ldap_backend.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /*
10  * AUTHOR: Flavio Pescuma, MARA Systems AB <flavio@marasystems.com>
11  */
12 #include "squid.h"
13 
14 #include <cstdio>
15 
16 #define LDAP_DEPRECATED 1
17 
18 #include "auth/digest/eDirectory/ldap_backend.h"
19 
20 #if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
21 
22 #include <windows.h>
23 #include <winldap.h>
24 #ifndef LDAPAPI
25 #define LDAPAPI __cdecl
26 #endif
27 #ifdef LDAP_VERSION3
28 #ifndef LDAP_OPT_X_TLS
29 #define LDAP_OPT_X_TLS 0x6000
30 #endif
31 /* Some tricks to allow dynamic bind with ldap_start_tls_s entry point at
32  * run time.
33  */
34 #undef ldap_start_tls_s
35 #if LDAP_UNICODE
36 #define LDAP_START_TLS_S "ldap_start_tls_sW"
37 typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlW *, IN PLDAPControlW *);
38 #else
39 #define LDAP_START_TLS_S "ldap_start_tls_sA"
40 typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlA *, IN PLDAPControlA *);
41 #endif /* LDAP_UNICODE */
42 PFldap_start_tls_s Win32_ldap_start_tls_s;
43 #define ldap_start_tls_s(l,s,c) Win32_ldap_start_tls_s(l, nullptr, nullptr,s,c)
44 #endif /* LDAP_VERSION3 */
45 
46 #else
47 
48 #include <lber.h>
49 #include <ldap.h>
50 
51 #endif
52 #include "auth/digest/eDirectory/edir_ldapext.h"
53 #define PROGRAM_NAME "digest_pw_auth(LDAP_backend)"
54 
55 /* Globals */
56 
57 static LDAP *ld = nullptr;
58 static const char *passattr = nullptr;
59 static char *ldapServer = nullptr;
60 static const char *userbasedn = nullptr;
61 static const char *userdnattr = nullptr;
62 static const char *usersearchfilter = nullptr;
63 static const char *binddn = nullptr;
64 static const char *bindpasswd = nullptr;
65 static const char *delimiter = ":";
66 static int encrpass = 0;
67 static int searchscope = LDAP_SCOPE_SUBTREE;
68 static int persistent = 0;
69 static int noreferrals = 0;
70 static int port = LDAP_PORT;
71 static int strip_nt_domain = 0;
72 static int edir_universal_passwd = 0;
73 static int aliasderef = LDAP_DEREF_NEVER;
74 #if defined(NETSCAPE_SSL)
75 static char *sslpath = nullptr;
76 static int sslinit = 0;
77 #endif
78 static int connect_timeout = 0;
79 static int timelimit = LDAP_NO_LIMIT;
80 
81 #ifdef LDAP_VERSION3
82 /* Added for TLS support and version 3 */
83 static int use_tls = 0;
84 static int version = -1;
85 #endif
86 
87 static void ldapconnect(void);
88 static int readSecret(const char *filename);
89 
90 /* Yuck.. we need to glue to different versions of the API */
91 
92 #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
93 static void
94 squid_ldap_set_aliasderef(int deref)
95 {
96  ldap_set_option(ld, LDAP_OPT_DEREF, &deref);
97 }
98 static void
99 squid_ldap_set_referrals(int referrals)
100 {
101  int *value = static_cast<int*>(referrals ? LDAP_OPT_ON :LDAP_OPT_OFF);
102  ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
103 }
104 static void
105 squid_ldap_set_timelimit(int aTimeLimit)
106 {
107  ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &aTimeLimit);
108 }
109 static void
110 squid_ldap_set_connect_timeout(int aTimeLimit)
111 {
112 #if defined(LDAP_OPT_NETWORK_TIMEOUT)
113  struct timeval tv;
114  tv.tv_sec = aTimeLimit;
115  tv.tv_usec = 0;
116  ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
117 #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
118  aTimeLimit *= 1000;
119  ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &aTimeLimit);
120 #endif
121 }
122 
123 static void
124 squid_ldap_memfree(char *p)
125 {
126  ldap_memfree(p);
127 }
128 
129 #else
130 static int
131 squid_ldap_errno(LDAP * ld)
132 {
133  return ld->ld_errno;
134 }
135 static void
136 squid_ldap_set_aliasderef(int deref)
137 {
138  ld->ld_deref = deref;
139 }
140 static void
141 squid_ldap_set_referrals(int referrals)
142 {
143  if (referrals)
144  ld->ld_options |= LDAP_OPT_REFERRALS;
145  else
146  ld->ld_options &= ~LDAP_OPT_REFERRALS;
147 }
148 static void
149 squid_ldap_set_timelimit(int aTimeLimit)
150 {
151  ld->ld_timelimit = aTimeLimit;
152 }
153 static void
154 squid_ldap_set_connect_timeout(int aTimeLimit)
155 {
156  fprintf(stderr, "ERROR: Connect timeouts not supported in your LDAP library\n");
157 }
158 static void
159 squid_ldap_memfree(char *p)
160 {
161  free(p);
162 }
163 
164 #endif
165 
166 #ifdef LDAP_API_FEATURE_X_OPENLDAP
167 #if LDAP_VENDOR_VERSION > 194
168 #define HAS_URI_SUPPORT 1
169 #endif
170 #endif
171 
172 static int
173 ldap_escape_value(char *escaped, int size, const char *src)
174 {
175  int n = 0;
176  while (size > 4 && *src) {
177  switch (*src) {
178  case '*':
179  case '(':
180  case ')':
181  case '\\':
182  n += 3;
183  size -= 3;
184  if (size > 0) {
185  *escaped = '\\';
186  ++escaped;
187  std::snprintf(escaped, 3, "%02x", (int) *src);
188  ++src;
189  escaped += 2;
190  }
191  break;
192  default:
193  *escaped = *src;
194  ++escaped;
195  ++src;
196  ++n;
197  --size;
198  }
199  }
200  *escaped = '\0';
201  return n;
202 }
203 
204 static char *
205 getpassword(char *login, char *realm)
206 {
207  LDAPMessage *res = nullptr;
208  LDAPMessage *entry;
209  char **values = nullptr;
210  char **value = nullptr;
211  char *password = nullptr;
212  int retry = 0;
213  char filter[8192];
214  *filter = '\0';
215  char searchbase[8192];
216  *searchbase = '\0';
217  char *universal_password = nullptr;
218  size_t universal_password_len = 256;
219  int nmas_res = 0;
220  int rc = -1;
221  if (ld) {
222  if (usersearchfilter) {
223  char escaped_login[1024];
224  std::snprintf(searchbase, sizeof(searchbase), "%s", userbasedn);
225  ldap_escape_value(escaped_login, sizeof(escaped_login), login);
226  std::snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
227 
228 retrysrch:
229  debug("user filter '%s', searchbase '%s'\n", filter, searchbase);
230 
231  rc = ldap_search_s(ld, searchbase, searchscope, filter, nullptr, 0, &res);
232  if (rc != LDAP_SUCCESS) {
233  if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
234  /* Everything is fine. This is expected when referrals
235  * are disabled.
236  */
237  rc = LDAP_SUCCESS;
238  } else {
239  fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
240 #if defined(NETSCAPE_SSL)
241  if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
242  int sslerr = PORT_GetError();
243  fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
244  }
245 #endif
246  fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error, trying to recover'%s'\n", ldap_err2string(rc));
247  ldap_msgfree(res);
248  /* try to connect to the LDAP server again, maybe my persistent conexion failed. */
249  if (!retry) {
250  ++retry;
251  ldap_unbind(ld);
252  ld = nullptr;
253  ldapconnect();
254  goto retrysrch;
255  }
256  return nullptr;
257 
258  }
259  }
260  } else if (userdnattr) {
261  std::snprintf(searchbase, 8192, "%s=%s, %s", userdnattr, login, userbasedn);
262 
263 retrydnattr:
264  debug("searchbase '%s'\n", searchbase);
265  rc = ldap_search_s(ld, searchbase, searchscope, nullptr, nullptr, 0, &res);
266  }
267  if (rc == LDAP_SUCCESS) {
268  entry = ldap_first_entry(ld, res);
269  if (entry) {
270  const auto dn = ldap_get_dn(ld, entry);
271  if (!dn) {
272  fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", login);
273  ldap_msgfree(res);
274  return nullptr;
275  }
276  debug("ldap dn: %s\n", dn);
277  if (edir_universal_passwd) {
278 
279  /* allocate some memory for the universal password returned by NMAS */
280  universal_password = (char*)calloc(1, universal_password_len);
281  values = (char**)calloc(2, sizeof(char *));
282 
283  /* actually talk to NMAS to get a password */
284  nmas_res = nds_get_password(ld, dn, &universal_password_len, universal_password);
285  if (nmas_res == LDAP_SUCCESS && universal_password) {
286  debug("NMAS returned value %s\n", universal_password);
287  values[0] = universal_password;
288  values[1] = nullptr;
289  } else {
290  debug("Error reading Universal Password: %d = %s\n", nmas_res, ldap_err2string(nmas_res));
291  }
292  } else {
293  values = ldap_get_values(ld, entry, passattr);
294  }
295  squid_ldap_memfree(dn);
296  } else {
297  ldap_msgfree(res);
298  return nullptr;
299  }
300  if (!values) {
301  debug("No attribute value found\n");
302  if (edir_universal_passwd)
303  free(universal_password);
304  ldap_msgfree(res);
305  return nullptr;
306  }
307  value = values;
308  while (*value) {
309  if (encrpass) {
310  const char *t = strtok(*value, delimiter);
311  if (t && strcmp(t, realm) == 0) {
312  password = strtok(nullptr, delimiter);
313  break;
314  }
315  } else {
316  password = *value;
317  break;
318  }
319  ++value;
320  }
321  debug("password: %s\n", password);
322  if (password)
323  password = xstrdup(password);
324  if (edir_universal_passwd) {
325  free(values);
326  free(universal_password);
327  } else {
328  ldap_value_free(values);
329  }
330  ldap_msgfree(res);
331  return password;
332  } else {
333  fprintf(stderr, PROGRAM_NAME " WARNING, LDAP error '%s'\n", ldap_err2string(rc));
334  /* try to connect to the LDAP server again, maybe my persistent conexion failed. */
335  if (!retry) {
336  ++retry;
337  ldap_unbind(ld);
338  ld = nullptr;
339  ldapconnect();
340  goto retrydnattr;
341  }
342  return nullptr;
343  }
344  }
345  return nullptr;
346 }
347 
348 static void
349 ldapconnect(void)
350 {
351  int rc;
352 
353  /* On Windows ldap_start_tls_s is available starting from Windows XP,
354  * so we need to bind at run-time with the function entry point
355  */
356 #if _SQUID_WINDOWS_
357  if (use_tls) {
358 
359  HMODULE WLDAP32Handle;
360 
361  WLDAP32Handle = GetModuleHandle("wldap32");
362  if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
363  fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
364  exit(EXIT_FAILURE);
365  }
366  }
367 #endif
368 
369  if (ld == nullptr) {
370 #if HAS_URI_SUPPORT
371  if (strstr(ldapServer, "://") != nullptr) {
372  rc = ldap_initialize(&ld, ldapServer);
373  if (rc != LDAP_SUCCESS) {
374  fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
375  }
376  } else
377 #endif
378 #if NETSCAPE_SSL
379  if (sslpath) {
380  if (!sslinit && (ldapssl_client_init(sslpath, nullptr) != LDAP_SUCCESS)) {
381  fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
382  sslpath);
383  exit(EXIT_FAILURE);
384  } else {
385  ++sslinit;
386  }
387  if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
388  fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
389  ldapServer, port);
390  exit(EXIT_FAILURE);
391  }
392  } else
393 #endif
394  if ((ld = ldap_init(ldapServer, port)) == nullptr) {
395  fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ldapServer, port);
396  }
397  if (connect_timeout)
398  squid_ldap_set_connect_timeout(connect_timeout);
399 
400 #ifdef LDAP_VERSION3
401  if (version == -1) {
402  version = LDAP_VERSION2;
403  }
404  if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version)
405  != LDAP_SUCCESS) {
406  fprintf(stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
407  version);
408  ldap_unbind(ld);
409  ld = nullptr;
410  }
411  if (use_tls) {
412 #ifdef LDAP_OPT_X_TLS
413  if ((version == LDAP_VERSION3) && (ldap_start_tls_s(ld, nullptr, nullptr) != LDAP_SUCCESS)) {
414  fprintf(stderr, "Could not Activate TLS connection\n");
415  ldap_unbind(ld);
416  ld = nullptr;
417  }
418 #else
419  fprintf(stderr, "TLS not supported with your LDAP library\n");
420  ldap_unbind(ld);
421  ld = nullptr;
422 #endif
423  }
424 #endif
425  squid_ldap_set_timelimit(timelimit);
426  squid_ldap_set_referrals(!noreferrals);
427  squid_ldap_set_aliasderef(aliasderef);
428  if (binddn && bindpasswd && *binddn && *bindpasswd) {
429  rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
430  if (rc != LDAP_SUCCESS) {
431  fprintf(stderr, PROGRAM_NAME " WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
432  ldap_unbind(ld);
433  ld = nullptr;
434  }
435  }
436  debug("Connected OK\n");
437  }
438 }
439 int
440 LDAPArguments(int argc, char **argv)
441 {
442  setbuf(stdout, nullptr);
443 
444  while (argc > 1 && argv[1][0] == '-') {
445  const char *value = "";
446  char option = argv[1][1];
447  switch (option) {
448  case 'P':
449  case 'R':
450  case 'z':
451  case 'Z':
452  case 'g':
453  case 'e':
454  case 'S':
455  case 'n':
456  case 'd':
457  break;
458  default:
459  if (strlen(argv[1]) > 2) {
460  value = argv[1] + 2;
461  } else if (argc > 2) {
462  value = argv[2];
463  ++argv;
464  --argc;
465  } else
466  value = "";
467  break;
468  }
469  ++argv;
470  --argc;
471  switch (option) {
472  case 'H':
473 #if !HAS_URI_SUPPORT
474  fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
475  return 1;
476 #endif
477  /* Fall thru to -h */
478  case 'h':
479  if (ldapServer) {
480  int len = strlen(ldapServer) + 1 + strlen(value) + 1;
481  char *newhost = static_cast<char*>(xmalloc(len));
482  std::snprintf(newhost, len, "%s %s", ldapServer, value);
483  free(ldapServer);
484  ldapServer = newhost;
485  } else {
486  ldapServer = xstrdup(value);
487  }
488  break;
489  case 'A':
490  passattr = value;
491  break;
492  case 'e':
493  encrpass = 1;
494  break;
495  case 'l':
496  delimiter = value;
497  break;
498  case 'b':
499  userbasedn = value;
500  break;
501  case 'F':
502  usersearchfilter = value;
503  break;
504  case 'u':
505  userdnattr = value;
506  break;
507  case 's':
508  if (strcmp(value, "base") == 0)
509  searchscope = LDAP_SCOPE_BASE;
510  else if (strcmp(value, "one") == 0)
511  searchscope = LDAP_SCOPE_ONELEVEL;
512  else if (strcmp(value, "sub") == 0)
513  searchscope = LDAP_SCOPE_SUBTREE;
514  else {
515  fprintf(stderr, PROGRAM_NAME " ERROR: Unknown search scope '%s'\n", value);
516  return 1;
517  }
518  break;
519  case 'S':
520 #if defined(NETSCAPE_SSL)
521  sslpath = value;
522  if (port == LDAP_PORT)
523  port = LDAPS_PORT;
524 #else
525  fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
526  return 1;
527 #endif
528  break;
529  case 'c':
530  connect_timeout = atoi(value);
531  break;
532  case 't':
533  timelimit = atoi(value);
534  break;
535  case 'a':
536  if (strcmp(value, "never") == 0)
537  aliasderef = LDAP_DEREF_NEVER;
538  else if (strcmp(value, "always") == 0)
539  aliasderef = LDAP_DEREF_ALWAYS;
540  else if (strcmp(value, "search") == 0)
541  aliasderef = LDAP_DEREF_SEARCHING;
542  else if (strcmp(value, "find") == 0)
543  aliasderef = LDAP_DEREF_FINDING;
544  else {
545  fprintf(stderr, PROGRAM_NAME " ERROR: Unknown alias dereference method '%s'\n", value);
546  return 1;
547  }
548  break;
549  case 'D':
550  binddn = value;
551  break;
552  case 'w':
553  bindpasswd = value;
554  break;
555  case 'W':
556  readSecret(value);
557  break;
558  case 'P':
559  persistent = !persistent;
560  break;
561  case 'p':
562  port = atoi(value);
563  break;
564  case 'R':
565  noreferrals = !noreferrals;
566  break;
567 #ifdef LDAP_VERSION3
568  case 'v':
569  switch (atoi(value)) {
570  case 2:
571  version = LDAP_VERSION2;
572  break;
573  case 3:
574  version = LDAP_VERSION3;
575  break;
576  default:
577  fprintf(stderr, "Protocol version should be 2 or 3\n");
578  return 1;
579  }
580  break;
581  case 'Z':
582  if (version == LDAP_VERSION2) {
583  fprintf(stderr, "TLS (-Z) is incompatible with version %d\n",
584  version);
585  return 1;
586  }
587  version = LDAP_VERSION3;
588  use_tls = 1;
589  break;
590 #endif
591  case 'd':
592  debug_enabled = 1;
593  break;
594  case 'E':
595  strip_nt_domain = 1;
596  break;
597  case 'n':
598  edir_universal_passwd = 1;
599  break;
600  default:
601  fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
602  return 1;
603  }
604  }
605 
606  while (argc > 1) {
607  char *value = argv[1];
608  if (ldapServer) {
609  int len = strlen(ldapServer) + 1 + strlen(value) + 1;
610  char *newhost = static_cast<char*>(xmalloc(len));
611  std::snprintf(newhost, len, "%s %s", ldapServer, value);
612  free(ldapServer);
613  ldapServer = newhost;
614  } else {
615  ldapServer = xstrdup(value);
616  }
617  --argc;
618  ++argv;
619  }
620 
621  if (!ldapServer)
622  ldapServer = (char *) "localhost";
623 
624  if (!userbasedn || !((passattr != nullptr) || (edir_universal_passwd && usersearchfilter && version == LDAP_VERSION3 && use_tls))) {
625  fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n");
626  fprintf(stderr, "\t-A password attribute(REQUIRED)\t\tUser attribute that contains the password\n");
627  fprintf(stderr, "\t-l password realm delimiter(REQUIRED)\tCharater(s) that divides the password attribute\n\t\t\t\t\t\tin realm and password tokens, default ':' realm:password\n");
628  fprintf(stderr, "\t-b basedn (REQUIRED)\t\t\tbase dn under where to search for users\n");
629  fprintf(stderr, "\t-e Encrypted passwords(REQUIRED)\tPassword are stored encrypted using HHA1\n");
630  fprintf(stderr, "\t-F filter\t\t\t\tuser search filter pattern. %%s = login\n");
631  fprintf(stderr, "\t-u attribute\t\t\t\tattribute to use in combination with the basedn to create the user DN\n");
632  fprintf(stderr, "\t-s base|one|sub\t\t\t\tsearch scope\n");
633  fprintf(stderr, "\t-D binddn\t\t\t\tDN to bind as to perform searches\n");
634  fprintf(stderr, "\t-w bindpasswd\t\t\t\tpassword for binddn\n");
635  fprintf(stderr, "\t-W secretfile\t\t\t\tread password for binddn from file secretfile\n");
636 #if HAS_URI_SUPPORT
637  fprintf(stderr, "\t-H URI\t\t\t\t\tLDAPURI (defaults to ldap://localhost)\n");
638 #endif
639  fprintf(stderr, "\t-h server\t\t\t\tLDAP server (defaults to localhost)\n");
640  fprintf(stderr, "\t-p port\t\t\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
641  fprintf(stderr, "\t-P\t\t\t\t\tpersistent LDAP connection\n");
642 #if defined(NETSCAPE_SSL)
643  fprintf(stderr, "\t-E sslcertpath\t\t\t\tenable LDAP over SSL\n");
644 #endif
645  fprintf(stderr, "\t-c timeout\t\t\t\tconnect timeout\n");
646  fprintf(stderr, "\t-t timelimit\t\t\t\tsearch time limit\n");
647  fprintf(stderr, "\t-R\t\t\t\t\tdo not follow referrals\n");
648  fprintf(stderr, "\t-a never|always|search|find\t\twhen to dereference aliases\n");
649 #ifdef LDAP_VERSION3
650  fprintf(stderr, "\t-v 2|3\t\t\t\t\tLDAP version\n");
651  fprintf(stderr, "\t-Z\t\t\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
652 #endif
653  fprintf(stderr, "\t-S\t\t\t\t\tStrip NT domain from usernames\n");
654  fprintf(stderr, "\t-n\t\t\t\t\tGet an eDirectory Universal Password from Novell NMAS\n\t\t\t\t\t\t(requires bind credentials, version 3, TLS, and a search filter)\n");
655  fprintf(stderr, "\n");
656  fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
657  return -1;
658  }
659  return 0;
660 }
661 static int
662 readSecret(const char *filename)
663 {
664  char buf[BUFSIZ];
665  char *e = nullptr;
666  FILE *f;
667 
668  if (!(f = fopen(filename, "r"))) {
669  fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
670  return 1;
671  }
672  if (!fgets(buf, sizeof(buf) - 1, f)) {
673  fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
674  fclose(f);
675  return 1;
676  }
677  /* strip whitespaces on end */
678  if ((e = strrchr(buf, '\n')))
679  *e = 0;
680  if ((e = strrchr(buf, '\r')))
681  *e = 0;
682 
683  bindpasswd = xstrdup(buf);
684  if (!bindpasswd) {
685  fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
686  }
687  fclose(f);
688 
689  return 0;
690 }
691 
692 void
693 LDAPHHA1(RequestData * requestData)
694 {
695  char *password;
696  ldapconnect();
697  password = getpassword(requestData->user, requestData->realm);
698  if (password != nullptr) {
699  if (encrpass)
700  xstrncpy(requestData->HHA1, password, sizeof(requestData->HHA1));
701  else {
702  HASH HA1;
703  DigestCalcHA1("md5", requestData->user, requestData->realm, password, nullptr, nullptr, HA1, requestData->HHA1);
704  }
705  free(password);
706  } else {
707  requestData->error = -1;
708  }
709 
710 }
711 
readSecret
static int readSecret(const char *filename)
Definition: ldap_backend.cc:662
ldap_backend.h
BUFSIZ
#define BUFSIZ
Definition: defines.h:20
squid_ldap_memfree
static void squid_ldap_memfree(char *p)
Definition: ldap_backend.cc:159
xmalloc
#define xmalloc
Definition: negotiate_wrapper.cc:44
binddn
static const char * binddn
Definition: ldap_backend.cc:63
squid_ldap_set_referrals
static void squid_ldap_set_referrals(int referrals)
Definition: ldap_backend.cc:141
debug
void debug(const char *format,...)
Definition: debug.cc:19
squid_ldap_errno
static int squid_ldap_errno(LDAP *ld)
Definition: ldap_backend.cc:131
xstrdup
#define xstrdup
Definition: negotiate_wrapper.cc:47
use_tls
static int use_tls
Definition: basic_ldap_auth.cc:165
_request_data::error
int error
Definition: digest_common.h:46
xstrncpy
char * xstrncpy(char *dst, const char *src, size_t n)
Definition: xstring.cc:37
_request_data::HHA1
HASHHEX HHA1
Definition: digest_common.h:44
delimiter
static const char * delimiter
Definition: ldap_backend.cc:65
squid_ldap_set_timelimit
static void squid_ldap_set_timelimit(int aTimeLimit)
Definition: ldap_backend.cc:149
timelimit
static int timelimit
Definition: ldap_backend.cc:79
userdnattr
static const char * userdnattr
Definition: ldap_backend.cc:61
port
static int port
Definition: ldap_backend.cc:70
noreferrals
static int noreferrals
Definition: ldap_backend.cc:69
ldapconnect
static void ldapconnect(void)
Definition: ldap_backend.cc:349
searchscope
static int searchscope
Definition: ldap_backend.cc:67
size
int size
Definition: ModDevPoll.cc:70
encrpass
static int encrpass
Definition: ldap_backend.cc:66
NULL
#define NULL
Definition: types.h:145
userbasedn
static const char * userbasedn
Definition: ldap_backend.cc:60
PROGRAM_NAME
#define PROGRAM_NAME
Definition: ldap_backend.cc:53
debug_enabled
int debug_enabled
Definition: debug.cc:13
passattr
static const char * passattr
Definition: ldap_backend.cc:58
ldapServer
static char * ldapServer
Definition: ldap_backend.cc:59
getpassword
static char * getpassword(char *login, char *realm)
Definition: ldap_backend.cc:205
version
static int version
Definition: basic_ldap_auth.cc:166
strip_nt_domain
static int strip_nt_domain
Definition: ldap_backend.cc:71
ldap_escape_value
static int ldap_escape_value(char *escaped, int size, const char *src)
Definition: ldap_backend.cc:173
nds_get_password
int nds_get_password(LDAP *ld, char *object_dn, size_t *pwd_len, char *pwd)
Definition: edir_ldapext.cc:497
LDAPHHA1
void LDAPHHA1(RequestData *requestData)
Definition: ldap_backend.cc:693
usersearchfilter
static const char * usersearchfilter
Definition: ldap_backend.cc:62
squid_ldap_set_aliasderef
static void squid_ldap_set_aliasderef(int deref)
Definition: ldap_backend.cc:136
persistent
static int persistent
Definition: ldap_backend.cc:68
bindpasswd
static const char * bindpasswd
Definition: ldap_backend.cc:64
_request_data
Definition: digest_common.h:39
_request_data::realm
char * realm
Definition: digest_common.h:42
aliasderef
static int aliasderef
Definition: ldap_backend.cc:73
connect_timeout
static int connect_timeout
Definition: ldap_backend.cc:78
_request_data::user
char * user
Definition: digest_common.h:41
LDAPArguments
int LDAPArguments(int argc, char **argv)
Definition: ldap_backend.cc:440
squid_ldap_set_connect_timeout
static void squid_ldap_set_connect_timeout(int aTimeLimit)
Definition: ldap_backend.cc:154
ld
static LDAP * ld
Definition: ldap_backend.cc:57
edir_ldapext.h
HASH
char HASH[HASHLEN]
Definition: rfc2617.h:31
DigestCalcHA1
void DigestCalcHA1(const char *pszAlg, const char *pszUserName, const char *pszRealm, const char *pszPassword, const char *pszNonce, const char *pszCNonce, HASH HA1, HASHHEX SessionKey)
Definition: rfc2617.c:88
edir_universal_passwd
static int edir_universal_passwd
Definition: ldap_backend.cc:72

 

Introduction

Documentation

Support

Miscellaneous