10 #include "http_vhostdb.h"
15 * virtual host plugin using LDAP for domain to directory lookups
28 unsigned short starttls
;
38 plugin_config
**config_storage
;
42 static void mod_vhostdb_dbconf_free (void *vdata
)
44 vhostdb_config
*dbconf
= (vhostdb_config
*)vdata
;
46 if (NULL
!= dbconf
->ldap
) ldap_unbind_ext_s(dbconf
->ldap
, NULL
, NULL
);
50 static int mod_vhostdb_dbconf_setup (server
*srv
, array
*opts
, void **vdata
)
52 buffer
*filter
= NULL
;
53 const char *attr
= "documentRoot";
54 const char *basedn
=NULL
,*binddn
=NULL
,*bindpw
=NULL
,*host
=NULL
,*cafile
=NULL
;
55 unsigned short starttls
= 0;
57 for (size_t i
= 0; i
< opts
->used
; ++i
) {
58 const data_string
*ds
= (data_string
*)opts
->data
[i
];
59 if (ds
->type
== TYPE_STRING
) {
60 if (buffer_is_equal_caseless_string(ds
->key
, CONST_STR_LEN("filter"))) {
62 } else if (buffer_is_equal_caseless_string(ds
->key
, CONST_STR_LEN("attr"))) {
63 if (!buffer_string_is_empty(ds
->value
)) attr
= ds
->value
->ptr
;
64 } else if (buffer_is_equal_caseless_string(ds
->key
, CONST_STR_LEN("host"))) {
65 host
= ds
->value
->ptr
;
66 } else if (buffer_is_equal_caseless_string(ds
->key
, CONST_STR_LEN("base-dn"))) {
67 if (!buffer_string_is_empty(ds
->value
)) basedn
= ds
->value
->ptr
;
68 } else if (buffer_is_equal_caseless_string(ds
->key
, CONST_STR_LEN("bind-dn"))) {
69 if (!buffer_string_is_empty(ds
->value
)) binddn
= ds
->value
->ptr
;
70 } else if (buffer_is_equal_caseless_string(ds
->key
, CONST_STR_LEN("bind-pw"))) {
71 bindpw
= ds
->value
->ptr
;
72 } else if (buffer_is_equal_caseless_string(ds
->key
, CONST_STR_LEN("ca-file"))) {
73 if (!buffer_string_is_empty(ds
->value
)) cafile
= ds
->value
->ptr
;
74 } else if (buffer_is_equal_caseless_string(ds
->key
, CONST_STR_LEN("starttls"))) {
75 starttls
= !buffer_is_equal_string(ds
->value
, CONST_STR_LEN("disable"))
76 && !buffer_is_equal_string(ds
->value
, CONST_STR_LEN("0"));
83 * - filter (LDAP query)
87 * - attr (LDAP attribute with docroot; default "documentRoot")
94 if (!buffer_string_is_empty(filter
) && NULL
!= host
&& NULL
!= basedn
) {
95 vhostdb_config
*dbconf
;
97 if (NULL
== strchr(filter
->ptr
, '?')) {
98 log_error_write(srv
, __FILE__
, __LINE__
, "s",
99 "ldap: filter is missing a replace-operator '?'");
103 /* openldap sets FD_CLOEXEC on database socket descriptors
104 * (still race between creation of socket and fcntl FD_CLOEXEC)
105 * (YMMV with other LDAP client libraries) */
107 dbconf
= (vhostdb_config
*)calloc(1, sizeof(*dbconf
));
109 dbconf
->filter
= filter
;
112 dbconf
->basedn
= basedn
;
113 dbconf
->binddn
= binddn
;
114 dbconf
->bindpw
= bindpw
;
115 dbconf
->cafile
= cafile
;
116 dbconf
->starttls
= starttls
;
123 * Note: a large portion of the LDAP code is copied verbatim from mod_authn_ldap
124 * with only changes being use of vhostdb_config instead of plugin_config struct
125 * and (const char *) strings in vhostdb_config instead of (buffer *).
128 static void mod_authn_ldap_err(server
*srv
, const char *file
, unsigned long line
, const char *fn
, int err
)
130 log_error_write(srv
,file
,line
,"sSss","ldap:",fn
,":",ldap_err2string(err
));
133 static void mod_authn_ldap_opt_err(server
*srv
, const char *file
, unsigned long line
, const char *fn
, LDAP
*ld
)
136 ldap_get_option(ld
, LDAP_OPT_ERROR_NUMBER
, &err
);
137 mod_authn_ldap_err(srv
, file
, line
, fn
, err
);
140 static void mod_authn_append_ldap_filter_escape(buffer
* const filter
, const buffer
* const raw
) {
141 /* [RFC4515] 3. String Search Filter Definition
145 * The <valueencoding> rule ensures that the entire filter string is a
146 * valid UTF-8 string and provides that the octets that represent the
147 * ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
148 * 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
149 * backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
150 * representing the value of the encoded octet.
154 * As indicated by the <valueencoding> rule, implementations MUST escape
155 * all octets greater than 0x7F that are not part of a valid UTF-8
156 * encoding sequence when they generate a string representation of a
157 * search filter. Implementations SHOULD accept as input strings that
158 * are not valid UTF-8 strings. This is necessary because RFC 2254 did
159 * not clearly define the term "string representation" (and in
160 * particular did not mention that the string representation of an LDAP
161 * search filter is a string of UTF-8-encoded Unicode characters).
164 * https://www.ldap.com/ldap-filters
165 * Although not required, you may escape any other characters that you want
166 * in the assertion value (or substring component) of a filter. This may be
167 * accomplished by prefixing the hexadecimal representation of each byte of
168 * the UTF-8 encoding of the character to escape with a backslash character.
170 const char * const b
= raw
->ptr
;
171 const size_t rlen
= buffer_string_length(raw
);
172 for (size_t i
= 0; i
< rlen
; ++i
) {
176 /* encode all UTF-8 chars with high bit set
177 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
178 if (((unsigned char *)b
)[len
] > 0x7f)
183 case '\0': case '(': case ')': case '*': case '\\':
187 } while (++len
< rlen
);
191 buffer_append_string_len(filter
, b
+i
, len
);
192 if ((i
+= len
) == rlen
) break;
195 /* escape * ( ) \ NUL ('\0') (and all UTF-8 chars with high bit set) */
196 buffer_string_prepare_append(filter
, 3);
197 f
= filter
->ptr
+ buffer_string_length(filter
);
199 f
[1] = "0123456789abcdef"[(((unsigned char *)b
)[i
] >> 4) & 0xf];
200 f
[2] = "0123456789abcdef"[(((unsigned char *)b
)[i
] ) & 0xf];
201 buffer_commit(filter
, 3);
205 static LDAP
* mod_authn_ldap_host_init(server
*srv
, vhostdb_config
*s
) {
209 ld
= ldap_init(s
->host
, LDAP_PORT
);
211 log_error_write(srv
, __FILE__
, __LINE__
, "sss", "ldap:", "ldap_init():",
217 ret
= ldap_set_option(ld
, LDAP_OPT_PROTOCOL_VERSION
, &ret
);
218 if (LDAP_OPT_SUCCESS
!= ret
) {
219 mod_authn_ldap_err(srv
, __FILE__
, __LINE__
, "ldap_set_options()", ret
);
225 /* if no CA file is given, it is ok, as we will use encryption
226 * if the server requires a CAfile it will tell us */
228 ret
= ldap_set_option(NULL
, LDAP_OPT_X_TLS_CACERTFILE
, s
->cafile
);
229 if (LDAP_OPT_SUCCESS
!= ret
) {
230 mod_authn_ldap_err(srv
, __FILE__
, __LINE__
,
231 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)",
238 ret
= ldap_start_tls_s(ld
, NULL
, NULL
);
239 if (LDAP_OPT_SUCCESS
!= ret
) {
240 mod_authn_ldap_err(srv
,__FILE__
,__LINE__
,"ldap_start_tls_s()",ret
);
249 static int mod_authn_ldap_bind(server
*srv
, LDAP
*ld
, const char *dn
, const char *pw
) {
255 *((const char **)&creds
.bv_val
) = pw
; /*(cast away const)*/
256 creds
.bv_len
= strlen(pw
);
262 /* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */
264 ret
= ldap_sasl_bind_s(ld
,dn
,LDAP_SASL_SIMPLE
,&creds
,NULL
,NULL
,NULL
);
265 if (ret
!= LDAP_SUCCESS
) {
266 mod_authn_ldap_err(srv
, __FILE__
, __LINE__
, "ldap_sasl_bind_s()", ret
);
269 int ret
= ldap_simple_bind_s(ld
, dn
, pw
);
270 if (ret
!= LDAP_SUCCESS
) {
271 mod_authn_ldap_err(srv
, __FILE__
, __LINE__
, "ldap_simple_bind_s()",ret
);
278 static LDAPMessage
* mod_authn_ldap_search(server
*srv
, vhostdb_config
*s
, char *base
, char *filter
) {
279 LDAPMessage
*lm
= NULL
;
280 char *attrs
[] = { LDAP_NO_ATTRS
, NULL
};
284 * 1. connect anonymously (if not already connected)
285 * (ldap connection is kept open unless connection-level error occurs)
286 * 2. issue search using filter
289 if (s
->ldap
!= NULL
) {
290 ret
= ldap_search_ext_s(s
->ldap
, base
, LDAP_SCOPE_SUBTREE
, filter
,
291 attrs
, 0, NULL
, NULL
, NULL
, 0, &lm
);
292 if (LDAP_SUCCESS
== ret
) {
294 } else if (LDAP_SERVER_DOWN
!= ret
) {
295 /* try again (or initial request);
296 * ldap lib sometimes fails for the first call but reconnects */
297 ret
= ldap_search_ext_s(s
->ldap
, base
, LDAP_SCOPE_SUBTREE
, filter
,
298 attrs
, 0, NULL
, NULL
, NULL
, 0, &lm
);
299 if (LDAP_SUCCESS
== ret
) {
304 ldap_unbind_ext_s(s
->ldap
, NULL
, NULL
);
307 s
->ldap
= mod_authn_ldap_host_init(srv
, s
);
308 if (NULL
== s
->ldap
) {
312 ret
= mod_authn_ldap_bind(srv
, s
->ldap
, s
->binddn
, s
->bindpw
);
313 if (LDAP_SUCCESS
!= ret
) {
314 ldap_memfree(s
->ldap
);
319 ret
= ldap_search_ext_s(s
->ldap
, base
, LDAP_SCOPE_SUBTREE
, filter
,
320 attrs
, 0, NULL
, NULL
, NULL
, 0, &lm
);
321 if (LDAP_SUCCESS
!= ret
) {
322 log_error_write(srv
, __FILE__
, __LINE__
, "sSss",
323 "ldap:", ldap_err2string(ret
), "; filter:", filter
);
324 ldap_unbind_ext_s(s
->ldap
, NULL
, NULL
);
332 static void mod_vhostdb_patch_connection (server
*srv
, connection
*con
, plugin_data
*p
);
334 static int mod_vhostdb_ldap_query(server
*srv
, connection
*con
, void *p_d
, buffer
*docroot
)
336 plugin_data
*p
= (plugin_data
*)p_d
;
337 vhostdb_config
*dbconf
;
339 LDAPMessage
*lm
, *first
;
340 struct berval
**vals
;
345 /*(reuse buffer for ldap query before generating docroot result)*/
346 buffer
*filter
= docroot
;
347 buffer_string_set_length(filter
, 0); /*(also resets docroot (alias))*/
349 mod_vhostdb_patch_connection(srv
, con
, p
);
350 if (NULL
== p
->conf
.vdata
) return 0; /*(after resetting docroot)*/
351 dbconf
= (vhostdb_config
*)p
->conf
.vdata
;
353 template = dbconf
->filter
;
354 for (char *b
= template->ptr
, *d
; *b
; b
= d
+1) {
355 if (NULL
!= (d
= strchr(b
, '?'))) {
356 buffer_append_string_len(filter
, b
, (size_t)(d
- b
));
357 mod_authn_append_ldap_filter_escape(filter
, con
->uri
.authority
);
359 d
= template->ptr
+ buffer_string_length(template);
360 buffer_append_string_len(filter
, b
, (size_t)(d
- b
));
365 /* (cast away const for poor LDAP ldap_search_ext_s() prototype) */
366 *(const char **)&basedn
= dbconf
->basedn
;
368 /* ldap_search (synchronous; blocking) */
369 lm
= mod_authn_ldap_search(srv
, dbconf
, basedn
, filter
->ptr
);
374 /*(must be after mod_authn_ldap_search(); might reconnect)*/
377 count
= ldap_count_entries(ld
, lm
);
379 log_error_write(srv
, __FILE__
, __LINE__
, "ssb",
380 "ldap:", "more than one record returned. "
381 "you might have to refine the filter:", filter
);
384 buffer_string_set_length(docroot
, 0); /*(reset buffer to store result)*/
386 if (0 == count
) { /*(no entries found)*/
391 if (NULL
== (first
= ldap_first_entry(ld
, lm
))) {
392 mod_authn_ldap_opt_err(srv
,__FILE__
,__LINE__
,"ldap_first_entry()",ld
);
397 if (NULL
!= (vals
= ldap_get_values_len(ld
, first
, dbconf
->attr
))) {
398 buffer_copy_string_len(docroot
, vals
[0]->bv_val
, vals
[0]->bv_len
);
399 ldap_value_free_len(vals
);
409 INIT_FUNC(mod_vhostdb_init
) {
410 static http_vhostdb_backend_t http_vhostdb_backend_ldap
=
411 { "ldap", mod_vhostdb_ldap_query
, NULL
};
412 plugin_data
*p
= calloc(1, sizeof(*p
));
414 /* register http_vhostdb_backend_ldap */
415 http_vhostdb_backend_ldap
.p_d
= p
;
416 http_vhostdb_backend_set(&http_vhostdb_backend_ldap
);
421 FREE_FUNC(mod_vhostdb_cleanup
) {
422 plugin_data
*p
= p_d
;
423 if (!p
) return HANDLER_GO_ON
;
425 if (p
->config_storage
) {
426 for (size_t i
= 0; i
< srv
->config_context
->used
; i
++) {
427 plugin_config
*s
= p
->config_storage
[i
];
429 mod_vhostdb_dbconf_free(s
->vdata
);
430 array_free(s
->options
);
433 free(p
->config_storage
);
438 return HANDLER_GO_ON
;
441 SETDEFAULTS_FUNC(mod_vhostdb_set_defaults
) {
442 plugin_data
*p
= p_d
;
444 config_values_t cv
[] = {
445 { "vhostdb.ldap", NULL
, T_CONFIG_ARRAY
, T_CONFIG_SCOPE_CONNECTION
},
446 { NULL
, NULL
, T_CONFIG_UNSET
, T_CONFIG_SCOPE_UNSET
}
449 p
->config_storage
= calloc(1, srv
->config_context
->used
* sizeof(specific_config
*));
451 for (size_t i
= 0; i
< srv
->config_context
->used
; ++i
) {
452 data_config
const *config
= (data_config
const*)srv
->config_context
->data
[i
];
453 plugin_config
*s
= calloc(1, sizeof(plugin_config
));
455 s
->options
= array_init();
456 cv
[0].destination
= s
->options
;
458 p
->config_storage
[i
] = s
;
460 if (config_insert_values_global(srv
, config
->value
, cv
, i
== 0 ? T_CONFIG_SCOPE_SERVER
: T_CONFIG_SCOPE_CONNECTION
)) {
461 return HANDLER_ERROR
;
464 if (!array_is_kvstring(s
->options
)) {
465 log_error_write(srv
, __FILE__
, __LINE__
, "s",
466 "unexpected value for vhostdb.ldap; expected list of \"option\" => \"value\"");
467 return HANDLER_ERROR
;
471 && 0 != mod_vhostdb_dbconf_setup(srv
, s
->options
, &s
->vdata
)) {
472 return HANDLER_ERROR
;
476 return HANDLER_GO_ON
;
481 static void mod_vhostdb_patch_connection (server
*srv
, connection
*con
, plugin_data
*p
)
483 plugin_config
*s
= p
->config_storage
[0];
486 /* skip the first, the global context */
487 for (size_t i
= 1; i
< srv
->config_context
->used
; ++i
) {
488 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
489 s
= p
->config_storage
[i
];
491 /* condition didn't match */
492 if (!config_check_cond(srv
, con
, dc
)) continue;
495 for (size_t j
= 0; j
< dc
->value
->used
; ++j
) {
496 data_unset
*du
= dc
->value
->data
[j
];
498 if (buffer_is_equal_string(du
->key
,CONST_STR_LEN("vhostdb.ldap"))) {
506 /* this function is called at dlopen() time and inits the callbacks */
507 int mod_vhostdb_ldap_plugin_init (plugin
*p
);
508 int mod_vhostdb_ldap_plugin_init (plugin
*p
)
510 p
->version
= LIGHTTPD_VERSION_ID
;
511 p
->name
= buffer_init_string("vhostdb_ldap");
513 p
->init
= mod_vhostdb_init
;
514 p
->cleanup
= mod_vhostdb_cleanup
;
515 p
->set_defaults
= mod_vhostdb_set_defaults
;