/*++ /* NAME /* dict_ldap 3 /* SUMMARY /* dictionary manager interface to LDAP maps /* SYNOPSIS /* #include <dict_ldap.h> /* /* DICT *dict_ldap_open(attribute, dummy, dict_flags) /* const char *ldapsource; /* int dummy; /* int dict_flags; /* DESCRIPTION /* dict_ldap_open() makes LDAP user information accessible via /* the generic dictionary operations described in dict_open(3). /* /* Arguments: /* .IP ldapsource /* Either the path to the LDAP configuration file (if it starts /* with '/' or '.'), or the prefix which will be used to obtain /* configuration parameters for this search. /* /* In the first case, the configuration variables below are /* specified in the file as \fBname\fR=\fBvalue\fR pairs. /* /* In the second case, the configuration variables are prefixed /* with the value of \fIldapsource\fR and an underscore, /* and they are specified in main.cf. For example, if this /* value is \fBldapone\fR, the variables would look like /* \fBldapone_server_host\fR, \fBldapone_search_base\fR, and so on. /* .IP dummy /* Not used; this argument exists only for compatibility with /* the dict_open(3) interface. /* .PP /* Configuration parameters: /* .IP server_host /* List of hosts at which all LDAP queries are directed. /* The host names can also be LDAP URLs if the LDAP client library used /* is OpenLDAP. /* .IP server_port /* The port the LDAP server listens on. /* .IP search_base /* The LDAP search base, for example: \fIO=organization name, C=country\fR. /* .IP domain /* If specified, only lookups ending in this value will be queried. /* This can significantly reduce the query load on the LDAP server. /* .IP timeout /* Deadline for LDAP open() and LDAP search() . /* .IP query_filter /* The search filter template used to search for directory entries, /* for example \fI(mailacceptinggeneralid=%s)\fR. See ldap_table(5) /* for details. /* .IP result_format /* The result template used to expand results from queries. Default /* is \fI%s\fR. See ldap_table(5) for details. 
Also supported under /* the name \fIresult_filter\fR for compatibility with older releases. /* .IP result_attribute /* The attribute(s) returned by the search, in which to find /* RFC822 addresses, for example \fImaildrop\fR. /* .IP special_result_attribute /* The attribute(s) of directory entries that can contain DNs or URLs. /* If found, a recursive subsequent search is done using their values. /* .IP leaf_result_attribute /* These are only returned for "leaf" LDAP entries, i.e. those that are /* not "terminal" and have no values for any of the "special" result /* attributes. /* .IP terminal_result_attribute /* If found, the LDAP entry is considered a terminal LDAP object, not /* subject to further direct or recursive expansion. Only the terminal /* result attributes are returned. /* .IP scope /* LDAP search scope: sub, base, or one. /* .IP bind /* Whether or not to bind to the server -- LDAP v3 implementations don't /* require it, which saves some overhead. /* .IP bind_dn /* If you must bind to the server, do it with this distinguished name ... /* .IP bind_pw /* \&... and this password. /* .IP cache (no longer supported) /* Whether or not to turn on client-side caching. /* .IP cache_expiry (no longer supported) /* If you do cache results, expire them after this many seconds. /* .IP cache_size (no longer supported) /* The cache size in bytes. Does nothing if the cache is off, of course. /* .IP recursion_limit /* Maximum recursion depth when expanding DN or URL references. /* Queries which exceed the recursion limit fail with /* dict->error = DICT_ERR_RETRY. /* .IP expansion_limit /* Limit (if any) on the total number of lookup result values. Lookups which /* exceed the limit fail with dict->error=DICT_ERR_RETRY. Note that /* each value of a multivalued result attribute counts as one result. /* .IP size_limit /* Limit on the number of entries returned by individual LDAP queries. /* Queries which exceed the limit fail with dict->error=DICT_ERR_RETRY. 
/* This is an *entry* count, for any single query performed during the
/* possibly recursive lookup.
/* .IP chase_referrals
/* Controls whether LDAP referrals are obeyed.
/* .IP dereference
/* How to handle LDAP aliases. See ldap.h or ldap_open(3) man page.
/* .IP version
/* Specifies the LDAP protocol version to use. Default is version
/* \fI2\fR.
/* .IP "\fBsasl_mechs (empty)\fR"
/* Specifies a space-separated list of LDAP SASL Mechanisms.
/* .IP "\fBsasl_realm (empty)\fR"
/* The realm to use for SASL binds.
/* .IP "\fBsasl_authz_id (empty)\fR"
/* The SASL Authorization Identity to assert.
/* .IP "\fBsasl_minssf (0)\fR"
/* The minimum SASL SSF to allow.
/* .IP start_tls
/* Whether or not to issue STARTTLS upon connection to the server.
/* At this time, STARTTLS and LDAP SSL are only available if the
/* LDAP client library used is OpenLDAP. Default is \fIno\fR.
/* .IP tls_ca_cert_file
/* File containing certificates for all of the X509 Certification
/* Authorities the client will recognize. Takes precedence over
/* tls_ca_cert_dir.
/* .IP tls_ca_cert_dir
/* Directory containing X509 Certification Authority certificates
/* in separate individual files.
/* .IP tls_cert
/* File containing client's X509 certificate.
/* .IP tls_key
/* File containing the private key corresponding to
/* tls_cert.
/* .IP tls_require_cert
/* Whether or not to request the server's X509 certificate and check its
/* validity. The value "no" means don't check the cert trust chain
/* and (OpenLDAP 2.1+) don't check the peername. The value "yes" means
/* check both the trust chain and the peername (with OpenLDAP <= 2.0.11,
/* the peername checks use the reverse hostname from the LDAP server's
/* IP address, not the user supplied servername). Note that with "no",
/* STARTTLS or LDAP SSL still encrypts the session but does not
/* authenticate the server, so an attacker who can redirect the
/* connection could impersonate the server and receive the bind
/* credentials; use "yes" wherever bind_dn/bind_pw are configured.
/* .IP tls_random_file
/* Path of a file to obtain random bits from when /dev/[u]random is
/* not available. Generally set to the name of the EGD/PRNGD socket.
/* .IP tls_cipher_suite
/* Cipher suite to use in SSL/TLS negotiations.
/* .IP debuglevel /* Debug level. See 'loglevel' option in slapd.conf(5) man page. /* Currently only in openldap libraries (and derivatives). /* SEE ALSO /* dict(3) generic dictionary manager /* AUTHOR(S) /* Prabhat K Singh /* VSNL, Bombay, India. /* prabhat@giasbm01.vsnl.net.in /* /* Wietse Venema /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA /* /* Wietse Venema /* Google, Inc. /* 111 8th Avenue /* New York, NY 10011, USA /* /* John Hensley /* john@sunislelodge.com /* /* Current maintainers: /* /* LaMont Jones /* lamont@debian.org /* /* Victor Duchovni /* Morgan Stanley /* New York, USA /* /* Liviu Daia /* Institute of Mathematics of the Romanian Academy /* P.O. BOX 1-764 /* RO-014700 Bucharest, ROMANIA /*--*/ /* System library. */ #include "sys_defs.h" #ifdef HAS_LDAP #include <sys/time.h> #include <stdio.h> #include <signal.h> #include <setjmp.h> #include <stdlib.h> #include <lber.h> #include <ldap.h> #include <string.h> #include <ctype.h> #include <unistd.h> #ifdef STRCASECMP_IN_STRINGS_H #include <strings.h> #endif /* * Older APIs have weird memory freeing behavior. */ #if !defined(LDAP_API_VERSION) || (LDAP_API_VERSION < 2000) #error "Your LDAP version is too old" #endif /* Handle differences between LDAP SDK's constant definitions */ #ifndef LDAP_CONST #define LDAP_CONST const #endif #ifndef LDAP_OPT_SUCCESS #define LDAP_OPT_SUCCESS 0 #endif /* Utility library. */ #include <msg.h> #include <mymalloc.h> #include <vstring.h> #include <dict.h> #include <stringops.h> #include <binhash.h> #include <name_code.h> /* Global library. */ #include "cfg_parser.h" #include "db_common.h" #include "mail_conf.h" #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP) /* * SASL headers, for sasl_interact_t. Either SASL v1 or v2 should be fine. */ #include <sasl.h> #endif /* Application-specific. 
*/ #include "dict_ldap.h" #define DICT_LDAP_BIND_NONE 0 #define DICT_LDAP_BIND_SIMPLE 1 #define DICT_LDAP_BIND_SASL 2 #define DICT_LDAP_DO_BIND(d) ((d)->bind != DICT_LDAP_BIND_NONE) #define DICT_LDAP_DO_SASL(d) ((d)->bind == DICT_LDAP_BIND_SASL) static const NAME_CODE bindopt_table[] = { CONFIG_BOOL_NO, DICT_LDAP_BIND_NONE, "none", DICT_LDAP_BIND_NONE, CONFIG_BOOL_YES, DICT_LDAP_BIND_SIMPLE, "simple", DICT_LDAP_BIND_SIMPLE, #ifdef LDAP_API_FEATURE_X_OPENLDAP #if defined(USE_LDAP_SASL) "sasl", DICT_LDAP_BIND_SASL, #endif #endif 0, -1, }; typedef struct { LDAP *conn_ld; int conn_refcount; } LDAP_CONN; /* * Structure containing all the configuration parameters for a given * LDAP source, plus its connection handle. */ typedef struct { DICT dict; /* generic member */ CFG_PARSER *parser; /* common parameter parser */ char *query; /* db_common_expand() query */ char *result_format; /* db_common_expand() result_format */ void *ctx; /* db_common_parse() context */ int dynamic_base; /* Search base has substitutions? */ int expansion_limit; char *server_host; int server_port; int scope; char *search_base; ARGV *result_attributes; int num_terminal; /* Number of terminal attributes. 
*/ int num_leaf; /* Number of leaf attributes */ int num_attributes; /* Combined # of non-special attrs */ int bind; char *bind_dn; char *bind_pw; int timeout; int dereference; long recursion_limit; long size_limit; int chase_referrals; int debuglevel; int version; #ifdef LDAP_API_FEATURE_X_OPENLDAP #if defined(USE_LDAP_SASL) int sasl; char *sasl_mechs; char *sasl_realm; char *sasl_authz; int sasl_minssf; #endif int ldap_ssl; int start_tls; int tls_require_cert; char *tls_ca_cert_file; char *tls_ca_cert_dir; char *tls_cert; char *tls_key; char *tls_random_file; char *tls_cipher_suite; #endif BINHASH_INFO *ht; /* hash entry for LDAP connection */ LDAP *ld; /* duplicated from conn->conn_ld */ } DICT_LDAP; #define DICT_LDAP_CONN(d) ((LDAP_CONN *)((d)->ht->value)) #define DICT_LDAP_UNBIND_RETURN(__ld, __err, __ret) do { \ dict_ldap_unbind(__ld); \ (__ld) = 0; \ dict_ldap->dict.error = (__err); \ return ((__ret)); \ } while (0) /* * Bitrot: LDAP_API 3000 and up (OpenLDAP 2.2.x) deprecated ldap_unbind() */ #if LDAP_API_VERSION >= 3000 #define dict_ldap_unbind(ld) ldap_unbind_ext((ld), 0, 0) #define dict_ldap_abandon(ld, msg) ldap_abandon_ext((ld), (msg), 0, 0) #else #define dict_ldap_unbind(ld) ldap_unbind(ld) #define dict_ldap_abandon(ld, msg) ldap_abandon((ld), (msg)) #endif static int dict_ldap_vendor_version(void) { const char *myname = "dict_ldap_api_info"; LDAPAPIInfo api; /* * We tell the library our version, and it tells us its version and/or * may return an error code if the versions are not the same. 
*/
    api.ldapai_info_version = LDAP_API_INFO_VERSION;

    /*
     * Any mismatch between the library we were compiled against and the
     * one loaded at run time is fatal: we never proceed with a library
     * whose option structures may be laid out differently from what this
     * code assumes.
     */
    if (ldap_get_option(0, LDAP_OPT_API_INFO, &api) != LDAP_SUCCESS
	|| api.ldapai_info_version != LDAP_API_INFO_VERSION) {
	if (api.ldapai_info_version != LDAP_API_INFO_VERSION)
	    msg_fatal("%s: run-time API_INFO version: %d, compiled with: %d",
		      myname, api.ldapai_info_version, LDAP_API_INFO_VERSION);
	else
	    msg_fatal("%s: ldap_get_option(API_INFO) failed", myname);
    }
    if (strcmp(api.ldapai_vendor_name, LDAP_VENDOR_NAME) != 0)
	msg_fatal("%s: run-time API vendor: %s, compiled with: %s",
		  myname, api.ldapai_vendor_name, LDAP_VENDOR_NAME);
    return (api.ldapai_vendor_version);
}

/*
 * Quoting rules.
 *
 * The lookup key (typically an e-mail address taken from untrusted mail)
 * is substituted into two different LDAP contexts: the search base (a DN,
 * RFC 2253 syntax) and the search filter (RFC 2254 syntax). Each context
 * has its own metacharacters, so each has its own quoting function. Both
 * functions quote by replacing every byte from the unsafe set with "\XX"
 * (two uppercase hex digits); that form is valid in both syntaxes, so no
 * unquoted metacharacter from the key can ever reach the server.
 *
 * NOTE(review): these are presumably registered with db_common_parse() as
 * the quoting callbacks for search_base / query_filter substitution; the
 * registration is not in this part of the file - confirm in dict_ldap_open().
 */

/* rfc2253_quote - Quote input key for safe inclusion in the search base */

static void rfc2253_quote(DICT *unused, const char *name, VSTRING *result)
{
    const char *sub = name;
    size_t  len;

    /*
     * The RFC only requires quoting of a leading or trailing space, but it
     * is harmless to quote whitespace everywhere. Similarly, we quote all
     * '#' characters, even though only the leading '#' character requires
     * quoting per the RFC.
     *
     * Copy runs of safe bytes verbatim; every byte in the unsafe set is
     * written as "\XX". The cast to unsigned char keeps bytes >= 0x80 from
     * being sign-extended into a negative %02X argument.
     */
    while (*sub)
	if ((len = strcspn(sub, " \t\"#+,;<>\\")) > 0) {
	    vstring_strncat(result, sub, len);
	    sub += len;
	} else
	    vstring_sprintf_append(result, "\\%02X",
				   *((const unsigned char *) sub++));
}

/* rfc2254_quote - Quote input key for safe inclusion in the query filter */

static void rfc2254_quote(DICT *unused, const char *name, VSTRING *result)
{
    const char *sub = name;
    size_t  len;

    /*
     * If any characters in the supplied address should be escaped per RFC
     * 2254, do so. Thanks to Keith Stevenson and Wietse. And thanks to
     * Samuel Tardieu for spotting that wildcard searches were being done in
     * the first place, which prompted the ill-conceived lookup_wildcards
     * parameter and then this more comprehensive mechanism.
     *
     * The filter metacharacters are '*', '(', ')' and '\'. A NUL byte would
     * also need quoting per the RFC, but the key is a C string and so can
     * never contain one.
     */
*/
    while (*sub)
	if ((len = strcspn(sub, "*()\\")) > 0) {
	    vstring_strncat(result, sub, len);
	    sub += len;
	} else
	    vstring_sprintf_append(result, "\\%02X",
				   *((const unsigned char *) sub++));
}

/*
 * Table of shared LDAP connections, keyed by every parameter that affects
 * a connection's identity (see dict_ldap_conn_find()). Allocated lazily.
 */
static BINHASH *conn_hash = 0;

#if defined(LDAP_API_FEATURE_X_OPENLDAP) || !defined(LDAP_OPT_NETWORK_TIMEOUT)

/*
 * LDAP connection timeout support.
 *
 * SIGALRM handler paired with setjmp() in dict_ldap_connect(): it bounds
 * blocking library calls (ldap_open(), ldap_start_tls_s()) that offer no
 * timeout of their own. Longjmp'ing out of a signal handler abandons the
 * library call mid-flight, so the caller must treat the LDAP handle as
 * unusable afterwards; dict_ldap_connect() does so by dropping the handle.
 */
static jmp_buf env;

static void dict_ldap_timeout(int unused_sig)
{
    longjmp(env, 1);
}

#endif

/*
 * dict_ldap_logprint - LBER debug-output callback.
 *
 * Receives one line of library debug text, strips trailing whitespace and
 * routes it through msg_info(). The text is always passed as a "%s"
 * argument, never as a format string, so library output cannot inject
 * conversions. Installed by dict_ldap_connect() only when debuglevel > 0.
 *
 * NOTE(review): at high debug levels the library may trace protocol
 * exchanges through this path into the mail log; confirm whether bind
 * credentials can appear there before enabling debuglevel in production.
 */
static void dict_ldap_logprint(LDAP_CONST char *data)
{
    const char *myname = "dict_ldap_debug";
    char   *buf, *p;

    buf = mystrdup(data);
    if (*buf) {
	/*
	 * Walk back from the last byte, erasing whitespace. When the whole
	 * buffer is whitespace, p ends up one before buf; the "p - buf >= 0"
	 * test stops the loop there (strictly, forming buf - 1 is not
	 * well-defined C, but it is harmless in practice).
	 */
	p = buf + strlen(buf) - 1;
	while (p - buf >= 0 && ISSPACE(*p))
	    *p-- = 0;
    }
    msg_info("%s: %s", myname, buf);
    myfree(buf);
}

/*
 * dict_ldap_get_errno - fetch the library's last error code for this handle.
 *
 * Returns LDAP_OTHER when the error number itself cannot be read, so a
 * failure to diagnose is never reported as success.
 */
static int dict_ldap_get_errno(LDAP *ld)
{
    int     rc;

    if (ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &rc) != LDAP_OPT_SUCCESS)
	rc = LDAP_OTHER;
    return rc;
}

/*
 * dict_ldap_set_errno - record an error code on the handle; returns rc so
 * it can be used directly in a return statement.
 */
static int dict_ldap_set_errno(LDAP *ld, int rc)
{
    (void) ldap_set_option(ld, LDAP_OPT_ERROR_NUMBER, &rc);
    return rc;
}

#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)

/*
 * Context structure for SASL property callback.
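*/
typedef struct bind_props {
    char   *authcid;			/* authentication identity (bind_dn) */
    char   *passwd;			/* password (bind_pw) */
    char   *realm;			/* SASL realm (sasl_realm) */
    char   *authzid;			/* identity to assert (sasl_authz_id) */
} bind_props;

/*
 * ldap_b2_interact - SASL interaction callback.
 *
 * Called by ldap_sasl_interactive_bind_s() with a list of prompts; each one
 * is answered from the bind_props passed through "props". Prompts we do
 * not recognise are left with a NULL result. Returning LDAP_SUCCESS lets
 * the library continue with whatever answers were supplied; the library
 * owns the interaction list, we only fill in pointers into our own config.
 */
static int ldap_b2_interact(LDAP *ld, unsigned flags, void *props, void *inter)
{
    sasl_interact_t *in;
    bind_props *ctx = (bind_props *) props;

    for (in = inter; in->id != SASL_CB_LIST_END; in++) {
	in->result = NULL;
	switch (in->id) {
	case SASL_CB_GETREALM:
	    in->result = ctx->realm;
	    break;
	case SASL_CB_AUTHNAME:
	    in->result = ctx->authcid;
	    break;
	case SASL_CB_USER:
	    in->result = ctx->authzid;
	    break;
	case SASL_CB_PASS:
	    in->result = ctx->passwd;
	    break;
	}
	if (in->result)
	    in->len = strlen(in->result);
    }
    return LDAP_SUCCESS;
}

#endif

/* dict_ldap_result - Read and parse LDAP result */

/*
 * Waits up to "timeout" seconds for the complete result of operation
 * "msgid". Returns LDAP_SUCCESS with *res filled in, or an LDAP error code.
 * On timeout the outstanding operation is abandoned so that the server
 * stops working on it and a late reply cannot be confused with a later
 * request on the same (shared) connection; LDAP_TIMEOUT is recorded on the
 * handle and returned.
 */
static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
{
    struct timeval mytimeval;
    int     err;

    mytimeval.tv_sec = timeout;
    mytimeval.tv_usec = 0;

#define GET_ALL 1

    if (ldap_result(ld, msgid, GET_ALL, &mytimeval, res) == -1)
	return (dict_ldap_get_errno(ld));

    if ((err = dict_ldap_get_errno(ld)) != LDAP_SUCCESS) {
	if (err == LDAP_TIMEOUT) {
	    (void) dict_ldap_abandon(ld, msgid);
	    return (dict_ldap_set_errno(ld, LDAP_TIMEOUT));
	}
	return err;
    }
    return LDAP_SUCCESS;
}

#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)

/* Asynchronous SASL auth if SASL is enabled */

/*
 * dict_ldap_bind_sasl - authenticate with SASL.
 *
 * Sets the minimum security strength factor (sasl_minssf) as a SASL
 * security property before binding, so that a mechanism negotiating weaker
 * protection is refused by the library rather than silently accepted.
 * Credentials are handed to the library only through ldap_b2_interact().
 * Returns LDAP_SUCCESS or the library/server error code.
 */
static int dict_ldap_bind_sasl(DICT_LDAP *dict_ldap)
{
    int     rc;
    bind_props props;
    static VSTRING *minssf = 0;

    if (minssf == 0)
	minssf = vstring_alloc(12);
    vstring_sprintf(minssf, "minssf=%d", dict_ldap->sasl_minssf);

    /*
     * Bug fix: the option expects the "minssf=N" text, i.e. the VSTRING's
     * buffer (vstring_str()), not the VSTRING structure itself. Passing the
     * struct pointer cast to char * (as this code used to do) hands the
     * library the struct header, so the configured minimum SSF was never
     * what the library saw.
     */
    if ((rc = ldap_set_option(dict_ldap->ld, LDAP_OPT_X_SASL_SECPROPS,
			      vstring_str(minssf))) != LDAP_OPT_SUCCESS)
	return (rc);

    props.authcid = dict_ldap->bind_dn;
    props.passwd = dict_ldap->bind_pw;
    props.realm = dict_ldap->sasl_realm;
    props.authzid = dict_ldap->sasl_authz;

    /* LDAP_SASL_QUIET: never prompt on the terminal, answer via callback. */
    if ((rc = ldap_sasl_interactive_bind_s(dict_ldap->ld, NULL,
					   dict_ldap->sasl_mechs, NULL, NULL,
					   LDAP_SASL_QUIET, ldap_b2_interact,
					   &props)) != LDAP_SUCCESS)
	return (rc);
    return (LDAP_SUCCESS);
}

#endif

/* dict_ldap_bind_st -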
Synchronous simple auth with timeout */

/*
 * dict_ldap_bind_st - simple (DN + password) bind, bounded by "timeout".
 *
 * Issues the bind asynchronously, waits for its result with
 * dict_ldap_result() and returns the server's result code (or the local
 * error code when the operation itself failed). The response message is
 * freed by ldap_parse_result() (FREE_RESULT).
 *
 * NOTE(review): bind_pw is assumed non-NULL (empty when unset); strlen()
 * would fault otherwise - confirm dict_ldap_open() always sets it. Also, a
 * non-empty bind_dn with an empty password is an RFC 4513 "unauthenticated"
 * simple bind, which many servers accept and treat as anonymous; nothing
 * here rejects that combination, so a missing bind_pw fails open rather
 * than closed - consider validating it at configuration time.
 */
static int dict_ldap_bind_st(DICT_LDAP *dict_ldap)
{
    int     rc;
    int     err = LDAP_SUCCESS;
    int     msgid;
    LDAPMessage *res;
    struct berval cred;

    cred.bv_val = dict_ldap->bind_pw;
    cred.bv_len = strlen(cred.bv_val);
    if ((rc = ldap_sasl_bind(dict_ldap->ld, dict_ldap->bind_dn, LDAP_SASL_SIMPLE,
			     &cred, 0, 0, &msgid)) != LDAP_SUCCESS)
	return (rc);
    if ((rc = dict_ldap_result(dict_ldap->ld, msgid, dict_ldap->timeout,
			       &res)) != LDAP_SUCCESS)
	return (rc);

#define FREE_RESULT 1
    rc = ldap_parse_result(dict_ldap->ld, res, &err, 0, 0, 0, 0, FREE_RESULT);
    /* Prefer the server's verdict; fall back to the parse error if any. */
    return (rc == LDAP_SUCCESS ? err : rc);
}

/* search_st - Synchronous search with timeout */

/*
 * Runs one search and waits for its complete result. "query" must already
 * be quoted by the caller (rfc2254_quote() for the lookup key); when the
 * caller is resolving an LDAP URL found in the directory, base, scope and
 * filter come from directory data, so whoever can write the special result
 * attributes controls that query.
 *
 * Returns LDAP_SUCCESS with *res set (caller frees with ldap_msgfree()),
 * else the server's result code, or the local error code if the operation
 * could not be issued or its result could not be read; the server code
 * wins when both are set. No explicit size limit is passed
 * (USE_SIZE_LIM_OPT): the LDAP_OPT_SIZELIMIT configured on the connection
 * in dict_ldap_connect() applies instead.
 */
static int search_st(LDAP *ld, char *base, int scope, char *query,
		             char **attrs, int timeout, LDAPMessage **res)
{
    struct timeval mytimeval;
    int     msgid;
    int     rc;
    int     err;

    mytimeval.tv_sec = timeout;
    mytimeval.tv_usec = 0;

#define WANTVALS 0
#define USE_SIZE_LIM_OPT -1			/* Any negative value will do */

    if ((rc = ldap_search_ext(ld, base, scope, query, attrs, WANTVALS, 0, 0,
			      &mytimeval, USE_SIZE_LIM_OPT,
			      &msgid)) != LDAP_SUCCESS)
	return rc;

    if ((rc = dict_ldap_result(ld, msgid, timeout, res)) != LDAP_SUCCESS)
	return (rc);

#define DONT_FREE_RESULT 0
    rc = ldap_parse_result(ld, *res, &err, 0, 0, 0, 0, DONT_FREE_RESULT);
    return (err != LDAP_SUCCESS ?
*/
	    err : rc);
}

#ifdef LDAP_API_FEATURE_X_OPENLDAP

/*
 * dict_ldap_set_tls_options - apply the tls_* settings before STARTTLS/LDAPS.
 *
 * Each configured setting is passed to the library in turn; the first
 * failure is logged and -1 is returned so that the caller refuses to use
 * the connection (no TLS setting is ever silently ignored). Returns 0 when
 * nothing needed doing or all settings were accepted.
 *
 * With LDAP_OPT_X_TLS_NEWCTX available, settings are applied to this
 * handle ("ld") and a fresh per-connection TLS context is created from
 * them at the end. Without it, "ld" is NULL and the settings are global to
 * the library: every LDAP source in this process then shares the last
 * values written here.
 */
static int dict_ldap_set_tls_options(DICT_LDAP *dict_ldap)
{
    const char *myname = "dict_ldap_set_tls_options";
    int     rc;

#ifdef LDAP_OPT_X_TLS_NEWCTX
    int     am_server = 0;
    LDAP   *ld = dict_ldap->ld;

#else
    LDAP   *ld = 0;

#endif

    if (dict_ldap->start_tls || dict_ldap->ldap_ssl) {
	if (*dict_ldap->tls_random_file) {
	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE,
			dict_ldap->tls_random_file)) != LDAP_SUCCESS) {
		msg_warn("%s: Unable to set tls_random_file to %s: %d: %s",
			 myname, dict_ldap->tls_random_file,
			 rc, ldap_err2string(rc));
		return (-1);
	    }
	}
	if (*dict_ldap->tls_ca_cert_file) {
	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
			dict_ldap->tls_ca_cert_file)) != LDAP_SUCCESS) {
		msg_warn("%s: Unable to set tls_ca_cert_file to %s: %d: %s",
			 myname, dict_ldap->tls_ca_cert_file,
			 rc, ldap_err2string(rc));
		return (-1);
	    }
	}
	if (*dict_ldap->tls_ca_cert_dir) {
	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR,
			dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS) {
		msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
			 myname, dict_ldap->tls_ca_cert_dir,
			 rc, ldap_err2string(rc));
		return (-1);
	    }
	}
	if (*dict_ldap->tls_cert) {
	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE,
				      dict_ldap->tls_cert)) != LDAP_SUCCESS) {
		msg_warn("%s: Unable to set tls_cert to %s: %d: %s",
			 myname, dict_ldap->tls_cert,
			 rc, ldap_err2string(rc));
		return (-1);
	    }
	}
	if (*dict_ldap->tls_key) {
	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE,
				      dict_ldap->tls_key)) != LDAP_SUCCESS) {
		msg_warn("%s: Unable to set tls_key to %s: %d: %s",
			 myname, dict_ldap->tls_key,
			 rc, ldap_err2string(rc));
		return (-1);
	    }
	}
	if (*dict_ldap->tls_cipher_suite) {
	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
			dict_ldap->tls_cipher_suite)) != LDAP_SUCCESS) {
		msg_warn("%s: Unable to set tls_cipher_suite to %s: %d: %s",
			 myname, dict_ldap->tls_cipher_suite,
			 rc, ldap_err2string(rc));
		return (-1);
	    }
	}

	/*
	 * tls_require_cert decides whether the server certificate is
	 * verified at all (chain and peer name); it is applied
	 * unconditionally, not only when set, so a stale global value from
	 * another source cannot leak into this connection.
	 */
	if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
&(dict_ldap->tls_require_cert))) != LDAP_SUCCESS) {
	    msg_warn("%s: Unable to set tls_require_cert to %d: %d: %s",
		     myname, dict_ldap->tls_require_cert,
		     rc, ldap_err2string(rc));
	    return (-1);
	}
#ifdef LDAP_OPT_X_TLS_NEWCTX

	/*
	 * Build a fresh TLS context for this handle from the settings just
	 * applied (am_server == 0: client-side context). Must come last, as
	 * the context snapshots the options at creation time.
	 */
	if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX,
				  &am_server)) != LDAP_SUCCESS) {
	    msg_warn("%s: Unable to allocate new TLS context %d: %s",
		     myname, rc, ldap_err2string(rc));
	    return (-1);
	}
#endif
    }
    return (0);
}

#endif

/* Establish a connection to the LDAP server. */

/*
 * dict_ldap_connect - open, configure, secure and bind one LDAP connection.
 *
 * On success stores the handle in the shared LDAP_CONN entry for this
 * source and returns 0. On any failure logs the reason, sets
 * dict.error = DICT_ERR_RETRY and returns -1, so the lookup is reported as
 * a temporary failure rather than as "no such key". Every failure path
 * after the handle exists releases it with DICT_LDAP_UNBIND_RETURN, except
 * the two noted below.
 */
static int dict_ldap_connect(DICT_LDAP *dict_ldap)
{
    const char *myname = "dict_ldap_connect";
    int     rc = 0;

#ifdef LDAP_OPT_NETWORK_TIMEOUT
    struct timeval mytimeval;

#endif

#if defined(LDAP_API_FEATURE_X_OPENLDAP) || !defined(LDAP_OPT_NETWORK_TIMEOUT)
    void    (*saved_alarm) (int);

#endif

    /*
     * Library-wide (not per-handle) debug settings: these are set with a
     * NULL handle, so they affect every LDAP source in this process, and
     * failures are only warned about.
     */
#if defined(LDAP_OPT_DEBUG_LEVEL) && defined(LBER_OPT_LOG_PRINT_FN)
    if (dict_ldap->debuglevel > 0 &&
	ber_set_option(NULL, LBER_OPT_LOG_PRINT_FN,
		       (LDAP_CONST void *) dict_ldap_logprint) != LBER_OPT_SUCCESS)
	msg_warn("%s: Unable to set ber logprint function.", myname);
#if defined(LBER_OPT_DEBUG_LEVEL)
    if (ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL,
		       &(dict_ldap->debuglevel)) != LBER_OPT_SUCCESS)
	msg_warn("%s: Unable to set BER debug level.", myname);
#endif
    if (ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL,
			&(dict_ldap->debuglevel)) != LDAP_OPT_SUCCESS)
	msg_warn("%s: Unable to set LDAP debug level.", myname);
#endif

    dict_ldap->dict.error = 0;

    if (msg_verbose)
	msg_info("%s: Connecting to server %s", myname,
		 dict_ldap->server_host);

    /*
     * Two ways to bound the connect: the library's own network timeout
     * when available, otherwise SIGALRM + longjmp around ldap_open().
     * Neither path sends anything yet; the actual connect happens on the
     * first operation (or on STARTTLS below).
     *
     * NOTE(review): ldap_initialize()'s return value is ignored; the NULL
     * test afterwards relies on the library leaving ld NULL on failure.
     */
#ifdef LDAP_OPT_NETWORK_TIMEOUT
#ifdef LDAP_API_FEATURE_X_OPENLDAP
    ldap_initialize(&(dict_ldap->ld), dict_ldap->server_host);
#else
    dict_ldap->ld = ldap_init(dict_ldap->server_host,
			      (int) dict_ldap->server_port);
#endif
    if (dict_ldap->ld == NULL) {
	msg_warn("%s: Unable to init LDAP server %s",
		 myname, dict_ldap->server_host);
	dict_ldap->dict.error = DICT_ERR_RETRY;
	return (-1);
    }
    mytimeval.tv_sec = dict_ldap->timeout;
    mytimeval.tv_usec = 0;
    if (ldap_set_option(dict_ldap->ld,
			LDAP_OPT_NETWORK_TIMEOUT, &mytimeval) != LDAP_OPT_SUCCESS) {
	msg_warn("%s: Unable to set network timeout.", myname);
	DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
    }
#else
    if ((saved_alarm = signal(SIGALRM, dict_ldap_timeout)) == SIG_ERR) {
	msg_warn("%s: Error setting signal handler for open timeout: %m",
		 myname);
	dict_ldap->dict.error = DICT_ERR_RETRY;
	return (-1);
    }
    alarm(dict_ldap->timeout);
    if (setjmp(env) == 0)
	dict_ldap->ld = ldap_open(dict_ldap->server_host,
				  (int) dict_ldap->server_port);
    else
	dict_ldap->ld = 0;			/* timed out; handle is not usable */
    alarm(0);
    if (signal(SIGALRM, saved_alarm) == SIG_ERR) {
	msg_warn("%s: Error resetting signal handler after open: %m",
		 myname);
	dict_ldap->dict.error = DICT_ERR_RETRY;
	return (-1);
    }
    if (dict_ldap->ld == NULL) {
	msg_warn("%s: Unable to connect to LDAP server %s",
		 myname, dict_ldap->server_host);
	dict_ldap->dict.error = DICT_ERR_RETRY;
	return (-1);
    }
#endif

    /*
     * v3 support is needed for referral chasing. Thanks to Sami Haahtinen
     * for the patch.
     *
     * NOTE(review): the documented default is version 2; STARTTLS and SASL
     * binds are LDAPv3 features, so those settings presumably require
     * "version = 3" as well - confirm against the library's behaviour.
     */
#ifdef LDAP_OPT_PROTOCOL_VERSION
    if (ldap_set_option(dict_ldap->ld, LDAP_OPT_PROTOCOL_VERSION,
			&dict_ldap->version) != LDAP_OPT_SUCCESS) {
	msg_warn("%s: Unable to set LDAP protocol version", myname);
	DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
    }
    if (msg_verbose) {
	if (ldap_get_option(dict_ldap->ld,
			    LDAP_OPT_PROTOCOL_VERSION,
			    &dict_ldap->version) != LDAP_OPT_SUCCESS)
	    msg_warn("%s: Unable to get LDAP protocol version", myname);
	else
	    msg_info("%s: Actual Protocol version used is %d.",
		     myname, dict_ldap->version);
    }
#endif

    /*
     * Limit the number of entries returned by each query.
     *
     * NOTE(review): size_limit is declared "long" in DICT_LDAP, but
     * LDAP_OPT_SIZELIMIT is conventionally read through an int pointer.
     * On LP64 little-endian hosts the low half happens to be the right
     * value; on big-endian LP64 it would not be. Confirm the option's
     * expected type for this library, or pass an int copy.
     */
    if (dict_ldap->size_limit) {
	if (ldap_set_option(dict_ldap->ld, LDAP_OPT_SIZELIMIT,
			    &dict_ldap->size_limit) != LDAP_OPT_SUCCESS) {
	    msg_warn("%s: %s: Unable to set query result size limit to %ld.",
		     myname, dict_ldap->parser->name, dict_ldap->size_limit);
	    DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
	}
    }

    /*
     * Configure alias dereferencing for this connection. Thanks to Mike
     * Mattice for this, and to Hery Rakotoarisoa for the v3 update.
     */
    if (ldap_set_option(dict_ldap->ld, LDAP_OPT_DEREF,
			&(dict_ldap->dereference)) != LDAP_OPT_SUCCESS)
	msg_warn("%s: Unable to set dereference option.", myname);

    /*
     * Chase referrals. Following a referral means talking to whatever
     * server the directory points us at, so a failure to apply the
     * configured setting is treated as fatal for this connection.
     */
#ifdef LDAP_OPT_REFERRALS
    if (ldap_set_option(dict_ldap->ld, LDAP_OPT_REFERRALS,
			dict_ldap->chase_referrals ?
			LDAP_OPT_ON : LDAP_OPT_OFF) != LDAP_OPT_SUCCESS) {
	msg_warn("%s: Unable to set Referral chasing.", myname);
	DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
    }
#else
    if (dict_ldap->chase_referrals) {
	msg_warn("%s: Unable to set Referral chasing.", myname);
    }
#endif

#ifdef LDAP_API_FEATURE_X_OPENLDAP
    if (dict_ldap_set_tls_options(dict_ldap) != 0)
	DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);

    /*
     * STARTTLS, bounded by SIGALRM + longjmp like ldap_open() above. A
     * failed or timed-out STARTTLS is a hard failure for this connection:
     * there is no fallback to a cleartext bind or search.
     *
     * After a longjmp the handle is in an unknown state and is deliberately
     * dropped (not unbound). NOTE(review): the generic rc != LDAP_SUCCESS
     * path below also returns without unbinding, so a STARTTLS refused by
     * the server (as opposed to a timeout) leaks the handle on every
     * retry; DICT_LDAP_UNBIND_RETURN would be appropriate when ld != 0.
     */
    if (dict_ldap->start_tls) {
	if ((saved_alarm = signal(SIGALRM, dict_ldap_timeout)) == SIG_ERR) {
	    msg_warn("%s: Error setting signal handler for STARTTLS timeout: %m",
		     myname);
	    DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
	}
	alarm(dict_ldap->timeout);
	if (setjmp(env) == 0)
	    rc = ldap_start_tls_s(dict_ldap->ld, NULL, NULL);
	else {
	    rc = LDAP_TIMEOUT;
	    dict_ldap->ld = 0;			/* Unknown state after
						 * longjmp() */
	}
	alarm(0);
	if (signal(SIGALRM, saved_alarm) == SIG_ERR) {
	    msg_warn("%s: Error resetting signal handler after STARTTLS: %m",
		     myname);
	    dict_ldap->dict.error = DICT_ERR_RETRY;
	    return (-1);
	}
	if (rc != LDAP_SUCCESS) {
	    msg_error("%s: Unable to set STARTTLS: %d: %s", myname,
		      rc, ldap_err2string(rc));
	    dict_ldap->dict.error = DICT_ERR_RETRY;
	    return (-1);
	}
    }
#endif

/* Log the bind DN, or a placeholder when none is configured. */
#define DN_LOG_VAL(dict_ldap) \
	((dict_ldap)->bind_dn[0] ? (dict_ldap)->bind_dn : "empty or implicit")

    /*
     * If this server requires a bind, do so. Thanks to Sam Tardieu for
     * noticing that the original bind call was broken.
*/
    if (DICT_LDAP_DO_BIND(dict_ldap)) {
	if (msg_verbose)
	    msg_info("%s: Binding to server %s with dn %s",
		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
	/* SASL bind only when compiled in; otherwise always a simple bind. */
#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
	if (DICT_LDAP_DO_SASL(dict_ldap)) {
	    rc = dict_ldap_bind_sasl(dict_ldap);
	} else {
	    rc = dict_ldap_bind_st(dict_ldap);
	}
#else
	rc = dict_ldap_bind_st(dict_ldap);
#endif
	/*
	 * A rejected bind tears the connection down; the failure is logged
	 * with the DN only, never with the password.
	 */
	if (rc != LDAP_SUCCESS) {
	    msg_warn("%s: Unable to bind to server %s with dn %s: %d (%s)",
		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap),
		     rc, ldap_err2string(rc));
	    DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
	}
	if (msg_verbose)
	    msg_info("%s: Successful bind to server %s with dn %s",
		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
    }
    /* Save connection handle in shared container */
    DICT_LDAP_CONN(dict_ldap)->conn_ld = dict_ldap->ld;

    if (msg_verbose)
	msg_info("%s: Cached connection handle for LDAP source %s",
		 myname, dict_ldap->parser->name);

    return (0);
}

/*
 * Locate or allocate connection cache entry.
 *
 * dict_ldap_conn_find - find (or create) the LDAP_CONN shared by all LDAP
 * sources with an identical connection configuration, and take a reference
 * on it.
 *
 * The cache key is built from every parameter that determines what the
 * connection *is*: server, port, protocol version, bind method, bind
 * identity and credentials, SASL settings, and the complete TLS
 * configuration. Two sources that differ in any of these never share a
 * handle, so a table with weaker TLS settings or a different bind identity
 * cannot ride on another table's authenticated, verified session. Anyone
 * adding a new connection-affecting setting to DICT_LDAP must also add it
 * here. Settings that are irrelevant for the chosen mode (credentials
 * without bind, TLS files without TLS) are folded to "" / 0 so that they do
 * not needlessly split the cache.
 */
static void dict_ldap_conn_find(DICT_LDAP *dict_ldap)
{
    VSTRING *keybuf = vstring_alloc(10);
    char   *key;
    int     len;

#ifdef LDAP_API_FEATURE_X_OPENLDAP
    int     sslon = dict_ldap->start_tls || dict_ldap->ldap_ssl;

#endif
    LDAP_CONN *conn;

    /*
     * Join key fields with null characters. The key is binary (it embeds
     * NULs), which is why a BINHASH keyed on (key, len) is used rather
     * than a string hash.
     */
#define ADDSTR(vp, s) vstring_memcat((vp), (s), strlen((s))+1)
#define ADDINT(vp, i) vstring_sprintf_append((vp), "%lu%c", (unsigned long)(i), 0)

    ADDSTR(keybuf, dict_ldap->server_host);
    ADDINT(keybuf, dict_ldap->server_port);
    ADDINT(keybuf, dict_ldap->bind);
    ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_dn : "");
    ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_pw : "");
    ADDINT(keybuf, dict_ldap->dereference);
    ADDINT(keybuf, dict_ldap->chase_referrals);
    ADDINT(keybuf, dict_ldap->debuglevel);
    ADDINT(keybuf, dict_ldap->version);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
#if defined(USE_LDAP_SASL)
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ?
	   dict_ldap->sasl_mechs : "");
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_realm : "");
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_authz : "");
    ADDINT(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_minssf : 0);
#endif
    ADDINT(keybuf, dict_ldap->ldap_ssl);
    ADDINT(keybuf, dict_ldap->start_tls);
    ADDINT(keybuf, sslon ? dict_ldap->tls_require_cert : 0);
    ADDSTR(keybuf, sslon ? dict_ldap->tls_ca_cert_file : "");
    ADDSTR(keybuf, sslon ? dict_ldap->tls_ca_cert_dir : "");
    ADDSTR(keybuf, sslon ? dict_ldap->tls_cert : "");
    ADDSTR(keybuf, sslon ? dict_ldap->tls_key : "");
    ADDSTR(keybuf, sslon ? dict_ldap->tls_random_file : "");
    ADDSTR(keybuf, sslon ? dict_ldap->tls_cipher_suite : "");
#endif

    key = vstring_str(keybuf);
    len = VSTRING_LEN(keybuf);

    /*
     * New entries start with no handle; dict_ldap_connect() fills conn_ld
     * in on first use. The hash table keeps its own copy of the key
     * (including the bind password, which lives in process memory anyway
     * as dict_ldap->bind_pw), so the scratch buffer can be freed here.
     */
    if (conn_hash == 0)
	conn_hash = binhash_create(0);

    if ((dict_ldap->ht = binhash_locate(conn_hash, key, len)) == 0) {
	conn = (LDAP_CONN *) mymalloc(sizeof(LDAP_CONN));
	conn->conn_ld = 0;
	conn->conn_refcount = 0;
	dict_ldap->ht = binhash_enter(conn_hash, key, len, (void *) conn);
    }
    ++DICT_LDAP_CONN(dict_ldap)->conn_refcount;

    vstring_free(keybuf);
}

/* attr_sub_type - Is one of two attributes a sub-type of another */

/*
 * attrdesc_subtype - compare two attribute descriptions, ignoring case.
 *
 * Returns 1 when a2 equals a1 or is a1 with options appended ("a1;opt"),
 * -1 when a1 is a2 with options appended, and 0 when the names differ.
 * Used to match attributes returned by the server, and attributes named in
 * LDAP URLs, against the configured result attributes.
 */
static int attrdesc_subtype(const char *a1, const char *a2)
{

    /*
     * RFC 2251 section 4.1.4: LDAP attribute names are case insensitive
     */
    while (*a1 && TOLOWER(*a1) == TOLOWER(*a2))
	++a1, ++a2;

    /*
     * Names equal to end of a1, is a2 equal or a subtype?
     */
    if (*a1 == 0 && (*a2 == 0 || *a2 == ';'))
	return (1);

    /*
     * Names equal to end of a2, is a1 a subtype?
*/
    if (*a2 == 0 && *a1 == ';')
	return (-1);

    /*
     * Distinct attributes
     */
    return (0);
}

/* url_attrs - attributes we want from LDAP URL */

/*
 * Decide which attributes to request when following an LDAP URL found in a
 * special result attribute. Returns the configured result attribute list
 * when the URL names none, the intersection of the URL's attributes with
 * the configured ones otherwise, or 0 when that intersection is empty (the
 * caller then skips the URL). Attributes that the URL names but that are
 * not configured result attributes are never requested, so directory data
 * cannot widen what a lookup retrieves beyond what the table configures.
 *
 * The non-NULL return is either the configured ARGV's array or a static
 * scratch ARGV that is reused on the next call: the caller must consume it
 * before calling url_attrs() again (dict_ldap_get_values() issues the
 * search before it recurses).
 */
static char **url_attrs(DICT_LDAP *dict_ldap, LDAPURLDesc * url)
{
    static ARGV *attrs;
    char  **a1;
    char  **a2;
    int     arel;

    /*
     * If the LDAP URI specified no attributes, all entry attributes are
     * returned, leading to unnecessarily large LDAP results, particularly
     * since dynamic groups are most useful for large groups.
     *
     * Since we only make use of the various mumble_results attributes, we ask
     * only for these, thus making large queries much faster.
     *
     * In one test case, a query returning 75K users took 16 minutes when all
     * attributes are returned, and just under 3 minutes with only the
     * desired result attribute.
     */
    if (url->lud_attrs == 0 || *url->lud_attrs == 0)
	return (dict_ldap->result_attributes->argv);

    /*
     * When the LDAP URI explicitly specifies a set of attributes, we use the
     * intersection of the URI attributes and our result attributes. This way
     * LDAP URIs can hide certain attributes that should not be part of the
     * query. There is no point in retrieving attributes not listed in our
     * result set, we won't make any use of those.
     */
    if (attrs)
	argv_truncate(attrs, 0);
    else
	attrs = argv_alloc(2);

    /*
     * Retrieve only those attributes that are of interest to us.
     *
     * If the URL attribute and the attribute we want differ only in the
     * "options" part of the attribute descriptor, select the more specific
     * attribute descriptor (arel > 0: ours is at least as specific; arel < 0:
     * the URL's is).
     */
    for (a1 = url->lud_attrs; *a1; ++a1) {
	for (a2 = dict_ldap->result_attributes->argv; *a2; ++a2) {
	    arel = attrdesc_subtype(*a1, *a2);
	    if (arel > 0)
		argv_add(attrs, *a2, ARGV_END);
	    else if (arel < 0)
		argv_add(attrs, *a1, ARGV_END);
	}
    }
    return ((attrs->argc > 0) ? attrs->argv : 0);
}

/*
 * dict_ldap_get_values: for each entry returned by a search, get the values
 * of all its attributes. Recurses to resolve any DN or URL values found.
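*
 * This and the rest of the handling of multiple attributes, DNs and URLs
 * are thanks to LaMont Jones.
 *
 * dict_ldap_get_values() walks every entry in "res" and appends the
 * expanded values of the requested result attributes to "result". Values of
 * "special" attributes (DNs or LDAP URLs) are followed by a nested search
 * and a recursive call, bounded by recursion_limit; the number of expanded
 * values is bounded by expansion_limit (when non-zero) and the number of
 * entries by size_limit (when non-zero). Limit violations and search errors
 * are reported by setting dict_ldap->dict.error to DICT_ERR_RETRY; the
 * function itself returns nothing.
 *
 * "recursion" and "expansion" are static, so the expansion count is shared
 * across all nesting levels of one top-level call (reset when recursion hits
 * 1) and is not re-entrant across interleaved top-level calls.
 */
static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage *res,
				 VSTRING *result, const char *name)
{
    static int recursion = 0;
    static int expansion;
    long    entries = 0;
    long    i = 0;
    int     rc = 0;
    LDAPMessage *resloop = 0;
    LDAPMessage *entry = 0;
    BerElement *ber;
    char   *attr;
    char  **attrs;
    struct berval **vals;
    int     valcount;
    LDAPURLDesc *url;
    const char *myname = "dict_ldap_get_values";
    int     is_leaf = 1;		/* No recursion via this entry */
    int     is_terminal = 0;		/* No expansion via this entry */

    if (++recursion == 1)
	expansion = 0;

    if (msg_verbose)
	msg_info("%s[%d]: Search found %d match(es)", myname, recursion,
		 ldap_count_entries(dict_ldap->ld, res));

    for (entry = ldap_first_entry(dict_ldap->ld, res); entry != NULL;
	 entry = ldap_next_entry(dict_ldap->ld, entry)) {
	ber = NULL;

	/*
	 * LDAP should not, but may produce more than the requested maximum
	 * number of entries. The server-side size limit set in
	 * dict_ldap_lookup() is therefore re-checked here on the client side.
	 */
	if (dict_ldap->dict.error == 0 && dict_ldap->size_limit
	    && ++entries > dict_ldap->size_limit) {
	    msg_warn("%s[%d]: %s: Query size limit (%ld) exceeded",
		     myname, recursion, dict_ldap->parser->name,
		     dict_ldap->size_limit);
	    dict_ldap->dict.error = DICT_ERR_RETRY;
	}

	/*
	 * Check for terminal attributes, these preclude expansion of all
	 * other attributes, and DN/URI recursion. Any terminal attributes
	 * are listed first in the attribute array.
	 */
	if (dict_ldap->num_terminal > 0) {
	    for (i = 0; i < dict_ldap->num_terminal; ++i) {
		attr = dict_ldap->result_attributes->argv[i];
		if (!(vals = ldap_get_values_len(dict_ldap->ld, entry, attr)))
		    continue;
		is_terminal = (ldap_count_values_len(vals) > 0);
		ldap_value_free_len(vals);
		if (is_terminal)
		    break;
	    }
	}

	/*
	 * Check for special attributes, these preclude expansion of
	 * "leaf-only" attributes, and are at the end of the attribute array
	 * after the terminal, leaf and regular attributes.
	 */
	if (is_terminal == 0 && dict_ldap->num_leaf > 0) {
	    for (i = dict_ldap->num_attributes;
		 dict_ldap->result_attributes->argv[i]; ++i) {
		attr = dict_ldap->result_attributes->argv[i];
		if (!(vals = ldap_get_values_len(dict_ldap->ld, entry, attr)))
		    continue;
		is_leaf = (ldap_count_values_len(vals) == 0);
		ldap_value_free_len(vals);
		if (!is_leaf)
		    break;
	    }
	}

	/*
	 * Walk every attribute the server returned. Each iteration owns one
	 * "vals" array from ldap_get_values_len() and must release it at the
	 * bottom of the loop body (or before an early "continue").
	 */
	for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
	     attr != NULL;
	     ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
							    entry, ber)) {

	    vals = ldap_get_values_len(dict_ldap->ld, entry, attr);
	    if (vals == NULL) {
		if (msg_verbose)
		    msg_info("%s[%d]: Entry doesn't have any values for %s",
			     myname, recursion, attr);
		continue;
	    }
	    valcount = ldap_count_values_len(vals);

	    /*
	     * If we previously encountered an error, we still continue
	     * through the loop, to avoid memory leaks, but we don't waste
	     * time accumulating any further results.
	     *
	     * XXX: There may be a more efficient way to exit the loop with no
	     * leaks, but it will likely be more fragile and not worth the
	     * extra code.
	     */
	    if (dict_ldap->dict.error != 0 || valcount == 0) {
		ldap_value_free_len(vals);
		continue;
	    }

	    /*
	     * The "result_attributes" list enumerates all the requested
	     * attributes, first the ordinary result attributes and then the
	     * special result attributes that hold DN or LDAP URL values.
	     *
	     * The number of ordinary attributes is "num_attributes".
	     *
	     * We compute the attribute type (ordinary or special) from its
	     * index on the "result_attributes" list. attrdesc_subtype() is
	     * a project helper not visible here; presumably it matches the
	     * returned attribute description against the requested one.
	     */
	    for (i = 0; dict_ldap->result_attributes->argv[i]; i++)
		if (attrdesc_subtype(dict_ldap->result_attributes->argv[i],
				     attr) > 0)
		    break;

	    /*
	     * Append each returned address to the result list, possibly
	     * recursing (for dn or url attributes of non-terminal entries)
	     */
	    if (i < dict_ldap->num_attributes || is_terminal) {
		if ((is_terminal && i >= dict_ldap->num_terminal)
		    || (!is_leaf
			&& i < dict_ldap->num_terminal + dict_ldap->num_leaf)) {
		    if (msg_verbose)
			msg_info("%s[%d]: skipping %d value(s) of %s "
				 "attribute %s", myname, recursion, valcount,
				 is_terminal ? "non-terminal" : "leaf-only",
				 attr);
		} else {
		    /*
		     * Ordinary result attribute. A value is counted against
		     * expansion_limit only when db_common_expand() returns
		     * non-zero for it.
		     */
		    for (i = 0; i < valcount; i++) {
			if (db_common_expand(dict_ldap->ctx,
					     dict_ldap->result_format,
					     vals[i]->bv_val, name, result, 0)
			    && dict_ldap->expansion_limit > 0
			    && ++expansion > dict_ldap->expansion_limit) {
			    msg_warn("%s[%d]: %s: Expansion limit exceeded "
				     "for key: '%s'", myname, recursion,
				     dict_ldap->parser->name, name);
			    dict_ldap->dict.error = DICT_ERR_RETRY;
			    break;
			}
		    }

		    /*
		     * Fall through to the ldap_value_free_len(vals) below even
		     * when the limit was exceeded; an early "continue" here
		     * would skip that call and leak "vals".
		     */
		    if (msg_verbose && dict_ldap->dict.error == 0)
			msg_info("%s[%d]: search returned %d value(s) for"
				 " requested result attribute %s",
				 myname, recursion, valcount, attr);
		}
	    } else if (recursion < dict_ldap->recursion_limit
		       && dict_ldap->result_attributes->argv[i]) {

		/*
		 * Special result attribute. For URL values, the DN, scope and
		 * filter of the nested search are taken from the directory
		 * data itself; url_attrs() (not visible here) narrows the
		 * attribute list, and a NULL return skips the URL entirely.
		 */
		for (i = 0; i < valcount; i++) {
		    if (ldap_is_ldap_url(vals[i]->bv_val)) {
			rc = ldap_url_parse(vals[i]->bv_val, &url);
			if (rc == 0) {
			    if ((attrs = url_attrs(dict_ldap, url)) != 0) {
				if (msg_verbose)
				    msg_info("%s[%d]: looking up URL %s",
					     myname, recursion,
					     vals[i]->bv_val);
				rc = search_st(dict_ldap->ld, url->lud_dn,
					       url->lud_scope,
					       url->lud_filter,
					       attrs, dict_ldap->timeout,
					       &resloop);
			    }
			    ldap_free_urldesc(url);
			    if (attrs == 0) {
				if (msg_verbose)
				    msg_info("%s[%d]: skipping URL %s: no "
					     "pertinent attributes", myname,
					     recursion, vals[i]->bv_val);
				continue;
			    }
			} else {
			    msg_warn("%s[%d]: malformed URL %s: %s(%d)",
				     myname, recursion, vals[i]->bv_val,
				     ldap_err2string(rc), rc);
			    dict_ldap->dict.error = DICT_ERR_RETRY;
			    break;
			}
		    } else {
			/* Plain DN: base-scope search for the named entry. */
			if (msg_verbose)
			    msg_info("%s[%d]: looking up DN %s",
				     myname, recursion, vals[i]->bv_val);
			rc = search_st(dict_ldap->ld, vals[i]->bv_val,
				       LDAP_SCOPE_BASE, "objectclass=*",
				       dict_ldap->result_attributes->argv,
				       dict_ldap->timeout, &resloop);
		    }
		    switch (rc) {
		    case LDAP_SUCCESS:
			dict_ldap_get_values(dict_ldap, resloop, result, name);
			break;
		    case LDAP_NO_SUCH_OBJECT:

			/*
			 * Go ahead and treat this as though the DN existed
			 * and just didn't have any result attributes.
			 */
			msg_warn("%s[%d]: DN %s not found, skipping ", myname,
				 recursion, vals[i]->bv_val);
			break;
		    default:
			msg_warn("%s[%d]: search error %d: %s ", myname,
				 recursion, rc, ldap_err2string(rc));
			dict_ldap->dict.error = DICT_ERR_RETRY;
			break;
		    }
		    /* NOTE(review): resloop is not reset to 0 after being
		     * freed; this relies on search_st() (re)assigning it on
		     * every call, which is not visible here -- confirm. */
		    if (resloop != 0)
			ldap_msgfree(resloop);
		    if (dict_ldap->dict.error != 0)
			break;
		}
		if (msg_verbose && dict_ldap->dict.error == 0)
		    msg_info("%s[%d]: search returned %d value(s) for"
			     " special result attribute %s", myname,
			     recursion, valcount, attr);
	    } else if (recursion >= dict_ldap->recursion_limit
		       && dict_ldap->result_attributes->argv[i]) {
		msg_warn("%s[%d]: %s: Recursion limit exceeded"
			 " for special attribute %s=%s", myname, recursion,
			 dict_ldap->parser->name, attr, vals[0]->bv_val);
		dict_ldap->dict.error = DICT_ERR_RETRY;
	    }
	    ldap_value_free_len(vals);
	}
	if (ber)
	    ber_free(ber, 0);
    }
    if (msg_verbose)
	msg_info("%s[%d]: Leaving %s", myname, recursion, myname);
    --recursion;
}

/* dict_ldap_lookup - find database entry */

/*
 * Returns the expanded result string for "name", or 0 when there is no
 * match, the key was skipped (non-UTF-8 key, domain mismatch, empty template
 * expansion), or an error occurred. Errors are signalled through
 * dict_ldap->dict.error (DICT_ERR_RETRY), which is cleared on entry.
 *
 * "base", "query" and "result" are static buffers reused by every LDAP
 * dictionary in the process, so the returned pointer is only valid until the
 * next lookup.
 */
static const char *dict_ldap_lookup(DICT *dict, const char *name)
{
    const char *myname = "dict_ldap_lookup";
    DICT_LDAP *dict_ldap = (DICT_LDAP *) dict;
    LDAPMessage *res = 0;
    static VSTRING *base;
    static VSTRING *query;
    static VSTRING *result;
    int     rc = 0;
    int     sizelimit;
    int     domain_rc;

    dict_ldap->dict.error = 0;

    if (msg_verbose)
	msg_info("%s: In dict_ldap_lookup", myname);

    /*
     * Don't frustrate future attempts to make Postfix UTF-8 transparent.
     */
    if ((dict->flags & DICT_FLAG_UTF8_ACTIVE) == 0
	&& !valid_utf8_string(name, strlen(name))) {
	if (msg_verbose)
	    msg_info("%s: %s: Skipping lookup of non-UTF-8 key '%s'",
		     myname, dict_ldap->parser->name, name);
	return (0);
    }

    /*
     * Optionally fold the key.
     */
    if (dict->flags & DICT_FLAG_FOLD_FIX) {
	if (dict->fold_buf == 0)
	    dict->fold_buf = vstring_alloc(10);
	vstring_strcpy(dict->fold_buf, name);
	name = lowercase(vstring_str(dict->fold_buf));
    }

    /*
     * If they specified a domain list for this map, then only search for
     * addresses in domains on the list. This can significantly reduce the
     * load on the LDAP server.
     */
    if ((domain_rc = db_common_check_domain(dict_ldap->ctx, name)) == 0) {
	if (msg_verbose)
	    msg_info("%s: %s: Skipping lookup of key '%s': domain mismatch",
		     myname, dict_ldap->parser->name, name);
	return (0);
    }
    if (domain_rc < 0)
	DICT_ERR_VAL_RETURN(dict, domain_rc, (char *) 0);

#define INIT_VSTR(buf, len) do { \
	if (buf == 0) \
	    buf = vstring_alloc(len); \
	VSTRING_RESET(buf); \
	VSTRING_TERMINATE(buf); \
    } while (0)

    INIT_VSTR(base, 10);
    INIT_VSTR(query, 10);
    INIT_VSTR(result, 10);

    /*
     * Because the connection may be shared and invalidated via queries for
     * another map, update private copy of "ld" from shared connection
     * container.
     */
    dict_ldap->ld = DICT_LDAP_CONN(dict_ldap)->conn_ld;

    /*
     * Connect to the LDAP server, if necessary.
     */
    if (dict_ldap->ld == NULL) {
	if (msg_verbose)
	    msg_info
		("%s: No existing connection for LDAP source %s, reopening",
		 myname, dict_ldap->parser->name);

	dict_ldap_connect(dict_ldap);

	/*
	 * if dict_ldap_connect() set dict_ldap->dict.error, abort.
	 */
	if (dict_ldap->dict.error)
	    return (0);
    } else if (msg_verbose)
	msg_info("%s: Using existing connection for LDAP source %s",
		 myname, dict_ldap->parser->name);

    /*
     * Connection caching, means that the connection handle may have the
     * wrong size limit. Re-adjust before each query. This is cheap, just
     * sets a field in the ldap connection handle. We also do this in the
     * connect code, because we sometimes reconnect (below) in the middle of
     * a query.
     */
    sizelimit = dict_ldap->size_limit ? dict_ldap->size_limit : LDAP_NO_LIMIT;
    if (ldap_set_option(dict_ldap->ld, LDAP_OPT_SIZELIMIT, &sizelimit)
	!= LDAP_OPT_SUCCESS) {
	msg_warn("%s: %s: Unable to set query result size limit to %ld.",
		 myname, dict_ldap->parser->name, dict_ldap->size_limit);
	dict_ldap->dict.error = DICT_ERR_RETRY;
	return (0);
    }

    /*
     * Expand the search base and query. Skip lookup when the input key lacks
     * sufficient domain components to satisfy all the requested
     * %-substitutions.
     *
     * The quoting callbacks are what keep a lookup key from changing the
     * structure of the DN or the filter: rfc2253_quote for the search base
     * (DN syntax) and rfc2254_quote for the filter (filter syntax). Their
     * bodies are not visible here; do not drop or swap them.
     *
     * When the search base is not static, LDAP_NO_SUCH_OBJECT is expected and
     * is therefore treated as a non-error: the lookup returns no results
     * rather than a soft error.
     */
    if (!db_common_expand(dict_ldap->ctx, dict_ldap->search_base,
			  name, 0, base, rfc2253_quote)) {
	if (msg_verbose > 1)
	    msg_info("%s: %s: Empty expansion for %s", myname,
		     dict_ldap->parser->name, dict_ldap->search_base);
	return (0);
    }
    if (!db_common_expand(dict_ldap->ctx, dict_ldap->query,
			  name, 0, query, rfc2254_quote)) {
	if (msg_verbose > 1)
	    msg_info("%s: %s: Empty expansion for %s", myname,
		     dict_ldap->parser->name, dict_ldap->query);
	return (0);
    }

    /*
     * On to the search.
     */
    if (msg_verbose)
	msg_info("%s: %s: Searching with filter %s", myname,
		 dict_ldap->parser->name, vstring_str(query));

    rc = search_st(dict_ldap->ld, vstring_str(base), dict_ldap->scope,
		   vstring_str(query), dict_ldap->result_attributes->argv,
		   dict_ldap->timeout, &res);

    if (rc == LDAP_SERVER_DOWN) {
	if (msg_verbose)
	    msg_info("%s: Lost connection for LDAP source %s, reopening",
		     myname, dict_ldap->parser->name);

	dict_ldap_unbind(dict_ldap->ld);
	dict_ldap->ld = DICT_LDAP_CONN(dict_ldap)->conn_ld = 0;
	dict_ldap_connect(dict_ldap);

	/*
	 * if dict_ldap_connect() set dict_ldap->dict.error, abort.
	 */
	if (dict_ldap->dict.error)
	    return (0);

	/*
	 * One retry only. NOTE(review): "res" from the failed first search is
	 * not released before it is reassigned; this assumes search_st()
	 * leaves it 0 on LDAP_SERVER_DOWN -- confirm.
	 */
	rc = search_st(dict_ldap->ld, vstring_str(base), dict_ldap->scope,
		       vstring_str(query), dict_ldap->result_attributes->argv,
		       dict_ldap->timeout, &res);

    }
    switch (rc) {

    case LDAP_SUCCESS:

	/*
	 * Search worked; extract the requested result_attribute.
	 */
	dict_ldap_get_values(dict_ldap, res, result, name);

	/*
	 * OpenLDAP's ldap_next_attribute returns a bogus
	 * LDAP_DECODING_ERROR; I'm ignoring that for now.
	 */
	rc = dict_ldap_get_errno(dict_ldap->ld);
	if (rc != LDAP_SUCCESS && rc != LDAP_DECODING_ERROR)
	    msg_warn
		("%s: Had some trouble with entries returned by search: %s",
		 myname, ldap_err2string(rc));

	if (msg_verbose)
	    msg_info("%s: Search returned %s", myname,
		     VSTRING_LEN(result) >
		     0 ? vstring_str(result) : "nothing");
	break;

    case LDAP_NO_SUCH_OBJECT:

	/*
	 * If the search base is input key dependent, then not finding it, is
	 * equivalent to not finding the input key. Sadly, we cannot detect
	 * misconfiguration in this case.
	 */
	if (dict_ldap->dynamic_base)
	    break;

	msg_warn("%s: %s: Search base '%s' not found: %d: %s",
		 myname, dict_ldap->parser->name,
		 vstring_str(base), rc, ldap_err2string(rc));
	dict_ldap->dict.error = DICT_ERR_RETRY;
	break;

    default:

	/*
	 * Rats. The search didn't work.
	 */
	msg_warn("%s: Search error %d: %s ", myname, rc,
		 ldap_err2string(rc));

	/*
	 * Tear down the connection so it gets set up from scratch on the
	 * next lookup.
	 */
	dict_ldap_unbind(dict_ldap->ld);
	dict_ldap->ld = DICT_LDAP_CONN(dict_ldap)->conn_ld = 0;

	/*
	 * And tell the caller to try again later.
	 */
	dict_ldap->dict.error = DICT_ERR_RETRY;
	break;
    }

    /*
     * Cleanup.
     */
    if (res != 0)
	ldap_msgfree(res);

    /*
     * If we had an error, return nothing, Otherwise, return the result, if
     * any.
     */
    return (VSTRING_LEN(result) > 0 && !dict_ldap->dict.error ?
	    vstring_str(result) : 0);
}

/* dict_ldap_close - disassociate from data base */

/*
 * Drops this dictionary's reference on the shared connection container,
 * unbinding and removing the container from conn_hash when the last reference
 * goes away, then releases every string and helper object owned by the
 * DICT_LDAP and finally the DICT itself.
 */
static void dict_ldap_close(DICT *dict)
{
    const char *myname = "dict_ldap_close";
    DICT_LDAP *dict_ldap = (DICT_LDAP *) dict;
    LDAP_CONN *conn = DICT_LDAP_CONN(dict_ldap);
    BINHASH_INFO *ht = dict_ldap->ht;

    if (--conn->conn_refcount == 0) {
	if (conn->conn_ld) {
	    if (msg_verbose)
		msg_info("%s: Closed connection handle for LDAP source %s",
			 myname, dict_ldap->parser->name);
	    dict_ldap_unbind(conn->conn_ld);
	}
	binhash_delete(conn_hash, ht->key, ht->key_len, myfree);
    }
    cfg_parser_free(dict_ldap->parser);
    myfree(dict_ldap->server_host);
    myfree(dict_ldap->search_base);
    myfree(dict_ldap->query);
    if (dict_ldap->result_format)
	myfree(dict_ldap->result_format);
    argv_free(dict_ldap->result_attributes);
    myfree(dict_ldap->bind_dn);

    /*
     * NOTE(review): bind_pw holds the bind credential in clear text and is
     * released without being overwritten first; whether that matters depends
     * on this process's threat model (core dumps, heap reuse).
     */
    myfree(dict_ldap->bind_pw);
    if (dict_ldap->ctx)
	db_common_free_ctx(dict_ldap->ctx);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
#if defined(USE_LDAP_SASL)
    if (DICT_LDAP_DO_SASL(dict_ldap)) {
	myfree(dict_ldap->sasl_mechs);
	myfree(dict_ldap->sasl_realm);
	myfree(dict_ldap->sasl_authz);
    }
#endif
    myfree(dict_ldap->tls_ca_cert_file);
    myfree(dict_ldap->tls_ca_cert_dir);
    myfree(dict_ldap->tls_cert);
    myfree(dict_ldap->tls_key);
    myfree(dict_ldap->tls_random_file);
    myfree(dict_ldap->tls_cipher_suite);
#endif
    if (dict->fold_buf)
	vstring_free(dict->fold_buf);
    dict_free(dict);
}

/* dict_ldap_open - create association with data base */

/*
 * Reads the map's configuration through cfg_parser_alloc(ldapsource),
 * normalizes server_host into a space-separated URL list, parses the
 * search_base / query_filter / result_format templates, builds the ordered
 * result_attributes list (terminal, leaf, regular, special), and reads the
 * bind, limit, SASL and TLS settings. The LDAP connection itself is not
 * opened here; dict_ldap_conn_find() only locates or creates the shared
 * connection container. Returns the new DICT, or a dict_surrogate when
 * open_flags is not O_RDONLY or the configuration cannot be opened.
 */
DICT   *dict_ldap_open(const char *ldapsource, int open_flags, int dict_flags)
{
    const char *myname = "dict_ldap_open";
    DICT_LDAP *dict_ldap;
    VSTRING *url_list;
    char   *s;
    char   *h;
    char   *server_host;
    char   *scope;
    char   *attr;
    char   *bindopt;
    int     tmp;
    int     vendor_version = dict_ldap_vendor_version();
    CFG_PARSER *parser;

    if (msg_verbose)
	msg_info("%s: Using LDAP source %s", myname, ldapsource);

    /*
     * Sanity check.
     */
    if (open_flags != O_RDONLY)
	return (dict_surrogate(DICT_TYPE_LDAP, ldapsource, open_flags, dict_flags,
			       "%s:%s map requires O_RDONLY access mode",
			       DICT_TYPE_LDAP, ldapsource));

    /*
     * Open the configuration file.
     */
    if ((parser = cfg_parser_alloc(ldapsource)) == 0)
	return (dict_surrogate(DICT_TYPE_LDAP, ldapsource, open_flags, dict_flags,
			       "open %s: %m", ldapsource));

    dict_ldap = (DICT_LDAP *) dict_alloc(DICT_TYPE_LDAP, ldapsource,
					 sizeof(*dict_ldap));
    dict_ldap->dict.lookup = dict_ldap_lookup;
    dict_ldap->dict.close = dict_ldap_close;
    dict_ldap->dict.flags = dict_flags;

    dict_ldap->ld = NULL;
    dict_ldap->parser = parser;

    server_host = cfg_get_str(dict_ldap->parser, "server_host",
			      "localhost", 1, 0);

    /*
     * get configured value of "server_port"; default to LDAP_PORT (389)
     */
    dict_ldap->server_port =
	cfg_get_int(dict_ldap->parser, "server_port", LDAP_PORT, 0, 0);

    /*
     * Define LDAP Protocol Version.
     */
    dict_ldap->version = cfg_get_int(dict_ldap->parser, "version", 2, 2, 0);
    switch (dict_ldap->version) {
    case 2:
	dict_ldap->version = LDAP_VERSION2;
	break;
    case 3:
	dict_ldap->version = LDAP_VERSION3;
	break;
    default:
	msg_warn("%s: %s Unknown version %d, using 2.", myname, ldapsource,
		 dict_ldap->version);
	dict_ldap->version = LDAP_VERSION2;
    }

#if defined(LDAP_API_FEATURE_X_OPENLDAP)
    dict_ldap->ldap_ssl = 0;
#endif

    url_list = vstring_alloc(32);
    s = server_host;
    while ((h = mystrtok(&s, CHARS_COMMA_SP)) != NULL) {
#if defined(LDAP_API_FEATURE_X_OPENLDAP)

	/*
	 * Convert (host, port) pairs to LDAP URLs. A non-"ldap" scheme forces
	 * protocol version 3; "ldaps" additionally flags TLS-on-connect.
	 */
	if (ldap_is_ldap_url(h)) {
	    LDAPURLDesc *url_desc;
	    int     rc;

	    if ((rc = ldap_url_parse(h, &url_desc)) != 0) {
		msg_error("%s: error parsing URL %s: %d: %s; skipping", myname,
			  h, rc, ldap_err2string(rc));
		continue;
	    }
	    if (strcasecmp(url_desc->lud_scheme, "ldap") != 0 &&
		dict_ldap->version != LDAP_VERSION3) {
		msg_warn("%s: URL scheme %s requires protocol version 3",
			 myname, url_desc->lud_scheme);
		dict_ldap->version = LDAP_VERSION3;
	    }
	    if (strcasecmp(url_desc->lud_scheme, "ldaps") == 0)
		dict_ldap->ldap_ssl = 1;
	    ldap_free_urldesc(url_desc);
	    if (VSTRING_LEN(url_list) > 0)
		VSTRING_ADDCH(url_list, ' ');
	    vstring_strcat(url_list, h);
	} else {
	    if (VSTRING_LEN(url_list) > 0)
		VSTRING_ADDCH(url_list, ' ');
	    if (strrchr(h, ':'))
		vstring_sprintf_append(url_list, "ldap://%s", h);
	    else
		vstring_sprintf_append(url_list, "ldap://%s:%d", h,
				       dict_ldap->server_port);
	}
#else
	if (VSTRING_LEN(url_list) > 0)
	    VSTRING_ADDCH(url_list, ' ');
	vstring_strcat(url_list, h);
#endif
    }
    VSTRING_TERMINATE(url_list);
    dict_ldap->server_host = vstring_export(url_list);

#if defined(LDAP_API_FEATURE_X_OPENLDAP)

    /*
     * With URL scheme, clear port to normalize connection cache key
     */
    dict_ldap->server_port = LDAP_PORT;
    if (msg_verbose)
	msg_info("%s: %s server_host URL is %s", myname, ldapsource,
		 dict_ldap->server_host);
#endif
    myfree(server_host);

    /*
     * Scope handling thanks to Carsten Hoeger of SuSE.
     */
    scope = cfg_get_str(dict_ldap->parser, "scope", "sub", 1, 0);

    if (strcasecmp(scope, "one") == 0) {
	dict_ldap->scope = LDAP_SCOPE_ONELEVEL;
    } else if (strcasecmp(scope, "base") == 0) {
	dict_ldap->scope = LDAP_SCOPE_BASE;
    } else if (strcasecmp(scope, "sub") == 0) {
	dict_ldap->scope = LDAP_SCOPE_SUBTREE;
    } else {
	msg_warn("%s: %s: Unrecognized value %s specified for scope; using sub",
		 myname, ldapsource, scope);
	dict_ldap->scope = LDAP_SCOPE_SUBTREE;
    }

    myfree(scope);

    dict_ldap->search_base = cfg_get_str(dict_ldap->parser, "search_base",
					 "", 0, 0);

    /*
     * get configured value of "timeout"; default to 10 seconds
     *
     * Thanks to Manuel Guesdon for spotting that this wasn't really getting
     * set.
     */
    dict_ldap->timeout = cfg_get_int(dict_ldap->parser, "timeout", 10, 0, 0);

    dict_ldap->query =
	cfg_get_str(dict_ldap->parser, "query_filter",
		    "(mailacceptinggeneralid=%s)", 0, 0);

    /* "result_format" wins; "result_filter" is the legacy spelling. */
    if ((dict_ldap->result_format =
	 cfg_get_str(dict_ldap->parser, "result_format", 0, 0, 0)) == 0)
	dict_ldap->result_format =
	    cfg_get_str(dict_ldap->parser, "result_filter", "%s", 1, 0);

    /*
     * Must parse all templates before we can use db_common_expand() If data
     * dependent substitutions are found in the search base, treat
     * NO_SUCH_OBJECT search errors as a non-matching key, rather than a
     * fatal run-time error.
     */
    dict_ldap->ctx = 0;
    dict_ldap->dynamic_base =
	db_common_parse(&dict_ldap->dict, &dict_ldap->ctx,
			dict_ldap->search_base, 1);
    if (!db_common_parse(0, &dict_ldap->ctx, dict_ldap->query, 1)) {
	msg_warn("%s: %s: Fixed query_filter %s is probably useless",
		 myname, ldapsource, dict_ldap->query);
    }
    (void) db_common_parse(0, &dict_ldap->ctx, dict_ldap->result_format, 0);
    db_common_parse_domain(dict_ldap->parser, dict_ldap->ctx);

    /*
     * Maps that use substring keys should only be used with the full input
     * key.
     */
    if (db_common_dict_partial(dict_ldap->ctx))
	dict_ldap->dict.flags |= DICT_FLAG_PATTERN;
    else
	dict_ldap->dict.flags |= DICT_FLAG_FIXED;
    if (dict_flags & DICT_FLAG_FOLD_FIX)
	dict_ldap->dict.fold_buf = vstring_alloc(10);

    /*
     * Build result_attributes in the order dict_ldap_get_values() relies on:
     * indexes [0, num_terminal) are terminal, [num_terminal, num_terminal +
     * num_leaf) are leaf-only, [.., num_attributes) are regular, and the
     * rest are special (DN / URL) attributes.
     */
    /* Order matters, first the terminal attributes: */
    attr = cfg_get_str(dict_ldap->parser, "terminal_result_attribute", "", 0, 0);
    dict_ldap->result_attributes = argv_split(attr, CHARS_COMMA_SP);
    dict_ldap->num_terminal = dict_ldap->result_attributes->argc;
    myfree(attr);

    /* Order matters, next the leaf-only attributes: */
    attr = cfg_get_str(dict_ldap->parser, "leaf_result_attribute", "", 0, 0);
    if (*attr)
	argv_split_append(dict_ldap->result_attributes, attr, CHARS_COMMA_SP);
    dict_ldap->num_leaf =
	dict_ldap->result_attributes->argc - dict_ldap->num_terminal;
    myfree(attr);

    /* Order matters, next the regular attributes: */
    attr = cfg_get_str(dict_ldap->parser, "result_attribute", "maildrop", 0, 0);
    if (*attr)
	argv_split_append(dict_ldap->result_attributes, attr, CHARS_COMMA_SP);
    dict_ldap->num_attributes = dict_ldap->result_attributes->argc;
    myfree(attr);

    /* Order matters, finally the special attributes: */
    attr = cfg_get_str(dict_ldap->parser, "special_result_attribute", "", 0, 0);
    if (*attr)
	argv_split_append(dict_ldap->result_attributes, attr, CHARS_COMMA_SP);
    myfree(attr);

    /*
     * get configured value of "bind"; default to simple bind
     */
    bindopt = cfg_get_str(dict_ldap->parser, "bind", CONFIG_BOOL_YES, 1, 0);
    dict_ldap->bind = name_code(bindopt_table, NAME_CODE_FLAG_NONE, bindopt);
    if (dict_ldap->bind < 0)
	msg_fatal("%s: unsupported parameter value: %s = %s",
		  dict_ldap->parser->name, "bind", bindopt);
    myfree(bindopt);

    /*
     * get configured value of "bind_dn"; default to ""
     */
    dict_ldap->bind_dn = cfg_get_str(dict_ldap->parser, "bind_dn", "", 0, 0);

    /*
     * get configured value of "bind_pw"; default to ""
     */
    dict_ldap->bind_pw = cfg_get_str(dict_ldap->parser, "bind_pw", "", 0, 0);

    /*
     * LDAP message caching never worked and is no longer supported.
     */
    tmp = cfg_get_bool(dict_ldap->parser, "cache", 0);
    if (tmp)
	msg_warn("%s: %s ignoring cache", myname, ldapsource);

    tmp = cfg_get_int(dict_ldap->parser, "cache_expiry", -1, 0, 0);
    if (tmp >= 0)
	msg_warn("%s: %s ignoring cache_expiry", myname, ldapsource);

    tmp = cfg_get_int(dict_ldap->parser, "cache_size", -1, 0, 0);
    if (tmp >= 0)
	msg_warn("%s: %s ignoring cache_size", myname, ldapsource);

    /* Bounds DN / URL chasing in dict_ldap_get_values(); minimum 1. */
    dict_ldap->recursion_limit = cfg_get_int(dict_ldap->parser,
					     "recursion_limit", 1000, 1, 0);

    /*
     * XXX: The default should be non-zero for safety, but that is not
     * backwards compatible.
     */
    dict_ldap->expansion_limit = cfg_get_int(dict_ldap->parser,
					     "expansion_limit", 0, 0, 0);

    /* size_limit defaults to expansion_limit; 0 means no limit. */
    dict_ldap->size_limit = cfg_get_int(dict_ldap->parser, "size_limit",
					dict_ldap->expansion_limit, 0, 0);

    /*
     * Alias dereferencing suggested by Mike Mattice.
     */
    dict_ldap->dereference = cfg_get_int(dict_ldap->parser, "dereference", 0, 0,
					 0);
    if (dict_ldap->dereference < 0 || dict_ldap->dereference > 3) {
	msg_warn("%s: %s Unrecognized value %d specified for dereference; using 0",
		 myname, ldapsource, dict_ldap->dereference);
	dict_ldap->dereference = 0;
    }
    /* Referral chasing */
    dict_ldap->chase_referrals = cfg_get_bool(dict_ldap->parser,
					      "chase_referrals", 0);

#ifdef LDAP_API_FEATURE_X_OPENLDAP
#if defined(USE_LDAP_SASL)

    /*
     * SASL options
     */
    if (DICT_LDAP_DO_SASL(dict_ldap)) {
	dict_ldap->sasl_mechs =
	    cfg_get_str(dict_ldap->parser, "sasl_mechs", "", 0, 0);
	dict_ldap->sasl_realm =
	    cfg_get_str(dict_ldap->parser, "sasl_realm", "", 0, 0);
	dict_ldap->sasl_authz =
	    cfg_get_str(dict_ldap->parser, "sasl_authz_id", "", 0, 0);
	dict_ldap->sasl_minssf =
	    cfg_get_int(dict_ldap->parser, "sasl_minssf", 0, 0, 4096);
    } else {
	dict_ldap->sasl_mechs = 0;
	dict_ldap->sasl_realm = 0;
	dict_ldap->sasl_authz = 0;
    }
#endif

    /*
     * TLS options
     */
    /* get configured value of "start_tls"; default to no */
    dict_ldap->start_tls = cfg_get_bool(dict_ldap->parser, "start_tls", 0);
    if (dict_ldap->start_tls) {
	if (dict_ldap->version < LDAP_VERSION3) {
	    msg_warn("%s: %s start_tls requires protocol version 3",
		     myname, ldapsource);
	    dict_ldap->version = LDAP_VERSION3;
	}
	/* Binary incompatibility in the OpenLDAP API from 2.0.11 to 2.0.12 */
	if (((LDAP_VENDOR_VERSION <= 20011) && !(vendor_version <= 20011))
	    || (!(LDAP_VENDOR_VERSION <= 20011) && (vendor_version <= 20011)))
	    msg_fatal("%s: incompatible TLS support: "
		      "compile-time OpenLDAP version %d, "
		      "run-time OpenLDAP version %d",
		      myname, LDAP_VENDOR_VERSION, vendor_version);
    }

    /*
     * get configured value of "tls_require_cert"; default to no. With the
     * default, the peer certificate is not verified (LDAP_OPT_X_TLS_NEVER);
     * ldaps/start_tls then protect confidentiality but not server identity
     * unless the operator sets tls_require_cert.
     */
    dict_ldap->tls_require_cert =
	cfg_get_bool(dict_ldap->parser, "tls_require_cert", 0) ?
	LDAP_OPT_X_TLS_DEMAND : LDAP_OPT_X_TLS_NEVER;

    /* get configured value of "tls_ca_cert_file"; default "" */
    dict_ldap->tls_ca_cert_file =
	cfg_get_str(dict_ldap->parser, "tls_ca_cert_file", "", 0, 0);

    /* get configured value of "tls_ca_cert_dir"; default "" */
    dict_ldap->tls_ca_cert_dir =
	cfg_get_str(dict_ldap->parser, "tls_ca_cert_dir", "", 0, 0);

    /* get configured value of "tls_cert"; default "" */
    dict_ldap->tls_cert =
	cfg_get_str(dict_ldap->parser, "tls_cert", "", 0, 0);

    /* get configured value of "tls_key"; default "" */
    dict_ldap->tls_key =
	cfg_get_str(dict_ldap->parser, "tls_key", "", 0, 0);

    /* get configured value of "tls_random_file"; default "" */
    dict_ldap->tls_random_file =
	cfg_get_str(dict_ldap->parser, "tls_random_file", "", 0, 0);

    /* get configured value of "tls_cipher_suite"; default "" */
    dict_ldap->tls_cipher_suite =
	cfg_get_str(dict_ldap->parser, "tls_cipher_suite", "", 0, 0);
#endif

    /*
     * Debug level.
     */
#if defined(LDAP_OPT_DEBUG_LEVEL) && defined(LBER_OPT_LOG_PRINT_FN)
    dict_ldap->debuglevel = cfg_get_int(dict_ldap->parser, "debuglevel",
					0, 0, 0);
#endif

    /*
     * Find or allocate shared LDAP connection container.
     */
    dict_ldap_conn_find(dict_ldap);

    /*
     * Return the new dict_ldap structure.
     */
    dict_ldap->dict.owner = cfg_get_owner(dict_ldap->parser);
    return (DICT_DEBUG (&dict_ldap->dict));
}

#endif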