summaryrefslogtreecommitdiffstats
path: root/contrib/slapd-modules/lastbind/lastbind.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:35:32 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:35:32 +0000
commit5ea77a75dd2d2158401331879f3c8f47940a732c (patch)
treed89dc06e9f4850a900f161e25f84e922c4f86cc8 /contrib/slapd-modules/lastbind/lastbind.c
parentInitial commit. (diff)
downloadopenldap-5ea77a75dd2d2158401331879f3c8f47940a732c.tar.xz
openldap-5ea77a75dd2d2158401331879f3c8f47940a732c.zip
Adding upstream version 2.5.13+dfsg.upstream/2.5.13+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--contrib/slapd-modules/lastbind/lastbind.c320
1 files changed, 320 insertions, 0 deletions
diff --git a/contrib/slapd-modules/lastbind/lastbind.c b/contrib/slapd-modules/lastbind/lastbind.c
new file mode 100644
index 0000000..bd8e782
--- /dev/null
+++ b/contrib/slapd-modules/lastbind/lastbind.c
@@ -0,0 +1,320 @@
+/* lastbind.c - Record timestamp of the last successful bind to entries */
+/* $OpenLDAP$ */
+/*
+ * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work is loosely derived from the ppolicy overlay.
+ */
+
+#include "portable.h"
+
+/*
+ * This file implements an overlay that stores the timestamp of the
+ * last successful bind operation in a directory entry.
+ *
+ * Optimization: to avoid performing a write on each bind,
+ * a precision for this timestamp may be configured, causing it to
+ * only be updated if it is older than a given number of seconds.
+ */
+
+#ifdef SLAPD_OVER_LASTBIND
+
+#include <ldap.h>
+#include "lutil.h"
+#include "slap.h"
+#include <ac/errno.h>
+#include <ac/time.h>
+#include <ac/string.h>
+#include <ac/ctype.h>
+#include "slap-config.h"
+
+/* Per-instance configuration information */
+typedef struct lastbind_info {
+ /* precision to update timestamp in authTimestamp attribute */
+ int timestamp_precision;
+ int forward_updates; /* use frontend for authTimestamp updates */
+} lastbind_info;
+
+/* Operational attributes */
+static AttributeDescription *ad_authTimestamp;
+
+/* This is the definition used by ISODE, as supplied to us in
+ * ITS#6238 Followup #9
+ */
+static struct schema_info {
+ char *def;
+ AttributeDescription **ad;
+} lastBind_OpSchema[] = {
+ { "( 1.3.6.1.4.1.453.16.2.188 "
+ "NAME 'authTimestamp' "
+ "DESC 'last successful authentication using any method/mech' "
+ "EQUALITY generalizedTimeMatch "
+ "ORDERING generalizedTimeOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
+ "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
+ &ad_authTimestamp},
+ { NULL, NULL }
+};
+
+/* configuration attribute and objectclass */
+static ConfigTable lastbindcfg[] = {
+ { "lastbind-precision", "seconds", 2, 2, 0,
+ ARG_INT|ARG_OFFSET,
+ (void *)offsetof(lastbind_info, timestamp_precision),
+ "( OLcfgCtAt:5.1 "
+ "NAME 'olcLastBindPrecision' "
+ "DESC 'Precision of authTimestamp attribute' "
+ "EQUALITY integerMatch "
+ "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+ { "lastbind_forward_updates", "on|off", 1, 2, 0,
+ ARG_ON_OFF|ARG_OFFSET,
+ (void *)offsetof(lastbind_info,forward_updates),
+ "( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' "
+ "DESC 'Allow authTimestamp updates to be forwarded via updateref' "
+ "EQUALITY booleanMatch "
+ "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
+ { NULL, NULL, 0, 0, 0, ARG_IGNORED }
+};
+
+static ConfigOCs lastbindocs[] = {
+ { "( OLcfgCtOc:5.1 "
+ "NAME 'olcLastBindConfig' "
+ "DESC 'Last Bind configuration' "
+ "SUP olcOverlayConfig "
+ "MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )",
+ Cft_Overlay, lastbindcfg, NULL, NULL },
+ { NULL, 0, NULL }
+};
+
+static time_t
+parse_time( char *atm )
+{
+ struct lutil_tm tm;
+ struct lutil_timet tt;
+ time_t ret = (time_t)-1;
+
+ if ( lutil_parsetime( atm, &tm ) == 0) {
+ lutil_tm2time( &tm, &tt );
+ ret = tt.tt_sec;
+ }
+ return ret;
+}
+
+static int
+lastbind_bind_response( Operation *op, SlapReply *rs )
+{
+ Modifications *mod = NULL;
+ BackendInfo *bi = op->o_bd->bd_info;
+ Entry *e;
+ int rc;
+
+ /* we're only interested if the bind was successful */
+ if ( rs->sr_err != LDAP_SUCCESS )
+ return SLAP_CB_CONTINUE;
+
+ rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
+ op->o_bd->bd_info = bi;
+
+ if ( rc != LDAP_SUCCESS ) {
+ return SLAP_CB_CONTINUE;
+ }
+
+ {
+ lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
+
+ time_t now, bindtime = (time_t)-1;
+ Attribute *a;
+ Modifications *m;
+ char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
+ struct berval timestamp;
+
+ /* get the current time */
+ now = slap_get_time();
+
+ /* get authTimestamp attribute, if it exists */
+ if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) {
+ bindtime = parse_time( a->a_nvals[0].bv_val );
+
+ if (bindtime != (time_t)-1) {
+ /* if the recorded bind time is within our precision, we're done
+ * it doesn't need to be updated (save a write for nothing) */
+ if ((now - bindtime) < lbi->timestamp_precision) {
+ goto done;
+ }
+ }
+ }
+
+ /* update the authTimestamp in the user's entry with the current time */
+ timestamp.bv_val = nowstr;
+ timestamp.bv_len = sizeof(nowstr);
+ slap_timestamp( &now, &timestamp );
+
+ m = ch_calloc( sizeof(Modifications), 1 );
+ m->sml_op = LDAP_MOD_REPLACE;
+ m->sml_flags = 0;
+ m->sml_type = ad_authTimestamp->ad_cname;
+ m->sml_desc = ad_authTimestamp;
+ m->sml_numvals = 1;
+ m->sml_values = ch_calloc( sizeof(struct berval), 2 );
+ m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
+
+ ber_dupbv( &m->sml_values[0], &timestamp );
+ ber_dupbv( &m->sml_nvalues[0], &timestamp );
+ m->sml_next = mod;
+ mod = m;
+ }
+
+done:
+ be_entry_release_r( op, e );
+
+ /* perform the update, if necessary */
+ if ( mod ) {
+ Operation op2 = *op;
+ SlapReply r2 = { REP_RESULT };
+ slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
+ LDAPControl c, *ca[2];
+ lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
+
+ /* This is a DSA-specific opattr, it never gets replicated. */
+ op2.o_tag = LDAP_REQ_MODIFY;
+ op2.o_callback = &cb;
+ op2.orm_modlist = mod;
+ op2.orm_no_opattrs = 0;
+ op2.o_dn = op->o_bd->be_rootdn;
+ op2.o_ndn = op->o_bd->be_rootndn;
+
+ /*
+ * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy
+ *
+ * If this server is a shadow and forward_updates is true,
+ * use the frontend to perform this modify. That will trigger
+ * the update referral, which can then be forwarded by the
+ * chain overlay. Obviously the updateref and chain overlay
+ * must be configured appropriately for this to be useful.
+ */
+ if ( SLAP_SHADOW( op->o_bd ) && lbi->forward_updates ) {
+ op2.o_bd = frontendDB;
+
+ /* Must use Relax control since these are no-user-mod */
+ op2.o_relax = SLAP_CONTROL_CRITICAL;
+ op2.o_ctrls = ca;
+ ca[0] = &c;
+ ca[1] = NULL;
+ BER_BVZERO( &c.ldctl_value );
+ c.ldctl_iscritical = 1;
+ c.ldctl_oid = LDAP_CONTROL_RELAX;
+ } else {
+ /* If not forwarding, don't update opattrs and don't replicate */
+ if ( SLAP_SINGLE_SHADOW( op->o_bd )) {
+ op2.orm_no_opattrs = 1;
+ op2.o_dont_replicate = 1;
+ }
+ /* TODO: not sure what this does in slapo-ppolicy */
+ /*
+ op2.o_bd->bd_info = (BackendInfo *)on->on_info;
+ */
+ }
+
+ rc = op2.o_bd->be_modify( &op2, &r2 );
+ slap_mods_free( mod, 1 );
+ }
+
+ op->o_bd->bd_info = bi;
+ return SLAP_CB_CONTINUE;
+}
+
+static int
+lastbind_bind( Operation *op, SlapReply *rs )
+{
+ slap_callback *cb;
+ slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+
+ /* setup a callback to intercept result of this bind operation
+ * and pass along the lastbind_info struct */
+ cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx );
+ cb->sc_response = lastbind_bind_response;
+ cb->sc_next = op->o_callback->sc_next;
+ cb->sc_private = on->on_bi.bi_private;
+ op->o_callback->sc_next = cb;
+
+ return SLAP_CB_CONTINUE;
+}
+
+static int
+lastbind_db_init(
+ BackendDB *be,
+ ConfigReply *cr
+)
+{
+ slap_overinst *on = (slap_overinst *) be->bd_info;
+
+ /* initialize private structure to store configuration */
+ on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) );
+
+ return 0;
+}
+
+static int
+lastbind_db_close(
+ BackendDB *be,
+ ConfigReply *cr
+)
+{
+ slap_overinst *on = (slap_overinst *) be->bd_info;
+ lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private;
+
+ /* free private structure to store configuration */
+ free( lbi );
+
+ return 0;
+}
+
+static slap_overinst lastbind;
+
+int lastbind_initialize()
+{
+ int i, code;
+
+ /* register operational schema for this overlay (authTimestamp attribute) */
+ for (i=0; lastBind_OpSchema[i].def; i++) {
+ code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 );
+ if ( code ) {
+ Debug( LDAP_DEBUG_ANY,
+ "lastbind_initialize: register_at failed\n" );
+ return code;
+ }
+ }
+
+ ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE;
+
+ lastbind.on_bi.bi_type = "lastbind";
+ lastbind.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
+ lastbind.on_bi.bi_db_init = lastbind_db_init;
+ lastbind.on_bi.bi_db_close = lastbind_db_close;
+ lastbind.on_bi.bi_op_bind = lastbind_bind;
+
+ /* register configuration directives */
+ lastbind.on_bi.bi_cf_ocs = lastbindocs;
+ code = config_register_schema( lastbindcfg, lastbindocs );
+ if ( code ) return code;
+
+ return overlay_register( &lastbind );
+}
+
+#if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC
+int init_module(int argc, char *argv[]) {
+ return lastbind_initialize();
+}
+#endif
+
+#endif /* defined(SLAPD_OVER_LASTBIND) */