diff options
Diffstat (limited to 'server/providers/ldap/sdap.c')
-rw-r--r-- | server/providers/ldap/sdap.c | 388 |
1 files changed, 0 insertions, 388 deletions
diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c deleted file mode 100644 index 39c67cc9..00000000 --- a/server/providers/ldap/sdap.c +++ /dev/null @@ -1,388 +0,0 @@ -/* - SSSD - - LDAP Helper routines - - Copyright (C) Simo Sorce <ssorce@redhat.com> - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#define LDAP_DEPRECATED 1 -#include "util/util.h" -#include "confdb/confdb.h" -#include "providers/ldap/sdap.h" - -/* =Retrieve-Options====================================================== */ - -int sdap_get_map(TALLOC_CTX *memctx, - struct confdb_ctx *cdb, - const char *conf_path, - struct sdap_attr_map *def_map, - int num_entries, - struct sdap_attr_map **_map) -{ - struct sdap_attr_map *map; - int i, ret; - - map = talloc_array(memctx, struct sdap_attr_map, num_entries); - if (!map) { - return ENOMEM; - } - - for (i = 0; i < num_entries; i++) { - - map[i].opt_name = def_map[i].opt_name; - map[i].def_name = def_map[i].def_name; - map[i].sys_name = def_map[i].sys_name; - - ret = confdb_get_string(cdb, map, conf_path, - map[i].opt_name, - map[i].def_name, - &map[i].name); - if ((ret != EOK) || (map[i].def_name && !map[i].name)) { - DEBUG(0, ("Failed to retrieve value for %s\n", map[i].opt_name)); - if (ret != EOK) { - talloc_zfree(map); - return EINVAL; - } - } - - DEBUG(5, ("Option %s has value %s\n", map[i].opt_name, map[i].name)); - } - - *_map = map; - return EOK; -} - -/* =Parse-msg============================================================= */ - -int sdap_parse_entry(TALLOC_CTX *memctx, - struct sdap_handle *sh, struct sdap_msg *sm, - struct sdap_attr_map *map, int attrs_num, - struct sysdb_attrs **_attrs, char **_dn) -{ - struct sysdb_attrs *attrs; - BerElement *ber = NULL; - struct berval **vals; - struct ldb_val v; - char *str; - int lerrno; - int a, i, ret; - const char *name; - bool store; - - lerrno = 0; - ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); - - attrs = sysdb_new_attrs(memctx); - if (!attrs) return ENOMEM; - - str = ldap_get_dn(sh->ldap, sm->msg); - if (!str) { - ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); - DEBUG(1, ("ldap_get_dn failed: %d(%s)\n", - lerrno, ldap_err2string(lerrno))); - ret = EIO; - goto fail; - } - - DEBUG(9, ("OriginalDN: [%s].\n", str)); - ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str); - if (ret) goto fail; - if (_dn) { - *_dn = talloc_strdup(memctx, str); - if (!*_dn) { - ret = ENOMEM; - ldap_memfree(str); - goto fail; - } - } - ldap_memfree(str); - - if (map) { - vals = ldap_get_values_len(sh->ldap, sm->msg, "objectClass"); - if (!vals) { - DEBUG(1, ("Unknown entry type, no objectClasses found!\n")); - ret = EINVAL; - goto fail; - } - - for (i = 0; vals[i]; i++) { - /* the objectclass is always the first name in the map */ - if (strncasecmp(map[0].name, - vals[i]->bv_val, vals[i]->bv_len) == 0) { - /* ok it's an entry of the right type */ - break; - } - } - if (!vals[i]) { - DEBUG(1, ("objectClass not matching: %s\n", - map[0].name)); - ldap_value_free_len(vals); - ret = EINVAL; - goto fail; - } - ldap_value_free_len(vals); - } - - str = ldap_first_attribute(sh->ldap, sm->msg, &ber); - if (!str) { - ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); - DEBUG(1, ("Entry has no attributes [%d(%s)]!?\n", - lerrno, ldap_err2string(lerrno))); - if (map) { - ret = EINVAL; - goto fail; - } - } - while (str) { - if (map) { - for (a = 1; a < attrs_num; a++) { - /* check if this attr is valid with the chosen schema */ - if (!map[a].name) continue; - /* check if it is an attr we are interested in */ - if (strcasecmp(str, map[a].name) == 0) break; - } - /* interesting attr */ - if (a < attrs_num) { - store = true; - name = map[a].sys_name; - } else { - store = false; - } - } else { - name = str; - store = true; - } - - if (store) { - vals = ldap_get_values_len(sh->ldap, sm->msg, str); - if (!vals) { - ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); - DEBUG(1, ("LDAP Library error: %d(%s)", - lerrno, ldap_err2string(lerrno))); - ret = EIO; - goto fail; - } - if (!vals[0]) { - DEBUG(1, ("Missing value after ldap_get_values() ??\n")); - ret = EINVAL; - goto fail; - } - for (i = 0; vals[i]; i++) { - v.data = (uint8_t *)vals[i]->bv_val; - v.length = vals[i]->bv_len; - - ret = sysdb_attrs_add_val(attrs, name, &v); - if (ret) goto fail; - } - ldap_value_free_len(vals); - } - - ldap_memfree(str); - str = ldap_next_attribute(sh->ldap, sm->msg, ber); - } - ber_free(ber, 0); - - ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); - if (lerrno) { - DEBUG(1, ("LDAP Library error: %d(%s)", - lerrno, ldap_err2string(lerrno))); - ret = EIO; - goto fail; - } - - *_attrs = attrs; - return EOK; - -fail: - if (ber) ber_free(ber, 0); - talloc_free(attrs); - return ret; -} - -/* This function converts an ldap message into a sysdb_attrs structure. - * It converts only known user attributes, the rest are ignored. - * If the entry is not that of an user an error is returned. - * The original DN is stored as an attribute named originalDN */ - -int sdap_parse_user(TALLOC_CTX *memctx, struct sdap_options *opts, - struct sdap_handle *sh, struct sdap_msg *sm, - struct sysdb_attrs **_attrs, char **_dn) -{ - - return sdap_parse_entry(memctx, sh, sm, opts->user_map, - SDAP_OPTS_USER, _attrs, _dn); -} - -/* This function converts an ldap message into a sysdb_attrs structure. - * It converts only known group attributes, the rest are ignored. - * If the entry is not that of an user an error is returned. - * The original DN is stored as an attribute named originalDN */ - -int sdap_parse_group(TALLOC_CTX *memctx, struct sdap_options *opts, - struct sdap_handle *sh, struct sdap_msg *sm, - struct sysdb_attrs **_attrs, char **_dn) -{ - - return sdap_parse_entry(memctx, sh, sm, opts->group_map, - SDAP_OPTS_GROUP, _attrs, _dn); -} - -/* =Get-DN-from-message=================================================== */ - -int sdap_get_msg_dn(TALLOC_CTX *memctx, struct sdap_handle *sh, - struct sdap_msg *sm, char **_dn) -{ - char *str; - int lerrno; - - lerrno = 0; - ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); - - str = ldap_get_dn(sh->ldap, sm->msg); - if (!str) { - ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); - DEBUG(1, ("ldap_get_dn failed: %d(%s)\n", - lerrno, ldap_err2string(lerrno))); - return EIO; - } - - *_dn = talloc_strdup(memctx, str); - ldap_memfree(str); - if (!*_dn) return ENOMEM; - - return EOK; -} - -errno_t setup_tls_config(struct dp_option *basic_opts) -{ - int ret; - int ldap_opt_x_tls_require_cert; - const char *tls_opt; - tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_REQCERT); - if (tls_opt) { - if (strcasecmp(tls_opt, "never") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER; - } - else if (strcasecmp(tls_opt, "allow") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW; - } - else if (strcasecmp(tls_opt, "try") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY; - } - else if (strcasecmp(tls_opt, "demand") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; - } - else if (strcasecmp(tls_opt, "hard") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD; - } - else { - DEBUG(1, ("Unknown value for tls_reqcert.\n")); - return EINVAL; - } - /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option, - * because the SSL/TLS context is initialized from this value. */ - ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, - &ldap_opt_x_tls_require_cert); - if (ret != LDAP_OPT_SUCCESS) { - DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret))); - return EIO; - } - } - - tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CACERT); - if (tls_opt) { - ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_opt); - if (ret != LDAP_OPT_SUCCESS) { - DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret))); - return EIO; - } - } - - tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CACERTDIR); - if (tls_opt) { - ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, tls_opt); - if (ret != LDAP_OPT_SUCCESS) { - DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret))); - return EIO; - } - } - - return EOK; -} - - -bool sdap_rootdse_sasl_mech_is_supported(struct sysdb_attrs *rootdse, - const char *sasl_mech) -{ - struct ldb_message_element *el = NULL; - struct ldb_val *val; - int i; - - if (!sasl_mech) return false; - - for (i = 0; i < rootdse->num; i++) { - if (strcasecmp(rootdse->a[i].name, "supportedSASLMechanisms")) { - continue; - } - el = &rootdse->a[i]; - break; - } - - if (!el) { - /* no supported SASL Mechanism at all ? */ - return false; - } - - for (i = 0; i < el->num_values; i++) { - val = &el->values[i]; - if (strncasecmp(sasl_mech, (const char *)val->data, val->length)) { - continue; - } - return true; - } - - return false; -} - -int build_attrs_from_map(TALLOC_CTX *memctx, - struct sdap_attr_map *map, - size_t size, const char ***_attrs) -{ - char **attrs; - int i, j; - - attrs = talloc_array(memctx, char *, size + 1); - if (!attrs) return ENOMEM; - - /* first attribute is "objectclass" not the specifc one */ - attrs[0] = talloc_strdup(memctx, "objectClass"); - if (!attrs[0]) return ENOMEM; - - /* add the others */ - for (i = j = 1; i < size; i++) { - if (map[i].name) { - attrs[j] = map[i].name; - j++; - } - } - attrs[j] = NULL; - - *_attrs = (const char **)attrs; - - return EOK; -} - |