17 buffer
*auth_ldap_hostname
;
18 buffer
*auth_ldap_basedn
;
19 buffer
*auth_ldap_binddn
;
20 buffer
*auth_ldap_bindpw
;
21 buffer
*auth_ldap_filter
;
22 buffer
*auth_ldap_cafile
;
23 buffer
*auth_ldap_groupmember
;
24 unsigned short auth_ldap_starttls
;
25 unsigned short auth_ldap_allow_empty_pw
;
30 plugin_config
**config_storage
;
31 plugin_config conf
, *anon_conf
; /* this is only used as long as no handler_ctx is setup */
36 static handler_t
mod_authn_ldap_basic(server
*srv
, connection
*con
, void *p_d
, const http_auth_require_t
*require
, const buffer
*username
, const char *pw
);
38 INIT_FUNC(mod_authn_ldap_init
) {
39 static http_auth_backend_t http_auth_backend_ldap
=
40 { "ldap", mod_authn_ldap_basic
, NULL
, NULL
};
41 plugin_data
*p
= calloc(1, sizeof(*p
));
42 p
->ldap_filter
= buffer_init();
44 /* register http_auth_backend_ldap */
45 http_auth_backend_ldap
.p_d
= p
;
46 http_auth_backend_set(&http_auth_backend_ldap
);
51 FREE_FUNC(mod_authn_ldap_free
) {
56 if (!p
) return HANDLER_GO_ON
;
58 buffer_free(p
->ldap_filter
);
60 if (p
->config_storage
) {
62 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
63 plugin_config
*s
= p
->config_storage
[i
];
65 if (NULL
== s
) continue;
67 buffer_free(s
->auth_ldap_hostname
);
68 buffer_free(s
->auth_ldap_basedn
);
69 buffer_free(s
->auth_ldap_binddn
);
70 buffer_free(s
->auth_ldap_bindpw
);
71 buffer_free(s
->auth_ldap_filter
);
72 buffer_free(s
->auth_ldap_cafile
);
73 buffer_free(s
->auth_ldap_groupmember
);
75 if (NULL
!= s
->ldap
) ldap_unbind_ext_s(s
->ldap
, NULL
, NULL
);
78 free(p
->config_storage
);
86 SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults
) {
89 config_values_t cv
[] = {
90 { "auth.backend.ldap.hostname", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 0 */
91 { "auth.backend.ldap.base-dn", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 1 */
92 { "auth.backend.ldap.filter", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 2 */
93 { "auth.backend.ldap.ca-file", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 3 */
94 { "auth.backend.ldap.starttls", NULL
, T_CONFIG_BOOLEAN
, T_CONFIG_SCOPE_CONNECTION
}, /* 4 */
95 { "auth.backend.ldap.bind-dn", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 5 */
96 { "auth.backend.ldap.bind-pw", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 6 */
97 { "auth.backend.ldap.allow-empty-pw", NULL
, T_CONFIG_BOOLEAN
, T_CONFIG_SCOPE_CONNECTION
}, /* 7 */
98 { "auth.backend.ldap.groupmember", NULL
, T_CONFIG_STRING
, T_CONFIG_SCOPE_CONNECTION
}, /* 8 */
99 { NULL
, NULL
, T_CONFIG_UNSET
, T_CONFIG_SCOPE_UNSET
}
102 p
->config_storage
= calloc(1, srv
->config_context
->used
* sizeof(plugin_config
*));
104 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
105 data_config
const* config
= (data_config
const*)srv
->config_context
->data
[i
];
108 s
= calloc(1, sizeof(plugin_config
));
110 s
->auth_ldap_hostname
= buffer_init();
111 s
->auth_ldap_basedn
= buffer_init();
112 s
->auth_ldap_binddn
= buffer_init();
113 s
->auth_ldap_bindpw
= buffer_init();
114 s
->auth_ldap_filter
= buffer_init();
115 s
->auth_ldap_cafile
= buffer_init();
116 s
->auth_ldap_groupmember
= buffer_init_string("memberUid");
117 s
->auth_ldap_starttls
= 0;
120 cv
[0].destination
= s
->auth_ldap_hostname
;
121 cv
[1].destination
= s
->auth_ldap_basedn
;
122 cv
[2].destination
= s
->auth_ldap_filter
;
123 cv
[3].destination
= s
->auth_ldap_cafile
;
124 cv
[4].destination
= &(s
->auth_ldap_starttls
);
125 cv
[5].destination
= s
->auth_ldap_binddn
;
126 cv
[6].destination
= s
->auth_ldap_bindpw
;
127 cv
[7].destination
= &(s
->auth_ldap_allow_empty_pw
);
128 cv
[8].destination
= s
->auth_ldap_groupmember
;
130 p
->config_storage
[i
] = s
;
132 if (0 != config_insert_values_global(srv
, config
->value
, cv
, i
== 0 ? T_CONFIG_SCOPE_SERVER
: T_CONFIG_SCOPE_CONNECTION
)) {
133 return HANDLER_ERROR
;
136 if (!buffer_string_is_empty(s
->auth_ldap_filter
)) {
137 if (*s
->auth_ldap_filter
->ptr
!= ',') {
138 /*(translate '$' to '?' for consistency with other modules)*/
139 char *d
= s
->auth_ldap_filter
->ptr
;
140 for (; NULL
!= (d
= strchr(d
, '$')); ++d
) *d
= '?';
141 if (NULL
== strchr(s
->auth_ldap_filter
->ptr
, '?')) {
142 log_error_write(srv
, __FILE__
, __LINE__
, "s", "ldap: auth.backend.ldap.filter is missing a replace-operator '?'");
143 return HANDLER_ERROR
;
149 return HANDLER_GO_ON
;
154 static int mod_authn_ldap_patch_connection(server
*srv
, connection
*con
, plugin_data
*p
) {
156 plugin_config
*s
= p
->config_storage
[0];
158 PATCH(auth_ldap_hostname
);
159 PATCH(auth_ldap_basedn
);
160 PATCH(auth_ldap_binddn
);
161 PATCH(auth_ldap_bindpw
);
162 PATCH(auth_ldap_filter
);
163 PATCH(auth_ldap_cafile
);
164 PATCH(auth_ldap_starttls
);
165 PATCH(auth_ldap_allow_empty_pw
);
166 PATCH(auth_ldap_groupmember
);
169 /* skip the first, the global context */
170 for (i
= 1; i
< srv
->config_context
->used
; i
++) {
171 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
172 s
= p
->config_storage
[i
];
174 /* condition didn't match */
175 if (!config_check_cond(srv
, con
, dc
)) continue;
178 for (j
= 0; j
< dc
->value
->used
; j
++) {
179 data_unset
*du
= dc
->value
->data
[j
];
181 if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.hostname"))) {
182 PATCH(auth_ldap_hostname
);
184 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.base-dn"))) {
185 PATCH(auth_ldap_basedn
);
186 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.filter"))) {
187 PATCH(auth_ldap_filter
);
188 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
189 PATCH(auth_ldap_cafile
);
190 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
191 PATCH(auth_ldap_starttls
);
192 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.bind-dn"))) {
193 PATCH(auth_ldap_binddn
);
194 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.bind-pw"))) {
195 PATCH(auth_ldap_bindpw
);
196 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) {
197 PATCH(auth_ldap_allow_empty_pw
);
198 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("auth.backend.ldap.groupmember"))) {
199 PATCH(auth_ldap_groupmember
);
208 static void mod_authn_ldap_err(server
*srv
, const char *file
, unsigned long line
, const char *fn
, int err
)
210 log_error_write(srv
,file
,line
,"sSss","ldap:",fn
,":",ldap_err2string(err
));
213 static void mod_authn_ldap_opt_err(server
*srv
, const char *file
, unsigned long line
, const char *fn
, LDAP
*ld
)
216 ldap_get_option(ld
, LDAP_OPT_ERROR_NUMBER
, &err
);
217 mod_authn_ldap_err(srv
, file
, line
, fn
, err
);
220 static void mod_authn_append_ldap_dn_escape(buffer
* const filter
, const buffer
* const raw
) {
221 /* [RFC4514] 2.4 Converting an AttributeValue from ASN.1 to a String
223 * https://www.ldap.com/ldap-dns-and-rdns
224 * http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
226 const char * const b
= raw
->ptr
;
227 const size_t rlen
= buffer_string_length(raw
);
228 if (0 == rlen
) return;
230 if (b
[0] == ' ') { /* || b[0] == '#' handled below for MS Active Directory*/
231 /* escape leading ' ' */
232 buffer_append_string_len(filter
, CONST_STR_LEN("\\"));
235 for (size_t i
= 0; i
< rlen
; ++i
) {
239 /* encode all UTF-8 chars with high bit set
240 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
241 if (((unsigned char *)b
)[len
] > 0x7f)
246 case '"': case '+': case ',': case ';': case '\\':
248 case '=': case '#': /* (for MS Active Directory) */
255 } while (++len
< rlen
);
259 buffer_append_string_len(filter
, b
+i
, len
);
260 if ((i
+= len
) == rlen
) break;
264 buffer_append_string_len(filter
, CONST_STR_LEN("\\"));
265 buffer_append_string_len(filter
, b
+i
, 1);
268 /* escape NUL ('\0') (and all UTF-8 chars with high bit set) */
270 buffer_string_prepare_append(filter
, 3);
271 f
= filter
->ptr
+ buffer_string_length(filter
);
273 f
[1] = "0123456789abcdef"[(((unsigned char *)b
)[i
] >> 4) & 0xf];
274 f
[2] = "0123456789abcdef"[(((unsigned char *)b
)[i
] ) & 0xf];
275 buffer_commit(filter
, 3);
279 if (rlen
> 1 && b
[rlen
-1] == ' ') {
280 /* escape trailing ' ' */
281 filter
->ptr
[buffer_string_length(filter
)-1] = '\\';
282 buffer_append_string_len(filter
, CONST_STR_LEN(" "));
286 static void mod_authn_append_ldap_filter_escape(buffer
* const filter
, const buffer
* const raw
) {
287 /* [RFC4515] 3. String Search Filter Definition
291 * The <valueencoding> rule ensures that the entire filter string is a
292 * valid UTF-8 string and provides that the octets that represent the
293 * ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
294 * 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
295 * backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
296 * representing the value of the encoded octet.
300 * As indicated by the <valueencoding> rule, implementations MUST escape
301 * all octets greater than 0x7F that are not part of a valid UTF-8
302 * encoding sequence when they generate a string representation of a
303 * search filter. Implementations SHOULD accept as input strings that
304 * are not valid UTF-8 strings. This is necessary because RFC 2254 did
305 * not clearly define the term "string representation" (and in
306 * particular did not mention that the string representation of an LDAP
307 * search filter is a string of UTF-8-encoded Unicode characters).
310 * https://www.ldap.com/ldap-filters
311 * Although not required, you may escape any other characters that you want
312 * in the assertion value (or substring component) of a filter. This may be
313 * accomplished by prefixing the hexadecimal representation of each byte of
314 * the UTF-8 encoding of the character to escape with a backslash character.
316 const char * const b
= raw
->ptr
;
317 const size_t rlen
= buffer_string_length(raw
);
318 for (size_t i
= 0; i
< rlen
; ++i
) {
322 /* encode all UTF-8 chars with high bit set
323 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
324 if (((unsigned char *)b
)[len
] > 0x7f)
329 case '\0': case '(': case ')': case '*': case '\\':
333 } while (++len
< rlen
);
337 buffer_append_string_len(filter
, b
+i
, len
);
338 if ((i
+= len
) == rlen
) break;
341 /* escape * ( ) \ NUL ('\0') (and all UTF-8 chars with high bit set) */
342 buffer_string_prepare_append(filter
, 3);
343 f
= filter
->ptr
+ buffer_string_length(filter
);
345 f
[1] = "0123456789abcdef"[(((unsigned char *)b
)[i
] >> 4) & 0xf];
346 f
[2] = "0123456789abcdef"[(((unsigned char *)b
)[i
] ) & 0xf];
347 buffer_commit(filter
, 3);
351 static LDAP
* mod_authn_ldap_host_init(server
*srv
, plugin_config
*s
) {
355 if (buffer_string_is_empty(s
->auth_ldap_hostname
)) return NULL
;
357 ld
= ldap_init(s
->auth_ldap_hostname
->ptr
, LDAP_PORT
);
359 log_error_write(srv
, __FILE__
, __LINE__
, "sss", "ldap:", "ldap_init():",
365 ret
= ldap_set_option(ld
, LDAP_OPT_PROTOCOL_VERSION
, &ret
);
366 if (LDAP_OPT_SUCCESS
!= ret
) {
367 mod_authn_ldap_err(srv
, __FILE__
, __LINE__
, "ldap_set_options()", ret
);
372 if (s
->auth_ldap_starttls
) {
373 /* if no CA file is given, it is ok, as we will use encryption
374 * if the server requires a CAfile it will tell us */
375 if (!buffer_string_is_empty(s
->auth_ldap_cafile
)) {
376 ret
= ldap_set_option(NULL
, LDAP_OPT_X_TLS_CACERTFILE
,
377 s
->auth_ldap_cafile
->ptr
);
378 if (LDAP_OPT_SUCCESS
!= ret
) {
379 mod_authn_ldap_err(srv
, __FILE__
, __LINE__
,
380 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)",
387 ret
= ldap_start_tls_s(ld
, NULL
, NULL
);
388 if (LDAP_OPT_SUCCESS
!= ret
) {
389 mod_authn_ldap_err(srv
,__FILE__
,__LINE__
,"ldap_start_tls_s()",ret
);
398 static int mod_authn_ldap_bind(server
*srv
, LDAP
*ld
, const char *dn
, const char *pw
) {
404 *((const char **)&creds
.bv_val
) = pw
; /*(cast away const)*/
405 creds
.bv_len
= strlen(pw
);
411 /* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */
413 ret
= ldap_sasl_bind_s(ld
,dn
,LDAP_SASL_SIMPLE
,&creds
,NULL
,NULL
,NULL
);
414 if (ret
!= LDAP_SUCCESS
) {
415 mod_authn_ldap_err(srv
, __FILE__
, __LINE__
, "ldap_sasl_bind_s()", ret
);
418 int ret
= ldap_simple_bind_s(ld
, dn
, pw
);
419 if (ret
!= LDAP_SUCCESS
) {
420 mod_authn_ldap_err(srv
, __FILE__
, __LINE__
, "ldap_simple_bind_s()",ret
);
427 static LDAPMessage
* mod_authn_ldap_search(server
*srv
, plugin_config
*s
, char *base
, char *filter
) {
428 LDAPMessage
*lm
= NULL
;
429 char *attrs
[] = { LDAP_NO_ATTRS
, NULL
};
433 * 1. connect anonymously (if not already connected)
434 * (ldap connection is kept open unless connection-level error occurs)
435 * 2. issue search using filter
438 if (s
->ldap
!= NULL
) {
439 ret
= ldap_search_ext_s(s
->ldap
, base
, LDAP_SCOPE_SUBTREE
, filter
,
440 attrs
, 0, NULL
, NULL
, NULL
, 0, &lm
);
441 if (LDAP_SUCCESS
== ret
) {
443 } else if (LDAP_SERVER_DOWN
!= ret
) {
444 /* try again (or initial request);
445 * ldap lib sometimes fails for the first call but reconnects */
446 ret
= ldap_search_ext_s(s
->ldap
, base
, LDAP_SCOPE_SUBTREE
, filter
,
447 attrs
, 0, NULL
, NULL
, NULL
, 0, &lm
);
448 if (LDAP_SUCCESS
== ret
) {
453 ldap_unbind_ext_s(s
->ldap
, NULL
, NULL
);
456 s
->ldap
= mod_authn_ldap_host_init(srv
, s
);
457 if (NULL
== s
->ldap
) {
461 ret
= !buffer_string_is_empty(s
->auth_ldap_binddn
)
462 ? mod_authn_ldap_bind(srv
, s
->ldap
,
463 s
->auth_ldap_binddn
->ptr
,
464 s
->auth_ldap_bindpw
->ptr
)
465 : mod_authn_ldap_bind(srv
, s
->ldap
, NULL
, NULL
);
466 if (LDAP_SUCCESS
!= ret
) {
467 ldap_memfree(s
->ldap
);
472 ret
= ldap_search_ext_s(s
->ldap
, base
, LDAP_SCOPE_SUBTREE
, filter
,
473 attrs
, 0, NULL
, NULL
, NULL
, 0, &lm
);
474 if (LDAP_SUCCESS
!= ret
) {
475 log_error_write(srv
, __FILE__
, __LINE__
, "sSss",
476 "ldap:", ldap_err2string(ret
), "; filter:", filter
);
477 ldap_unbind_ext_s(s
->ldap
, NULL
, NULL
);
485 static char * mod_authn_ldap_get_dn(server
*srv
, plugin_config
*s
, char *base
, char *filter
) {
487 LDAPMessage
*lm
, *first
;
491 lm
= mod_authn_ldap_search(srv
, s
, base
, filter
);
496 ld
= s
->ldap
; /*(must be after mod_authn_ldap_search(); might reconnect)*/
498 count
= ldap_count_entries(ld
, lm
);
499 if (0 == count
) { /*(no entires found)*/
502 } else if (count
> 1) {
503 log_error_write(srv
, __FILE__
, __LINE__
, "sss",
504 "ldap:", "more than one record returned. "
505 "you might have to refine the filter:", filter
);
508 if (NULL
== (first
= ldap_first_entry(ld
, lm
))) {
509 mod_authn_ldap_opt_err(srv
,__FILE__
,__LINE__
,"ldap_first_entry()",ld
);
514 if (NULL
== (dn
= ldap_get_dn(ld
, first
))) {
515 mod_authn_ldap_opt_err(srv
,__FILE__
,__LINE__
,"ldap_get_dn()",ld
);
524 static handler_t
mod_authn_ldap_memberOf(server
*srv
, plugin_config
*s
, const http_auth_require_t
*require
, const buffer
*username
, const char *userdn
) {
525 array
*groups
= require
->group
;
526 buffer
*filter
= buffer_init();
527 handler_t rc
= HANDLER_ERROR
;
529 buffer_copy_string_len(filter
, CONST_STR_LEN("("));
530 buffer_append_string_buffer(filter
, s
->auth_ldap_groupmember
);
531 buffer_append_string_len(filter
, CONST_STR_LEN("="));
532 if (buffer_is_equal_string(s
->auth_ldap_groupmember
,
533 CONST_STR_LEN("member"))) {
534 buffer_append_string(filter
, userdn
);
535 } else { /*(assume "memberUid"; consider validating in SETDEFAULTS_FUNC)*/
536 mod_authn_append_ldap_filter_escape(filter
, username
);
538 buffer_append_string_len(filter
, CONST_STR_LEN(")"));
540 for (size_t i
= 0; i
< groups
->used
; ++i
) {
541 char *base
= groups
->data
[i
]->key
->ptr
;
542 LDAPMessage
*lm
= mod_authn_ldap_search(srv
, s
, base
, filter
->ptr
);
544 int count
= ldap_count_entries(s
->ldap
, lm
);
557 static handler_t
mod_authn_ldap_basic(server
*srv
, connection
*con
, void *p_d
, const http_auth_require_t
*require
, const buffer
*username
, const char *pw
) {
558 plugin_data
*p
= (plugin_data
*)p_d
;
564 mod_authn_ldap_patch_connection(srv
, con
, p
);
566 if (pw
[0] == '\0' && !p
->conf
.auth_ldap_allow_empty_pw
)
567 return HANDLER_ERROR
;
569 template = p
->conf
.auth_ldap_filter
;
570 if (buffer_string_is_empty(template)) {
571 return HANDLER_ERROR
;
574 /* build filter to get DN for uid = username */
575 buffer_string_set_length(p
->ldap_filter
, 0);
576 if (*template->ptr
== ',') {
577 /* special-case filter template beginning with ',' to be explicit DN */
578 buffer_append_string_len(p
->ldap_filter
, CONST_STR_LEN("uid="));
579 mod_authn_append_ldap_dn_escape(p
->ldap_filter
, username
);
580 buffer_append_string_buffer(p
->ldap_filter
, template);
581 dn
= p
->ldap_filter
->ptr
;
583 for (char *b
= template->ptr
, *d
; *b
; b
= d
+1) {
584 if (NULL
!= (d
= strchr(b
, '?'))) {
585 buffer_append_string_len(p
->ldap_filter
, b
, (size_t)(d
- b
));
586 mod_authn_append_ldap_filter_escape(p
->ldap_filter
, username
);
588 d
= template->ptr
+ buffer_string_length(template);
589 buffer_append_string_len(p
->ldap_filter
, b
, (size_t)(d
- b
));
594 /* ldap_search for DN (synchronous; blocking) */
595 dn
= mod_authn_ldap_get_dn(srv
, p
->anon_conf
,
596 p
->conf
.auth_ldap_basedn
->ptr
,
597 p
->ldap_filter
->ptr
);
599 return HANDLER_ERROR
;
603 /* auth against LDAP server (synchronous; blocking) */
605 ld
= mod_authn_ldap_host_init(srv
, &p
->conf
);
607 if (dn
!= p
->ldap_filter
->ptr
) ldap_memfree(dn
);
608 return HANDLER_ERROR
;
611 if (LDAP_SUCCESS
!= mod_authn_ldap_bind(srv
, ld
, dn
, pw
)) {
613 if (dn
!= p
->ldap_filter
->ptr
) ldap_memfree(dn
);
614 return HANDLER_ERROR
;
617 ldap_unbind_ext_s(ld
, NULL
, NULL
); /* disconnect */
619 if (http_auth_match_rules(require
, username
->ptr
, NULL
, NULL
)) {
620 rc
= HANDLER_GO_ON
; /* access granted */
623 if (require
->group
->used
) {
624 /*(must not re-use p->ldap_filter, since it might be used for dn)*/
625 rc
= mod_authn_ldap_memberOf(srv
, &p
->conf
, require
, username
, dn
);
629 if (dn
!= p
->ldap_filter
->ptr
) ldap_memfree(dn
);
633 int mod_authn_ldap_plugin_init(plugin
*p
);
634 int mod_authn_ldap_plugin_init(plugin
*p
) {
635 p
->version
= LIGHTTPD_VERSION_ID
;
636 p
->name
= buffer_init_string("authn_ldap");
637 p
->init
= mod_authn_ldap_init
;
638 p
->set_defaults
= mod_authn_ldap_set_defaults
;
639 p
->cleanup
= mod_authn_ldap_free
;