Diffstat (limited to '')
-rw-r--r-- | contrib/slapd-modules/lastbind/Makefile | 73 | ||||
-rw-r--r-- | contrib/slapd-modules/lastbind/lastbind.c | 311 | ||||
-rw-r--r-- | contrib/slapd-modules/lastbind/slapo-lastbind.5 | 118 |
3 files changed, 502 insertions, 0 deletions
diff --git a/contrib/slapd-modules/lastbind/Makefile b/contrib/slapd-modules/lastbind/Makefile
new file mode 100644
index 0000000..02e5931
--- /dev/null
+++ b/contrib/slapd-modules/lastbind/Makefile
@@ -0,0 +1,73 @@
+# $OpenLDAP$
+# Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted only as authorized by the OpenLDAP
+# Public License.
+#
+# A copy of this license is available in the file LICENSE in the
+# top-level directory of the distribution or, alternatively, at
+# <http://www.OpenLDAP.org/license.html>.
+
+LDAP_SRC = ../../..
+LDAP_BUILD = $(LDAP_SRC)
+LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \
+ $(LDAP_BUILD)/libraries/liblber/liblber.la
+
+PLAT = UNIX
+NT_LIB = -L$(LDAP_BUILD)/servers/slapd -lslapd
+NT_LDFLAGS = -no-undefined -avoid-version
+UNIX_LDFLAGS = -version-info $(LTVER)
+
+LIBTOOL = $(LDAP_BUILD)/libtool
+INSTALL = /usr/bin/install
+CC = gcc
+OPT = -g -O2
+DEFS = -DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC
+INCS = $(LDAP_INC)
+LIBS = $($(PLAT)_LIB) $(LDAP_LIB)
+LD_FLAGS = $(LDFLAGS) $($(PLAT)_LDFLAGS) -rpath $(moduledir) -module
+
+PROGRAMS = lastbind.la
+MANPAGES = slapo-lastbind.5
+LTVER = 0:0:0
+
+prefix=/usr/local
+exec_prefix=$(prefix)
+ldap_subdir=/openldap
+
+libdir=$(exec_prefix)/lib
+libexecdir=$(exec_prefix)/libexec
+moduledir = $(libexecdir)$(ldap_subdir)
+mandir = $(exec_prefix)/share/man
+man5dir = $(mandir)/man5
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(OPT) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+all: $(PROGRAMS)
+
+lastbind.la: lastbind.lo
+ $(LIBTOOL) --mode=link $(CC) $(LD_FLAGS) -o $@ $? $(LIBS)
+
+clean:
+ rm -rf *.o *.lo *.la .libs
+
+install: install-lib install-man FORCE
+
+install-lib: $(PROGRAMS)
+ mkdir -p $(DESTDIR)$(moduledir)
+ for p in $(PROGRAMS) ; do \
+ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
+ done
+
+install-man: $(MANPAGES)
+ mkdir -p $(DESTDIR)$(man5dir)
+ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
+
+FORCE:
+
diff --git a/contrib/slapd-modules/lastbind/lastbind.c b/contrib/slapd-modules/lastbind/lastbind.c
new file mode 100644
index 0000000..4361a46
--- /dev/null
+++ b/contrib/slapd-modules/lastbind/lastbind.c
@@ -0,0 +1,311 @@
+/* lastbind.c - Record timestamp of the last successful bind to entries */
+/* $OpenLDAP$ */
+/*
+ * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work is loosely derived from the ppolicy overlay.
+ */
+
+#include "portable.h"
+
+/*
+ * This file implements an overlay that stores the timestamp of the
+ * last successful bind operation in a directory entry.
+ *
+ * Optimization: to avoid performing a write on each bind,
+ * a precision for this timestamp may be configured on the database,
+ * causing it to only be updated if it is older than a given number
+ * of seconds.
+ */
+
+#ifdef SLAPD_OVER_LASTBIND
+
+#include <ldap.h>
+#include "lutil.h"
+#include "slap.h"
+#include <ac/errno.h>
+#include <ac/time.h>
+#include <ac/string.h>
+#include <ac/ctype.h>
+#include "slap-config.h"
+
+/* Per-instance configuration information */
+typedef struct lastbind_info {
+ int forward_updates; /* use frontend for authTimestamp updates */
+} lastbind_info;
+
+/* Operational attributes */
+static AttributeDescription *ad_authTimestamp;
+
+/* This is the definition used by ISODE, as supplied to us in
+ * ITS#6238 Followup #9
+ */
+static struct schema_info {
+ char *def;
+ AttributeDescription **ad;
+} lastBind_OpSchema[] = {
+ { "( 1.3.6.1.4.1.453.16.2.188 "
+ "NAME 'authTimestamp' "
+ "DESC 'last successful authentication using any method/mech' "
+ "EQUALITY generalizedTimeMatch "
+ "ORDERING generalizedTimeOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
+ "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
+ &ad_authTimestamp},
+ { NULL, NULL }
+};
+
+/* configuration attribute and objectclass */
+static ConfigTable lastbindcfg[] = {
+ { "lastbind_forward_updates", "on|off", 1, 2, 0,
+ ARG_ON_OFF|ARG_OFFSET,
+ (void *)offsetof(lastbind_info,forward_updates),
+ "( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' "
+ "DESC 'Allow authTimestamp updates to be forwarded via updateref' "
+ "EQUALITY booleanMatch "
+ "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
+ { NULL, NULL, 0, 0, 0, ARG_IGNORED }
+};
+
+static ConfigOCs lastbindocs[] = {
+ { "( OLcfgCtOc:5.1 "
+ "NAME 'olcLastBindConfig' "
+ "DESC 'Last Bind configuration' "
+ "SUP olcOverlayConfig "
+ "MAY ( olcLastBindForwardUpdates) )",
+ Cft_Overlay, lastbindcfg, NULL, NULL },
+ { NULL, 0, NULL }
+};
+
+static time_t
+parse_time( char *atm )
+{
+ struct lutil_tm tm;
+ struct lutil_timet tt;
+ time_t ret = (time_t)-1;
+
+ if ( lutil_parsetime( atm, &tm ) == 0) {
+ lutil_tm2time( &tm, &tt );
+ ret = tt.tt_sec;
+ }
+ return ret;
+}
+
+static int
+lastbind_bind_response( Operation *op, SlapReply *rs )
+{
+ Modifications *mod = NULL;
+ BackendInfo *bi = op->o_bd->bd_info;
+ Entry *e;
+ int rc;
+
+ /* we're only interested if the bind was successful */
+ if ( rs->sr_err != LDAP_SUCCESS )
+ return SLAP_CB_CONTINUE;
+
+ rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
+ op->o_bd->bd_info = bi;
+
+ if ( rc != LDAP_SUCCESS ) {
+ return SLAP_CB_CONTINUE;
+ }
+
+ {
+ lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
+
+ time_t now, bindtime = (time_t)-1;
+ Attribute *a;
+ Modifications *m;
+ char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
+ struct berval timestamp;
+
+ /* get the current time */
+ now = slap_get_time();
+
+ /* get authTimestamp attribute, if it exists */
+ if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) {
+ bindtime = parse_time( a->a_nvals[0].bv_val );
+
+ if (bindtime != (time_t)-1) {
+ /* if the recorded bind time is within our precision, we're done
+ * it doesn't need to be updated (save a write for nothing) */
+ if ((now - bindtime) < op->o_bd->be_lastbind_precision) {
+ goto done;
+ }
+ }
+ }
+
+ /* update the authTimestamp in the user's entry with the current time */
+ timestamp.bv_val = nowstr;
+ timestamp.bv_len = sizeof(nowstr);
+ slap_timestamp( &now, ×tamp );
+
+ m = ch_calloc( sizeof(Modifications), 1 );
+ m->sml_op = LDAP_MOD_REPLACE;
+ m->sml_flags = 0;
+ m->sml_type = ad_authTimestamp->ad_cname;
+ m->sml_desc = ad_authTimestamp;
+ m->sml_numvals = 1;
+ m->sml_values = ch_calloc( sizeof(struct berval), 2 );
+ m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
+
+ ber_dupbv( &m->sml_values[0], ×tamp );
+ ber_dupbv( &m->sml_nvalues[0], ×tamp );
+ m->sml_next = mod;
+ mod = m;
+ }
+
+done:
+ be_entry_release_r( op, e );
+
+ /* perform the update, if necessary */
+ if ( mod ) {
+ Operation op2 = *op;
+ SlapReply r2 = { REP_RESULT };
+ slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
+ LDAPControl c, *ca[2];
+ lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
+
+ /* This is a DSA-specific opattr, it never gets replicated. */
+ op2.o_tag = LDAP_REQ_MODIFY;
+ op2.o_callback = &cb;
+ op2.orm_modlist = mod;
+ op2.orm_no_opattrs = 0;
+ op2.o_dn = op->o_bd->be_rootdn;
+ op2.o_ndn = op->o_bd->be_rootndn;
+
+ /*
+ * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy
+ *
+ * If this server is a shadow and forward_updates is true,
+ * use the frontend to perform this modify. That will trigger
+ * the update referral, which can then be forwarded by the
+ * chain overlay. Obviously the updateref and chain overlay
+ * must be configured appropriately for this to be useful.
+ */
+ if ( SLAP_SHADOW( op->o_bd ) && lbi->forward_updates ) {
+ op2.o_bd = frontendDB;
+
+ /* Must use Relax control since these are no-user-mod */
+ op2.o_relax = SLAP_CONTROL_CRITICAL;
+ op2.o_ctrls = ca;
+ ca[0] = &c;
+ ca[1] = NULL;
+ BER_BVZERO( &c.ldctl_value );
+ c.ldctl_iscritical = 1;
+ c.ldctl_oid = LDAP_CONTROL_RELAX;
+ } else {
+ /* If not forwarding, don't update opattrs and don't replicate */
+ if ( SLAP_SINGLE_SHADOW( op->o_bd )) {
+ op2.orm_no_opattrs = 1;
+ op2.o_dont_replicate = 1;
+ }
+ /* TODO: not sure what this does in slapo-ppolicy */
+ /*
+ op2.o_bd->bd_info = (BackendInfo *)on->on_info;
+ */
+ }
+
+ rc = op2.o_bd->be_modify( &op2, &r2 );
+ slap_mods_free( mod, 1 );
+ }
+
+ op->o_bd->bd_info = bi;
+ return SLAP_CB_CONTINUE;
+}
+
+static int
+lastbind_bind( Operation *op, SlapReply *rs )
+{
+ slap_callback *cb;
+ slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+
+ /* setup a callback to intercept result of this bind operation
+ * and pass along the lastbind_info struct */
+ cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx );
+ cb->sc_response = lastbind_bind_response;
+ cb->sc_next = op->o_callback->sc_next;
+ cb->sc_private = on->on_bi.bi_private;
+ op->o_callback->sc_next = cb;
+
+ return SLAP_CB_CONTINUE;
+}
+
+static int
+lastbind_db_init(
+ BackendDB *be,
+ ConfigReply *cr
+)
+{
+ slap_overinst *on = (slap_overinst *) be->bd_info;
+
+ /* initialize private structure to store configuration */
+ on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) );
+
+ return 0;
+}
+
+static int
+lastbind_db_close(
+ BackendDB *be,
+ ConfigReply *cr
+)
+{
+ slap_overinst *on = (slap_overinst *) be->bd_info;
+ lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private;
+
+ /* free private structure to store configuration */
+ free( lbi );
+
+ return 0;
+}
+
+static slap_overinst lastbind;
+
+int lastbind_initialize()
+{
+ int i, code;
+
+ /* register operational schema for this overlay (authTimestamp attribute) */
+ for (i=0; lastBind_OpSchema[i].def; i++) {
+ code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 );
+ if ( code ) {
+ Debug( LDAP_DEBUG_ANY,
+ "lastbind_initialize: register_at failed\n" );
+ return code;
+ }
+ }
+
+ ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE;
+
+ lastbind.on_bi.bi_type = "lastbind";
+ lastbind.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
+ lastbind.on_bi.bi_db_init = lastbind_db_init;
+ lastbind.on_bi.bi_db_close = lastbind_db_close;
+ lastbind.on_bi.bi_op_bind = lastbind_bind;
+
+ /* register configuration directives */
+ lastbind.on_bi.bi_cf_ocs = lastbindocs;
+ code = config_register_schema( lastbindcfg, lastbindocs );
+ if ( code ) return code;
+
+ return overlay_register( &lastbind );
+}
+
+#if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC
+int init_module(int argc, char *argv[]) {
+ return lastbind_initialize();
+}
+#endif
+
+#endif /* defined(SLAPD_OVER_LASTBIND) */
diff --git a/contrib/slapd-modules/lastbind/slapo-lastbind.5 b/contrib/slapd-modules/lastbind/slapo-lastbind.5
new file mode 100644
index 0000000..82d666d
--- /dev/null
+++ b/contrib/slapd-modules/lastbind/slapo-lastbind.5
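Review bot: In lastbind_bind_response the result of the internal modify, `rc = op2.o_bd->be_modify( &op2, &r2 );`, is assigned and never examined, so an authTimestamp update that the backend rejects (for instance on a consumer without forwarding, or when the updateref is not chained) is dropped without any log line; since the man page offers the attribute for detecting unused accounts, an account that binds daily could silently keep a months-old timestamp. After the call add `if ( rc != LDAP_SUCCESS ) Debug( LDAP_DEBUG_ANY, "lastbind_bind_response: authTimestamp update failed for %s (%d)\n", op->o_req_ndn.bv_val, rc );`, using the same variadic Debug form the file already uses in lastbind_initialize. A second point in the same function: the skip test `if ((now - bindtime) < op->o_bd->be_lastbind_precision)` is also satisfied when the stored value lies in the future (negative difference), so an entry carrying a skewed timestamp is never refreshed until the clock passes it; `if ( bindtime <= now && (now - bindtime) < op->o_bd->be_lastbind_precision )` limits the optimisation to the intended case. The `lbi` declared at the top of the inner block is unused there and can be dropped, since the forwarding branch re-declares it.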
@@ -0,0 +1,118 @@
+.TH SLAPO-LASTBIND 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2009 Jonathan Clarke, All Rights Reserved.
+.\" $OpenLDAP$
+.SH NAME
+slapo-lastbind \- lastbind overlay to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+The
+.B lastbind
+overlay to
+.BR slapd (8)
+allows recording the timestamp of the last successful bind to entries
+in the directory, in the
+.B authTimestamp
+attribute.
+The overlay can be configured to update this timestamp only if it is
+older than a given value, thus avoiding large numbers of write
+operations penalizing performance.
+One sample use for this overlay would be to detect unused accounts.
+
+Now that OpenLDAP has native support for most of this functionality,
+storing the value in pwdLastSuccess to better interact with the Behera
+Password Policy draft 10. Unless you require lastbind_forward_updates,
+you should consider using that instead.
+
+.SH CONFIGURATION
+The config directives that are specific to the
+.B lastbind
+overlay must be prefixed by
+.BR lastbind\- ,
+to avoid potential conflicts with directives specific to the underlying
+database or to other stacked overlays.
+
+.TP
+.B overlay lastbind
+This directive adds the
+.B lastbind
+overlay to the current database, see
+.BR slapd.conf (5)
+for details.
+
+.LP
+This
+.B slapd.conf
+configuration option is defined for the lastbind overlay. It must
+appear after the
+.B overlay
+directive:
+.TP
+.B lastbind-precision <seconds>
+The value
+.B <seconds>
+is the number of seconds after which to update the
+.B authTimestamp
+attribute in an entry. If the existing value of
+.B authTimestamp
+is less than
+.B <seconds>
+old, it will not be changed.
+If this configuration option is omitted, the
+.B authTimestamp
+attribute is updated on each successful bind operation.
+.TP
+.B lastbind_forward_updates
+Specify that updates of the authTimestamp attribute
+on a consumer should be forwarded
+to a provider instead of being written directly into the consumer's local
+database. This setting is only useful on a replication consumer, and
+also requires the
+.B updateref
+setting and
+.B chain
+overlay to be appropriately configured.
+
+.SH EXAMPLE
+This example configures the
+.B lastbind
+overlay to store
+.B authTimestamp
+in all entries in a database, with a 1 week precision.
+Add the following to
+.BR slapd.conf (5):
+
+.LP
+.nf
+ database <database>
+ # ...
+
+ overlay lastbind
+ lastbind-precision 604800
+.fi
+.LP
+.B slapd
+must also load
+.B lastbind.la,
+if compiled as a run-time module;
+
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR slapd (8).
+.LP
+IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
+Sermersheim: documented in IETF document
+"draft-behera-ldap-password-policy-10.txt".
+
+The
+.BR slapo-lastbind (5)
+overlay supports dynamic configuration via
+.BR back-config.
+.SH ACKNOWLEDGEMENTS
+.P
+This module was written in 2009 by Jonathan Clarke. It is loosely
+derived from the password policy overlay. |