sasl.realm, sasl_realm_buff, sizeof(sasl_realm_buff), request, + conn->inst->user_sasl.realm, rlm_ldap_escape_func, inst) < 0) { + REDEBUG("Failed expanding user.sasl.realm: %s", fr_strerror()); + rcode = RLM_MODULE_FAIL; + goto finish; + } + } + } + + RDEBUG("Login attempt by \"%s\"", request->username->vp_strvalue); + + /* + * Get the DN by doing a search. + */ + dn = rlm_ldap_find_user(inst, request, &conn, NULL, false, NULL, &rcode); + if (!dn) { + mod_conn_release(inst, conn); + + return rcode; + } + conn->rebound = true; + status = rlm_ldap_bind(inst, request, &conn, dn, request->password->vp_strvalue, + conn->inst->user_sasl.mech ? &sasl : NULL, true); + switch (status) { + case LDAP_PROC_SUCCESS: + rcode = RLM_MODULE_OK; + RDEBUG("Bind as user \"%s\" was successful", dn); + break; + + case LDAP_PROC_NOT_PERMITTED: + rcode = RLM_MODULE_USERLOCK; + break; + + case LDAP_PROC_REJECT: + rcode = RLM_MODULE_REJECT; + break; + + case LDAP_PROC_BAD_DN: + rcode = RLM_MODULE_INVALID; + break; + + case LDAP_PROC_NO_RESULT: + rcode = RLM_MODULE_NOTFOUND; + break; + + default: + rcode = RLM_MODULE_FAIL; + break; + }; + +finish: + mod_conn_release(inst, conn); + + return rcode; +} + +/** Search for and apply an LDAP profile + * + * LDAP profiles are mapped using the same attribute map as user objects, they're used to add common sets of attributes + * to the request. + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request. + * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. + * @param[in] dn of profile object to apply. + * @param[in] expanded Structure containing a list of xlat expanded attribute names and mapping information. + * @return One of the RLM_MODULE_* values. + */ +static rlm_rcode_t rlm_ldap_map_profile(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, + char const *dn, rlm_ldap_map_exp_t const *expanded) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + ldap_rcode_t status; + LDAPMessage *result = NULL, *entry = NULL; + int ldap_errno; + LDAP *handle = (*pconn)->handle; + char const *filter; + char filter_buff[LDAP_MAX_FILTER_STR_LEN]; + + rad_assert(inst->profile_filter); /* We always have a default filter set */ + + if (!dn || !*dn) return RLM_MODULE_OK; + + if (tmpl_expand(&filter, filter_buff, sizeof(filter_buff), request, + inst->profile_filter, rlm_ldap_escape_func, NULL) < 0) { + REDEBUG("Failed creating profile filter"); + + return RLM_MODULE_INVALID; + } + + status = rlm_ldap_search(&result, inst, request, pconn, dn, + LDAP_SCOPE_BASE, filter, expanded->attrs, NULL, NULL); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_BAD_DN: + case LDAP_PROC_NO_RESULT: + RDEBUG("Profile object \"%s\" not found", dn); + return RLM_MODULE_NOTFOUND; + + default: + return RLM_MODULE_FAIL; + } + + rad_assert(*pconn); + rad_assert(result); + + entry = ldap_first_entry(handle, result); + if (!entry) { + ldap_get_option(handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); + + rcode = RLM_MODULE_NOTFOUND; + + goto free_result; + } + + RDEBUG("Processing profile attributes"); + if (rlm_ldap_map_do(inst, request, handle, expanded, entry) > 0) rcode = RLM_MODULE_UPDATED; + +free_result: + ldap_msgfree(result); + + return rcode; +} + +static rlm_rcode_t mod_authorize(void *instance, REQUEST *request) CC_HINT(nonnull); +static rlm_rcode_t mod_authorize(void *instance, REQUEST *request) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + ldap_rcode_t status; + int ldap_errno; + int i; + rlm_ldap_t *inst = instance; + struct berval **values; + VALUE_PAIR *vp; + ldap_handle_t *conn; + LDAPMessage *result, *entry; + char const *dn = NULL; + rlm_ldap_map_exp_t expanded; /* faster than mallocing every time */ + + /* + * Don't be tempted to add a check for request->username + * or request->password here. rlm_ldap.authorize can be used for + * many things besides searching for users. + */ + + if (rlm_ldap_map_expand(&expanded, request, inst->user_map) < 0) return RLM_MODULE_FAIL; + + conn = mod_conn_get(inst, request); + if (!conn) return RLM_MODULE_FAIL; + + /* + * Add any additional attributes we need for checking access, memberships, and profiles + */ + if (inst->userobj_access_attr) { + expanded.attrs[expanded.count++] = inst->userobj_access_attr; + } + + if (inst->userobj_membership_attr && (inst->cacheable_group_dn || inst->cacheable_group_name)) { + expanded.attrs[expanded.count++] = inst->userobj_membership_attr; + } + + if (inst->profile_attr) { + expanded.attrs[expanded.count++] = inst->profile_attr; + } + + if (inst->valuepair_attr) { + expanded.attrs[expanded.count++] = inst->valuepair_attr; + } + + expanded.attrs[expanded.count] = NULL; + + dn = rlm_ldap_find_user(inst, request, &conn, expanded.attrs, true, &result, &rcode); + if (!dn) { + goto finish; + } + + entry = ldap_first_entry(conn->handle, result); + if (!entry) { + ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); + REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); + + goto finish; + } + + /* + * Check for access. + */ + if (inst->userobj_access_attr) { + rcode = rlm_ldap_check_access(inst, request, conn, entry); + if (rcode != RLM_MODULE_OK) { + goto finish; + } + } + + /* + * Check if we need to cache group memberships + */ + if (inst->cacheable_group_dn || inst->cacheable_group_name) { + if (inst->userobj_membership_attr) { + rcode = rlm_ldap_cacheable_userobj(inst, request, &conn, entry, inst->userobj_membership_attr); + if (rcode != RLM_MODULE_OK) { + goto finish; + } + } + + rcode = rlm_ldap_cacheable_groupobj(inst, request, &conn); + if (rcode != RLM_MODULE_OK) { + goto finish; + } + } + +#ifdef WITH_EDIR + /* + * We already have a Cleartext-Password. Skip edir. + */ + if (fr_pair_find_by_num(request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) { + goto skip_edir; + } + + /* + * Retrieve Universal Password if we use eDirectory + */ + if (inst->edir) { + int res = 0; + char password[256]; + size_t pass_size = sizeof(password); + + /* + * Retrive universal password + */ + res = nmasldap_get_password(conn->handle, dn, password, &pass_size); + if (res != 0) { + REDEBUG("Failed to retrieve eDirectory password: (%i) %s", res, edir_errstr(res)); + rcode = RLM_MODULE_FAIL; + + goto finish; + } + + /* + * Add Cleartext-Password attribute to the request + */ + vp = radius_pair_create(request, &request->config, PW_CLEARTEXT_PASSWORD, 0); + fr_pair_value_strcpy(vp, password); + vp->vp_length = pass_size; + + if (RDEBUG_ENABLED3) { + RDEBUG3("Added eDirectory password. control:%s += '%s'", vp->da->name, vp->vp_strvalue); + } else { + RDEBUG2("Added eDirectory password"); + } + + if (inst->edir_autz) { + RDEBUG2("Binding as user for eDirectory authorization checks"); + /* + * Bind as the user + */ + conn->rebound = true; + status = rlm_ldap_bind(inst, request, &conn, dn, vp->vp_strvalue, NULL, true); + switch (status) { + case LDAP_PROC_SUCCESS: + rcode = RLM_MODULE_OK; + RDEBUG("Bind as user '%s' was successful", dn); + break; + + case LDAP_PROC_NOT_PERMITTED: + rcode = RLM_MODULE_USERLOCK; + goto finish; + + case LDAP_PROC_REJECT: + rcode = RLM_MODULE_REJECT; + goto finish; + + case LDAP_PROC_BAD_DN: + rcode = RLM_MODULE_INVALID; + goto finish; + + case LDAP_PROC_NO_RESULT: + rcode = RLM_MODULE_NOTFOUND; + goto finish; + + default: + rcode = RLM_MODULE_FAIL; + goto finish; + }; + } + } + +skip_edir: +#endif + + /* + * Apply ONE user profile, or a default user profile. + */ + if (inst->default_profile) { + char const *profile; + char profile_buff[1024]; + + if (tmpl_expand(&profile, profile_buff, sizeof(profile_buff), + request, inst->default_profile, NULL, NULL) < 0) { + REDEBUG("Failed creating default profile string"); + + rcode = RLM_MODULE_INVALID; + goto finish; + } + + switch (rlm_ldap_map_profile(inst, request, &conn, profile, &expanded)) { + case RLM_MODULE_INVALID: + rcode = RLM_MODULE_INVALID; + goto finish; + + case RLM_MODULE_FAIL: + rcode = RLM_MODULE_FAIL; + goto finish; + + case RLM_MODULE_UPDATED: + rcode = RLM_MODULE_UPDATED; + /* FALL-THROUGH */ + default: + break; + } + } + + /* + * Apply a SET of user profiles. + */ + if (inst->profile_attr) { + values = ldap_get_values_len(conn->handle, entry, inst->profile_attr); + if (values != NULL) { + for (i = 0; values[i] != NULL; i++) { + rlm_rcode_t ret; + char *value; + + value = rlm_ldap_berval_to_string(request, values[i]); + ret = rlm_ldap_map_profile(inst, request, &conn, value, &expanded); + talloc_free(value); + if (ret == RLM_MODULE_FAIL) { + ldap_value_free_len(values); + rcode = ret; + goto finish; + } + + } + ldap_value_free_len(values); + } + } + + if (inst->user_map || inst->valuepair_attr) { + RDEBUG("Processing user attributes"); + if (rlm_ldap_map_do(inst, request, conn->handle, &expanded, entry) > 0) rcode = RLM_MODULE_UPDATED; + rlm_ldap_check_reply(inst, request); + } + +finish: + talloc_free(expanded.ctx); + if (result) ldap_msgfree(result); + mod_conn_release(inst, conn); + + return rcode; +} + +/** Modify user's object in LDAP + * + * Process a modifcation map to update a user object in the LDAP directory. + * + * @param inst rlm_ldap instance. + * @param request Current request. + * @param section that holds the map to process. + * @return one of the RLM_MODULE_* values. + */ +static rlm_rcode_t user_modify(rlm_ldap_t *inst, REQUEST *request, ldap_acct_section_t *section) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + ldap_rcode_t status; + + ldap_handle_t *conn = NULL; + + LDAPMod *mod_p[LDAP_MAX_ATTRMAP + 1], mod_s[LDAP_MAX_ATTRMAP]; + LDAPMod **modify = mod_p; + + char *passed[LDAP_MAX_ATTRMAP * 2]; + int i, total = 0, last_pass = 0; + + char *expanded[LDAP_MAX_ATTRMAP]; + int last_exp = 0; + + char const *attr; + char const *value; + + char const *dn; + /* + * Build our set of modifications using the update sections in + * the config. + */ + CONF_ITEM *ci; + CONF_PAIR *cp; + CONF_SECTION *cs; + FR_TOKEN op; + char path[MAX_STRING_LEN]; + + char *p = path; + + rad_assert(section); + + /* + * Locate the update section were going to be using + */ + if (section->reference[0] != '.') { + *p++ = '.'; + } + + if (radius_xlat(p, (sizeof(path) - (p - path)) - 1, request, section->reference, NULL, NULL) < 0) { + goto error; + } + + ci = cf_reference_item(NULL, section->cs, path); + if (!ci) { + goto error; + } + + if (!cf_item_is_section(ci)){ + REDEBUG("Reference must resolve to a section"); + + goto error; + } + + cs = cf_section_sub_find(cf_item_to_section(ci), "update"); + if (!cs) { + REDEBUG("Section must contain 'update' subsection"); + + goto error; + } + + /* + * Iterate over all the pairs, building our mods array + */ + for (ci = cf_item_find_next(cs, NULL); ci != NULL; ci = cf_item_find_next(cs, ci)) { + bool do_xlat = false; + + if (total == LDAP_MAX_ATTRMAP) { + REDEBUG("Modify map size exceeded"); + + goto error; + } + + if (!cf_item_is_pair(ci)) { + REDEBUG("Entry is not in \"ldap-attribute = value\" format"); + + goto error; + } + + /* + * Retrieve all the information we need about the pair + */ + cp = cf_item_to_pair(ci); + value = cf_pair_value(cp); + attr = cf_pair_attr(cp); + op = cf_pair_operator(cp); + + if (!value || (*value == '\0')) { + RDEBUG("Empty value string, skipping attribute \"%s\"", attr); + + continue; + } + + switch (cf_pair_value_type(cp)) { + case T_BARE_WORD: + case T_SINGLE_QUOTED_STRING: + break; + + case T_BACK_QUOTED_STRING: + case T_DOUBLE_QUOTED_STRING: + do_xlat = true; + break; + + default: + rad_assert(0); + goto error; + } + + if (op == T_OP_CMP_FALSE) { + passed[last_pass] = NULL; + } else if (do_xlat) { + char *exp = NULL; + + if (radius_axlat(&exp, request, value, NULL, NULL) <= 0) { + RDEBUG("Skipping attribute \"%s\"", attr); + + talloc_free(exp); + + continue; + } + + expanded[last_exp++] = exp; + passed[last_pass] = exp; + /* + * Static strings + */ + } else { + memcpy(&(passed[last_pass]), &value, sizeof(passed[last_pass])); + } + + passed[last_pass + 1] = NULL; + + mod_s[total].mod_values = &(passed[last_pass]); + + last_pass += 2; + + switch (op) { + /* + * T_OP_EQ is *NOT* supported, it is impossible to + * support because of the lack of transactions in LDAP + */ + case T_OP_ADD: + mod_s[total].mod_op = LDAP_MOD_ADD; + break; + + case T_OP_SET: + mod_s[total].mod_op = LDAP_MOD_REPLACE; + break; + + case T_OP_SUB: + case T_OP_CMP_FALSE: + mod_s[total].mod_op = LDAP_MOD_DELETE; + break; + +#ifdef LDAP_MOD_INCREMENT + case T_OP_INCRM: + mod_s[total].mod_op = LDAP_MOD_INCREMENT; + break; +#endif + default: + REDEBUG("Operator '%s' is not supported for LDAP modify operations", + fr_int2str(fr_tokens, op, "<INVALID>")); + + goto error; + } + + /* + * Now we know the value is ok, copy the pointers into + * the ldapmod struct. + */ + memcpy(&(mod_s[total].mod_type), &attr, sizeof(mod_s[total].mod_type)); + + mod_p[total] = &(mod_s[total]); + total++; + } + + if (total == 0) { + rcode = RLM_MODULE_NOOP; + goto release; + } + + mod_p[total] = NULL; + + conn = mod_conn_get(inst, request); + if (!conn) return RLM_MODULE_FAIL; + + + dn = rlm_ldap_find_user(inst, request, &conn, NULL, false, NULL, &rcode); + if (!dn || (rcode != RLM_MODULE_OK)) { + goto error; + } + + status = rlm_ldap_modify(inst, request, &conn, dn, modify); + switch (status) { + case LDAP_PROC_SUCCESS: + break; + + case LDAP_PROC_REJECT: + case LDAP_PROC_BAD_DN: + rcode = RLM_MODULE_INVALID; + break; + + default: + rcode = RLM_MODULE_FAIL; + break; + }; + + release: + error: + /* + * Free up any buffers we allocated for xlat expansion + */ + for (i = 0; i < last_exp; i++) { + talloc_free(expanded[i]); + } + + mod_conn_release(inst, conn); + + return rcode; +} + +static rlm_rcode_t mod_accounting(void *instance, REQUEST *request) CC_HINT(nonnull); +static rlm_rcode_t mod_accounting(void *instance, REQUEST *request) +{ + rlm_ldap_t *inst = instance; + + if (inst->accounting) return user_modify(inst, request, inst->accounting); + + return RLM_MODULE_NOOP; +} + +static rlm_rcode_t mod_post_auth(void *instance, REQUEST *request) CC_HINT(nonnull); +static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *request) +{ + rlm_ldap_t *inst = instance; + + if (inst->postauth) { + return user_modify(inst, request, inst->postauth); + } + + return RLM_MODULE_NOOP; +} + + +/* globally exported name */ +extern module_t rlm_ldap; +module_t rlm_ldap = { + .magic = RLM_MODULE_INIT, + .name = "ldap", + .inst_size = sizeof(rlm_ldap_t), + .config = module_config, + .bootstrap = mod_bootstrap, + .instantiate = mod_instantiate, + .detach = mod_detach, + .methods = { + [MOD_AUTHENTICATE] = mod_authenticate, + [MOD_AUTHORIZE] = mod_authorize, + [MOD_ACCOUNTING] = mod_accounting, + [MOD_POST_AUTH] = mod_post_auth + }, +}; diff --git a/src/modules/rlm_ldap/sasl.c b/src/modules/rlm_ldap/sasl.c new file mode 100644 index 0000000..17a6356 --- /dev/null +++ b/src/modules/rlm_ldap/sasl.c @@ -0,0 +1,194 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#include "ldap.h" + +/** + * $Id$ + * @file sasl.c + * @brief Functions to perform SASL binds against an LDAP directory. + * + * @author Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2015 Arran Cudbard-Bell <a.cudbardb@freeradius.org> + * @copyright 2015 The FreeRADIUS Server Project. + */ +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/rad_assert.h> + +#include <sasl/sasl.h> + +/** Data passed to the _sasl interact callback. + * + */ +typedef struct rlm_ldap_sasl_ctx { + rlm_ldap_t const *inst; //!< LDAP instance + REQUEST *request; //!< The current request. + + char const *identity; //!< User's DN or identity. + char const *password; //!< Bind password. + + ldap_sasl *extra; //!< Extra fields (realm and proxy id). +} rlm_ldap_sasl_ctx_t; + +/** Callback for ldap_sasl_interactive_bind + * + * @param handle used for the SASL bind. + * @param flags data as provided to ldap_sasl_interactive_bind. + * @param ctx Our context data, containing the identity, password, realm and various other things. + * @param sasl_callbacks Array of challenges to provide responses for. + * @return SASL_OK. + */ +static int _sasl_interact(UNUSED LDAP *handle, UNUSED unsigned flags, void *ctx, void *sasl_callbacks) +{ + rlm_ldap_sasl_ctx_t *this = ctx; + REQUEST *request = this->request; + rlm_ldap_t const *inst = this->inst; + sasl_interact_t *cb = sasl_callbacks; + sasl_interact_t *cb_p; + + for (cb_p = cb; cb_p->id != SASL_CB_LIST_END; cb_p++) { + MOD_ROPTIONAL(RDEBUG3, DEBUG3, "SASL challenge : %s", cb_p->challenge); + MOD_ROPTIONAL(RDEBUG3, DEBUG3, "SASL prompt : %s", cb_p->prompt); + + switch (cb_p->id) { + case SASL_CB_AUTHNAME: + cb_p->result = this->identity; + cb_p->len = strlen(this->identity); + break; + + case SASL_CB_PASS: + cb_p->result = this->password; + cb_p->len = strlen(this->password); + break; + + case SASL_CB_USER: + cb_p->result = this->extra->proxy ? this->extra->proxy : this->identity; + cb_p->len = this->extra->proxy ? strlen(this->extra->proxy) : strlen(this->identity); + break; + + case SASL_CB_GETREALM: + if (this->extra->realm) { + cb_p->result = this->extra->realm; + cb_p->len = strlen(this->extra->realm); + } + break; + + default: + break; + } + MOD_ROPTIONAL(RDEBUG3, DEBUG3, "SASL result : %s", cb_p->result ? (char const *)cb_p->result : ""); + } + return SASL_OK; +} + +/** Initiate an LDAP interactive bind + * + * @param[in] inst rlm_ldap configuration. + * @param[in] request Current request, this may be NULL, in which case all debug logging is done with radlog. + * @param[in] conn to use. May change as this function calls functions which auto re-connect. + * @param[in] identity of the user. + * @param[in] password of the user. + * @param[in] sasl mechanism to use for bind, and additional parameters. + * @param[out] error message resulting from bind. + * @param[out] extra information about the error. + * @return One of the LDAP_PROC_* (#ldap_rcode_t) values. + */ +ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t const *inst, REQUEST *request, + ldap_handle_t *conn, char const *identity, + char const *password, ldap_sasl *sasl, + char const **error, char **extra) +{ + ldap_rcode_t status; + int ret = 0; + int msgid; + char const *mech; + LDAPMessage *result = NULL; + rlm_ldap_sasl_ctx_t sasl_ctx; /* SASL defaults */ + + /* rlm_ldap_result may not be called */ + if (error) *error = NULL; + if (extra) *extra = NULL; + + sasl_ctx.inst = inst; + sasl_ctx.request = request; + sasl_ctx.identity = identity; + sasl_ctx.password = password; + sasl_ctx.extra = sasl; + + MOD_ROPTIONAL(RDEBUG2, DEBUG2, "Starting SASL mech(s): %s", sasl->mech); + for (;;) { + ret = ldap_sasl_interactive_bind(conn->handle, NULL, sasl->mech, + NULL, NULL, LDAP_SASL_AUTOMATIC, + _sasl_interact, &sasl_ctx, result, + &mech, &msgid); + + /* + * If ldap_sasl_interactive_bind indicates it didn't want + * to continue, then we're done. + * + * Calling ldap_result here, results in a timeout in some + * cases, so we need to figure out whether the bind was + * successful without the help of ldap_result. + */ + if (ret != LDAP_SASL_BIND_IN_PROGRESS) { + status = rlm_ldap_result(inst, conn, -1, identity, NULL, error, extra); + break; /* Old result gets freed on after exit */ + } + + ldap_msgfree(result); /* We always need to free the old message */ + + /* + * If LDAP parse result indicates there was an error + * then we're done. + */ + status = rlm_ldap_result(inst, conn, msgid, identity, &result, error, extra); + switch (status) { + case LDAP_PROC_SUCCESS: /* ldap_sasl_interactive_bind should have indicated success */ + case LDAP_PROC_CONTINUE: + break; + + default: + goto done; + } + + /* + * ...otherwise, the bind is still in progress. + */ + MOD_ROPTIONAL(RDEBUG3, DEBUG3, "Continuing SASL mech %s...", mech); + + /* + * Write the servers response to the debug log + */ + if (((request && RDEBUG_ENABLED3) || DEBUG_ENABLED3) && result) { + struct berval *srv_cred; + + if ((ldap_parse_sasl_bind_result(conn->handle, result, &srv_cred, 0) == LDAP_SUCCESS) && + (srv_cred != NULL)) { + char *escaped; + + escaped = fr_aprints(request, srv_cred->bv_val, srv_cred->bv_len, '\0'); + MOD_ROPTIONAL(RDEBUG3, DEBUG3, "SASL response : %s", escaped); + + talloc_free(escaped); + ber_bvfree(srv_cred); + } + } + } +done: + ldap_msgfree(result); + + return status; +} |