search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[core] cleanup: consolidate FAM code in stat_cache
[lighttpd.git] / src / mod_authn_ldap.c
blobd8be4f5f9dd4135f6d753f87af6de6ef9872f30d
1 #include "first.h"
2
3 #define USE_LDAP
4 #include <ldap.h>
5
6 #include "server.h"
7 #include "http_auth.h"
8 #include "log.h"
9 #include "plugin.h"
10
11 #include <errno.h>
12 #include <string.h>
13
14 typedef struct {
15 LDAP *ldap;
16
17 buffer *auth_ldap_hostname;
18 buffer *auth_ldap_basedn;
19 buffer *auth_ldap_binddn;
20 buffer *auth_ldap_bindpw;
21 buffer *auth_ldap_filter;
22 buffer *auth_ldap_cafile;
23 buffer *auth_ldap_groupmember;
24 unsigned short auth_ldap_starttls;
25 unsigned short auth_ldap_allow_empty_pw;
26 } plugin_config;
27
28 typedef struct {
29 PLUGIN_DATA;
30 plugin_config **config_storage;
31 plugin_config conf, *anon_conf; /* this is only used as long as no handler_ctx is setup */
32
33 buffer *ldap_filter;
34 } plugin_data;
35
36 static handler_t mod_authn_ldap_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
37
38 INIT_FUNC(mod_authn_ldap_init) {
39 static http_auth_backend_t http_auth_backend_ldap =
40 { "ldap", mod_authn_ldap_basic, NULL, NULL };
41 plugin_data *p = calloc(1, sizeof(*p));
42 p->ldap_filter = buffer_init();
43
44 /* register http_auth_backend_ldap */
45 http_auth_backend_ldap.p_d = p;
46 http_auth_backend_set(&http_auth_backend_ldap);
47
48 return p;
49 }
50
51 FREE_FUNC(mod_authn_ldap_free) {
52 plugin_data *p = p_d;
53
54 UNUSED(srv);
55
56 if (!p) return HANDLER_GO_ON;
57
58 buffer_free(p->ldap_filter);
59
60 if (p->config_storage) {
61 size_t i;
62 for (i = 0; i < srv->config_context->used; i++) {
63 plugin_config *s = p->config_storage[i];
64
65 if (NULL == s) continue;
66
67 buffer_free(s->auth_ldap_hostname);
68 buffer_free(s->auth_ldap_basedn);
69 buffer_free(s->auth_ldap_binddn);
70 buffer_free(s->auth_ldap_bindpw);
71 buffer_free(s->auth_ldap_filter);
72 buffer_free(s->auth_ldap_cafile);
73 buffer_free(s->auth_ldap_groupmember);
74
75 if (NULL != s->ldap) ldap_unbind_ext_s(s->ldap, NULL, NULL);
76 free(s);
77 }
78 free(p->config_storage);
79 }
80
81 free(p);
82
83 return HANDLER_GO_ON;
84 }
85
86 SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
87 plugin_data *p = p_d;
88 size_t i;
89 config_values_t cv[] = {
90 { "auth.backend.ldap.hostname", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
91 { "auth.backend.ldap.base-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
92 { "auth.backend.ldap.filter", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
93 { "auth.backend.ldap.ca-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
94 { "auth.backend.ldap.starttls", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
95 { "auth.backend.ldap.bind-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 5 */
96 { "auth.backend.ldap.bind-pw", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 6 */
97 { "auth.backend.ldap.allow-empty-pw", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 7 */
98 { "auth.backend.ldap.groupmember", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 8 */
99 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
100 };
101
102 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
103
104 for (i = 0; i < srv->config_context->used; i++) {
105 data_config const* config = (data_config const*)srv->config_context->data[i];
106 plugin_config *s;
107
108 s = calloc(1, sizeof(plugin_config));
109
110 s->auth_ldap_hostname = buffer_init();
111 s->auth_ldap_basedn = buffer_init();
112 s->auth_ldap_binddn = buffer_init();
113 s->auth_ldap_bindpw = buffer_init();
114 s->auth_ldap_filter = buffer_init();
115 s->auth_ldap_cafile = buffer_init();
116 s->auth_ldap_groupmember = buffer_init_string("memberUid");
117 s->auth_ldap_starttls = 0;
118 s->ldap = NULL;
119
120 cv[0].destination = s->auth_ldap_hostname;
121 cv[1].destination = s->auth_ldap_basedn;
122 cv[2].destination = s->auth_ldap_filter;
123 cv[3].destination = s->auth_ldap_cafile;
124 cv[4].destination = &(s->auth_ldap_starttls);
125 cv[5].destination = s->auth_ldap_binddn;
126 cv[6].destination = s->auth_ldap_bindpw;
127 cv[7].destination = &(s->auth_ldap_allow_empty_pw);
128 cv[8].destination = s->auth_ldap_groupmember;
129
130 p->config_storage[i] = s;
131
132 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
133 return HANDLER_ERROR;
134 }
135
136 if (!buffer_string_is_empty(s->auth_ldap_filter)) {
137 if (*s->auth_ldap_filter->ptr != ',') {
138 /*(translate '$' to '?' for consistency with other modules)*/
139 char *d = s->auth_ldap_filter->ptr;
140 for (; NULL != (d = strchr(d, '$')); ++d) *d = '?';
141 if (NULL == strchr(s->auth_ldap_filter->ptr, '?')) {
142 log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.filter is missing a replace-operator '?'");
143 return HANDLER_ERROR;
144 }
145 }
146 }
147 }
148
149 return HANDLER_GO_ON;
150 }
151
152 #define PATCH(x) \
153 p->conf.x = s->x;
154 static int mod_authn_ldap_patch_connection(server *srv, connection *con, plugin_data *p) {
155 size_t i, j;
156 plugin_config *s = p->config_storage[0];
157
158 PATCH(auth_ldap_hostname);
159 PATCH(auth_ldap_basedn);
160 PATCH(auth_ldap_binddn);
161 PATCH(auth_ldap_bindpw);
162 PATCH(auth_ldap_filter);
163 PATCH(auth_ldap_cafile);
164 PATCH(auth_ldap_starttls);
165 PATCH(auth_ldap_allow_empty_pw);
166 PATCH(auth_ldap_groupmember);
167 p->anon_conf = s;
168
169 /* skip the first, the global context */
170 for (i = 1; i < srv->config_context->used; i++) {
171 data_config *dc = (data_config *)srv->config_context->data[i];
172 s = p->config_storage[i];
173
174 /* condition didn't match */
175 if (!config_check_cond(srv, con, dc)) continue;
176
177 /* merge config */
178 for (j = 0; j < dc->value->used; j++) {
179 data_unset *du = dc->value->data[j];
180
181 if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.hostname"))) {
182 PATCH(auth_ldap_hostname);
183 p->anon_conf = s;
184 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.base-dn"))) {
185 PATCH(auth_ldap_basedn);
186 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.filter"))) {
187 PATCH(auth_ldap_filter);
188 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
189 PATCH(auth_ldap_cafile);
190 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
191 PATCH(auth_ldap_starttls);
192 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.bind-dn"))) {
193 PATCH(auth_ldap_binddn);
194 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.bind-pw"))) {
195 PATCH(auth_ldap_bindpw);
196 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) {
197 PATCH(auth_ldap_allow_empty_pw);
198 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.groupmember"))) {
199 PATCH(auth_ldap_groupmember);
200 }
201 }
202 }
203
204 return 0;
205 }
206 #undef PATCH
207
208 static void mod_authn_ldap_err(server *srv, const char *file, unsigned long line, const char *fn, int err)
209 {
210 log_error_write(srv,file,line,"sSss","ldap:",fn,":",ldap_err2string(err));
211 }
212
213 static void mod_authn_ldap_opt_err(server *srv, const char *file, unsigned long line, const char *fn, LDAP *ld)
214 {
215 int err;
216 ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err);
217 mod_authn_ldap_err(srv, file, line, fn, err);
218 }
219
220 static void mod_authn_append_ldap_dn_escape(buffer * const filter, const buffer * const raw) {
221 /* [RFC4514] 2.4 Converting an AttributeValue from ASN.1 to a String
222 *
223 * https://www.ldap.com/ldap-dns-and-rdns
224 * http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
225 */
226 const char * const b = raw->ptr;
227 const size_t rlen = buffer_string_length(raw);
228 if (0 == rlen) return;
229
230 if (b[0] == ' ') { /* || b[0] == '#' handled below for MS Active Directory*/
231 /* escape leading ' ' */
232 buffer_append_string_len(filter, CONST_STR_LEN("\\"));
233 }
234
235 for (size_t i = 0; i < rlen; ++i) {
236 size_t len = i;
237 int bs = 0;
238 do {
239 /* encode all UTF-8 chars with high bit set
240 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
241 if (((unsigned char *)b)[len] > 0x7f)
242 break;
243 switch (b[len]) {
244 default:
245 continue;
246 case '"': case '+': case ',': case ';': case '\\':
247 case '<': case '>':
248 case '=': case '#': /* (for MS Active Directory) */
249 bs = 1;
250 break;
251 case '\0':
252 break;
253 }
254 break;
255 } while (++len < rlen);
256 len -= i;
257
258 if (len) {
259 buffer_append_string_len(filter, b+i, len);
260 if ((i += len) == rlen) break;
261 }
262
263 if (bs) {
264 buffer_append_string_len(filter, CONST_STR_LEN("\\"));
265 buffer_append_string_len(filter, b+i, 1);
266 }
267 else {
268 /* escape NUL ('\0') (and all UTF-8 chars with high bit set) */
269 char *f;
270 buffer_string_prepare_append(filter, 3);
271 f = filter->ptr + buffer_string_length(filter);
272 f[0] = '\\';
273 f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
274 f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
275 buffer_commit(filter, 3);
276 }
277 }
278
279 if (rlen > 1 && b[rlen-1] == ' ') {
280 /* escape trailing ' ' */
281 filter->ptr[buffer_string_length(filter)-1] = '\\';
282 buffer_append_string_len(filter, CONST_STR_LEN(" "));
283 }
284 }
285
286 static void mod_authn_append_ldap_filter_escape(buffer * const filter, const buffer * const raw) {
287 /* [RFC4515] 3. String Search Filter Definition
288 *
289 * [...]
290 *
291 * The <valueencoding> rule ensures that the entire filter string is a
292 * valid UTF-8 string and provides that the octets that represent the
293 * ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
294 * 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
295 * backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
296 * representing the value of the encoded octet.
297 *
298 * [...]
299 *
300 * As indicated by the <valueencoding> rule, implementations MUST escape
301 * all octets greater than 0x7F that are not part of a valid UTF-8
302 * encoding sequence when they generate a string representation of a
303 * search filter. Implementations SHOULD accept as input strings that
304 * are not valid UTF-8 strings. This is necessary because RFC 2254 did
305 * not clearly define the term "string representation" (and in
306 * particular did not mention that the string representation of an LDAP
307 * search filter is a string of UTF-8-encoded Unicode characters).
308 *
309 *
310 * https://www.ldap.com/ldap-filters
311 * Although not required, you may escape any other characters that you want
312 * in the assertion value (or substring component) of a filter. This may be
313 * accomplished by prefixing the hexadecimal representation of each byte of
314 * the UTF-8 encoding of the character to escape with a backslash character.
315 */
316 const char * const b = raw->ptr;
317 const size_t rlen = buffer_string_length(raw);
318 for (size_t i = 0; i < rlen; ++i) {
319 size_t len = i;
320 char *f;
321 do {
322 /* encode all UTF-8 chars with high bit set
323 * (instead of validating UTF-8 and escaping only invalid UTF-8) */
324 if (((unsigned char *)b)[len] > 0x7f)
325 break;
326 switch (b[len]) {
327 default:
328 continue;
329 case '\0': case '(': case ')': case '*': case '\\':
330 break;
331 }
332 break;
333 } while (++len < rlen);
334 len -= i;
335
336 if (len) {
337 buffer_append_string_len(filter, b+i, len);
338 if ((i += len) == rlen) break;
339 }
340
341 /* escape * ( ) \ NUL ('\0') (and all UTF-8 chars with high bit set) */
342 buffer_string_prepare_append(filter, 3);
343 f = filter->ptr + buffer_string_length(filter);
344 f[0] = '\\';
345 f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
346 f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
347 buffer_commit(filter, 3);
348 }
349 }
350
351 static LDAP * mod_authn_ldap_host_init(server *srv, plugin_config *s) {
352 LDAP *ld;
353 int ret;
354
355 if (buffer_string_is_empty(s->auth_ldap_hostname)) return NULL;
356
357 ld = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT);
358 if (NULL == ld) {
359 log_error_write(srv, __FILE__, __LINE__, "sss", "ldap:", "ldap_init():",
360 strerror(errno));
361 return NULL;
362 }
363
364 ret = LDAP_VERSION3;
365 ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ret);
366 if (LDAP_OPT_SUCCESS != ret) {
367 mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_set_options()", ret);
368 ldap_memfree(ld);
369 return NULL;
370 }
371
372 if (s->auth_ldap_starttls) {
373 /* if no CA file is given, it is ok, as we will use encryption
374 * if the server requires a CAfile it will tell us */
375 if (!buffer_string_is_empty(s->auth_ldap_cafile)) {
376 ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
377 s->auth_ldap_cafile->ptr);
378 if (LDAP_OPT_SUCCESS != ret) {
379 mod_authn_ldap_err(srv, __FILE__, __LINE__,
380 "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)",
381 ret);
382 ldap_memfree(ld);
383 return NULL;
384 }
385 }
386
387 ret = ldap_start_tls_s(ld, NULL, NULL);
388 if (LDAP_OPT_SUCCESS != ret) {
389 mod_authn_ldap_err(srv,__FILE__,__LINE__,"ldap_start_tls_s()",ret);
390 ldap_memfree(ld);
391 return NULL;
392 }
393 }
394
395 return ld;
396 }
397
398 static int mod_authn_ldap_bind(server *srv, LDAP *ld, const char *dn, const char *pw) {
399 #if 0
400 struct berval creds;
401 int ret;
402
403 if (NULL != pw) {
404 *((const char **)&creds.bv_val) = pw; /*(cast away const)*/
405 creds.bv_len = strlen(pw);
406 } else {
407 creds.bv_val = NULL;
408 creds.bv_len = 0;
409 }
410
411 /* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */
412
413 ret = ldap_sasl_bind_s(ld,dn,LDAP_SASL_SIMPLE,&creds,NULL,NULL,NULL);
414 if (ret != LDAP_SUCCESS) {
415 mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_sasl_bind_s()", ret);
416 }
417 #else
418 int ret = ldap_simple_bind_s(ld, dn, pw);
419 if (ret != LDAP_SUCCESS) {
420 mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_simple_bind_s()",ret);
421 }
422 #endif
423
424 return ret;
425 }
426
427 static LDAPMessage * mod_authn_ldap_search(server *srv, plugin_config *s, char *base, char *filter) {
428 LDAPMessage *lm = NULL;
429 char *attrs[] = { LDAP_NO_ATTRS, NULL };
430 int ret;
431
432 /*
433 * 1. connect anonymously (if not already connected)
434 * (ldap connection is kept open unless connection-level error occurs)
435 * 2. issue search using filter
436 */
437
438 if (s->ldap != NULL) {
439 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
440 attrs, 0, NULL, NULL, NULL, 0, &lm);
441 if (LDAP_SUCCESS == ret) {
442 return lm;
443 } else if (LDAP_SERVER_DOWN != ret) {
444 /* try again (or initial request);
445 * ldap lib sometimes fails for the first call but reconnects */
446 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
447 attrs, 0, NULL, NULL, NULL, 0, &lm);
448 if (LDAP_SUCCESS == ret) {
449 return lm;
450 }
451 }
452
453 ldap_unbind_ext_s(s->ldap, NULL, NULL);
454 }
455
456 s->ldap = mod_authn_ldap_host_init(srv, s);
457 if (NULL == s->ldap) {
458 return NULL;
459 }
460
461 ret = !buffer_string_is_empty(s->auth_ldap_binddn)
462 ? mod_authn_ldap_bind(srv, s->ldap,
463 s->auth_ldap_binddn->ptr,
464 s->auth_ldap_bindpw->ptr)
465 : mod_authn_ldap_bind(srv, s->ldap, NULL, NULL);
466 if (LDAP_SUCCESS != ret) {
467 ldap_memfree(s->ldap);
468 s->ldap = NULL;
469 return NULL;
470 }
471
472 ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
473 attrs, 0, NULL, NULL, NULL, 0, &lm);
474 if (LDAP_SUCCESS != ret) {
475 log_error_write(srv, __FILE__, __LINE__, "sSss",
476 "ldap:", ldap_err2string(ret), "; filter:", filter);
477 ldap_unbind_ext_s(s->ldap, NULL, NULL);
478 s->ldap = NULL;
479 return NULL;
480 }
481
482 return lm;
483 }
484
485 static char * mod_authn_ldap_get_dn(server *srv, plugin_config *s, char *base, char *filter) {
486 LDAP *ld;
487 LDAPMessage *lm, *first;
488 char *dn;
489 int count;
490
491 lm = mod_authn_ldap_search(srv, s, base, filter);
492 if (NULL == lm) {
493 return NULL;
494 }
495
496 ld = s->ldap; /*(must be after mod_authn_ldap_search(); might reconnect)*/
497
498 count = ldap_count_entries(ld, lm);
499 if (0 == count) { /*(no entires found)*/
500 ldap_msgfree(lm);
501 return NULL;
502 } else if (count > 1) {
503 log_error_write(srv, __FILE__, __LINE__, "sss",
504 "ldap:", "more than one record returned. "
505 "you might have to refine the filter:", filter);
506 }
507
508 if (NULL == (first = ldap_first_entry(ld, lm))) {
509 mod_authn_ldap_opt_err(srv,__FILE__,__LINE__,"ldap_first_entry()",ld);
510 ldap_msgfree(lm);
511 return NULL;
512 }
513
514 if (NULL == (dn = ldap_get_dn(ld, first))) {
515 mod_authn_ldap_opt_err(srv,__FILE__,__LINE__,"ldap_get_dn()",ld);
516 ldap_msgfree(lm);
517 return NULL;
518 }
519
520 ldap_msgfree(lm);
521 return dn;
522 }
523
524 static handler_t mod_authn_ldap_memberOf(server *srv, plugin_config *s, const http_auth_require_t *require, const buffer *username, const char *userdn) {
525 array *groups = require->group;
526 buffer *filter = buffer_init();
527 handler_t rc = HANDLER_ERROR;
528
529 buffer_copy_string_len(filter, CONST_STR_LEN("("));
530 buffer_append_string_buffer(filter, s->auth_ldap_groupmember);
531 buffer_append_string_len(filter, CONST_STR_LEN("="));
532 if (buffer_is_equal_string(s->auth_ldap_groupmember,
533 CONST_STR_LEN("member"))) {
534 buffer_append_string(filter, userdn);
535 } else { /*(assume "memberUid"; consider validating in SETDEFAULTS_FUNC)*/
536 mod_authn_append_ldap_filter_escape(filter, username);
537 }
538 buffer_append_string_len(filter, CONST_STR_LEN(")"));
539
540 for (size_t i = 0; i < groups->used; ++i) {
541 char *base = groups->data[i]->key->ptr;
542 LDAPMessage *lm = mod_authn_ldap_search(srv, s, base, filter->ptr);
543 if (NULL != lm) {
544 int count = ldap_count_entries(s->ldap, lm);
545 ldap_msgfree(lm);
546 if (count > 0) {
547 rc = HANDLER_GO_ON;
548 break;
549 }
550 }
551 }
552
553 buffer_free(filter);
554 return rc;
555 }
556
557 static handler_t mod_authn_ldap_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw) {
558 plugin_data *p = (plugin_data *)p_d;
559 LDAP *ld;
560 char *dn;
561 buffer *template;
562 handler_t rc;
563
564 mod_authn_ldap_patch_connection(srv, con, p);
565
566 if (pw[0] == '\0' && !p->conf.auth_ldap_allow_empty_pw)
567 return HANDLER_ERROR;
568
569 template = p->conf.auth_ldap_filter;
570 if (buffer_string_is_empty(template)) {
571 return HANDLER_ERROR;
572 }
573
574 /* build filter to get DN for uid = username */
575 buffer_string_set_length(p->ldap_filter, 0);
576 if (*template->ptr == ',') {
577 /* special-case filter template beginning with ',' to be explicit DN */
578 buffer_append_string_len(p->ldap_filter, CONST_STR_LEN("uid="));
579 mod_authn_append_ldap_dn_escape(p->ldap_filter, username);
580 buffer_append_string_buffer(p->ldap_filter, template);
581 dn = p->ldap_filter->ptr;
582 } else {
583 for (char *b = template->ptr, *d; *b; b = d+1) {
584 if (NULL != (d = strchr(b, '?'))) {
585 buffer_append_string_len(p->ldap_filter, b, (size_t)(d - b));
586 mod_authn_append_ldap_filter_escape(p->ldap_filter, username);
587 } else {
588 d = template->ptr + buffer_string_length(template);
589 buffer_append_string_len(p->ldap_filter, b, (size_t)(d - b));
590 break;
591 }
592 }
593
594 /* ldap_search for DN (synchronous; blocking) */
595 dn = mod_authn_ldap_get_dn(srv, p->anon_conf,
596 p->conf.auth_ldap_basedn->ptr,
597 p->ldap_filter->ptr);
598 if (NULL == dn) {
599 return HANDLER_ERROR;
600 }
601 }
602
603 /* auth against LDAP server (synchronous; blocking) */
604
605 ld = mod_authn_ldap_host_init(srv, &p->conf);
606 if (NULL == ld) {
607 if (dn != p->ldap_filter->ptr) ldap_memfree(dn);
608 return HANDLER_ERROR;
609 }
610
611 if (LDAP_SUCCESS != mod_authn_ldap_bind(srv, ld, dn, pw)) {
612 ldap_memfree(ld);
613 if (dn != p->ldap_filter->ptr) ldap_memfree(dn);
614 return HANDLER_ERROR;
615 }
616
617 ldap_unbind_ext_s(ld, NULL, NULL); /* disconnect */
618
619 if (http_auth_match_rules(require, username->ptr, NULL, NULL)) {
620 rc = HANDLER_GO_ON; /* access granted */
621 } else {
622 rc = HANDLER_ERROR;
623 if (require->group->used) {
624 /*(must not re-use p->ldap_filter, since it might be used for dn)*/
625 rc = mod_authn_ldap_memberOf(srv, &p->conf, require, username, dn);
626 }
627 }
628
629 if (dn != p->ldap_filter->ptr) ldap_memfree(dn);
630 return rc;
631 }
632
633 int mod_authn_ldap_plugin_init(plugin *p);
634 int mod_authn_ldap_plugin_init(plugin *p) {
635 p->version = LIGHTTPD_VERSION_ID;
636 p->name = buffer_init_string("authn_ldap");
637 p->init = mod_authn_ldap_init;
638 p->set_defaults = mod_authn_ldap_set_defaults;
639 p->cleanup = mod_authn_ldap_free;
640
641 p->data = NULL;
642
643 return 0;
644 }
A fast webserver with minimal memory-footprint (lighttpd)