- * This module is based on LDAP patch to Cistron radiusd by James Golovich
- * <james@wwnet.net>, which in turn was based mostly on a Mysql+Cistron patch
- * from <oyarzun@wilmington.net>
- *
- * 17 Jan 2000, Adrian Pavlykevych <pam@polynet.lviv.ua>
- * - OpenLDAP SDK porting, basic TLS support, LDAP authorization,
- * fault tolerance with multiple LDAP server support
- * 24 May 2000, Adrian Pavlykevych <pam@polynet.lviv.ua>
- * - Converting to new configuration file format, futher improvements
- * in fault tolerance, threaded operation
- * 12 Dec 2000, Adrian Pavlykevych <pam@polynet.lviv.ua>
- * - Added preliminary support for multiple instances
- * - moved all instance configuration into dynamicly allocated structure
- * - Removed connection maintenance thread and all attempts for multihreading
- * the module itself. OpenLDAP SDK is not thread safe when used with shared
- * LDAP connection.
- * - Added configuration option for defining LDAP attribute of user object,
- * which controls remote access.
- * 16 Feb 2001, Hannu Laurila <hannu.laurila@japo.fi>
- * - LDAP<->RADIUS attribute mappings are now read from a file
- * - Support for generic RADIUS check and reply attribute.
- * Jun 2001, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Fix: check and reply attributes from LDAP _replace_ existing ones
- * - Added "default_profile" directive, which points to radiusProfile
- * object, which contains default values for RADIUS users
- * - Added "profile_attribute" directive, which specifies user object
- * attribute pointing to radiusProfile object.
- * Nov 2001, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Added support for adding the user password to the check. Based on
- * the password_header directive rlm_ldap will strip the
- * password header if needed. This will make support for CHAP much easier.
- * - Added module messages when we reject a user.
- * - Added ldap_groupcmp to allow searching for user group membership.
- * - Added ldap_xlat to allow ldap urls in xlat strings. Something like:
- * %{ldap:ldap:///dc=company,dc=com?cn?sub?uid=user}
- * Nov 2001, Gordon Tetlow <gordont@gnf.org>
- * - Do an xlat on the access_group attribute.
- * Dec 2001, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Added ldap caching for the default/regular profiles and group entries.
- * - Fixed a memory leak in ldap_xlat.
- * - Removed dict_attrbyname from ldap_pairget. They are not needed.
- * - Moved the radius_xlat's for filter and basedn in ldap_authenticate() to
- * the right place.
- * - Made the module thread safe. We create a connection pool and each thread
- * will call ldap_get_conn to lock one of the ldap connections and release with
- * a call to ldap_release_conn when it has finished.
- * - Request only the user attributes that interest us (radius attributes,regular
- * profile,user password and access attribute).
- * Mar 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Fixed a bug where the ldap server will kill the idle connections from the ldap
- * connection pool. We now check if ldap_search returns LDAP_SERVER_DOWN and try to
- * reconnect if it does. Bug noted by Dan Perik <dan_perik-work@ntm.org.pg>
- * May 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Instead of the Group attribute we now have the Ldap-Group attribute, to avoid
- * collisions with other modules
- * - If perform_search fails check the ld != NULL before using it. Based on a bug report
- * by John <jhogenmiller@pennswoods.net>
- * Jun 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Add the ability to do a paircmp on the check items. Add a compare_check_items boolean
- * configuration directive which defaults to no. If it is set then we will do a compare
- * - Add another configuration directive. access_attr_used_for_allow. If it is set to yes
- * then the access_attr will be used to allow user access. If it is set to no then it will
- * be used to deny user access.
- * - Remember to free inst->atts in ldap_detach()
- * - Add a forgotten ldap_free_urldesc in ldap_xlat()
- * - Add a variable locked in the LDAP_CONN structure. We use this to avoid deadlocks. The mutex
- * we are using is of type fast and can deadlock if the same thread tries to relock it. That
- * could happen in case of calls to xlat.
- * - When ldap_search returns NO_SUCH_OBJECT don't return fail but notfound
- * Jul 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Fix the logic when we get an LDAP_SERVER_DOWN or we have conn->ld == NULL in perform_search
- * - Try to minimize the penalty of having the ldap server go down. The comments before
- * MAX_FAILED_CONNS_* definitions should explain things.
- * - Check for a number of error codes from ldap_search and log corresponding error messages
- * We should only reconnect when that can help things.
- * - In ldap_groupcmp instead of first searching for the group object and then checking user
- * group membership combine them in one ldap search operation. That should make group
- * membership checks a lot faster.
- * - Remember to do ldap_release_conn and ldap_msgfree when we do paircmp and the result is reject
- * Aug 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Add support for group membership attribute inside the user entry in ldap_groupcmp. The attribute
- * can either contain the name or the DN of the group. Added the groupmembership_attribute
- * configuration directive
- * - Move the ldap_{get,release}_conn in ldap_groupcmp so that we hold a connection for the minimum time.
- * - Now that ldap_groupcmp is complete we really don't need access_group. Removed it.
- * - Remember to free groupmembership_attribute in ldap_detach
- * - Don't delete existing generic attributes in ldap_pairget when adding new ones. Since generic attributes
- * have operators we don't need to try to be cleaver.
- * Sep 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Fix a crash in ldap_pairget when the attribute value is larger than the buffer size
- * Bug report by Stefan Radovanovici <sra@rtsffm.com>
- * - If we add a check item then use the == operator. Based on an idea by Allister Maguire <amaguire@gnc.net.nz>
- * - Only add a failure message for bind as user failed in ldap_authenticate if the result of ldap_connect was
- * RLM_MODULE_REJECT
- * - Make tls_mode a configurable option. Patch from John <jhogenmiller@pennswoods.net>
- * - Allow multiple regular profiles for an entry
- * Oct 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Disable cache after searching for the default profile
- * - Use the MAX_FAILED_CONNS_* in ldap_authenticate() when calling ldap_connect()
- * Nov 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Set LDAP version to V3 before binding. Now freeradius should work with openldap21
- * Dec 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Set default values for the server and basedn parameters
- * Feb 2003, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Add support for ldap_initialize. That way we can specify the server as an ldap url.
- * Based on ideas from Derrik Pates <dpates@dsdk12.net>
- * Mar 2003, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Add an ldap_escape_func. Escape the * character from the filter so that we can avoid
- * the trivial DoS of username=*
- * - Remove the caching code. It does not exist in openldap21.
- * Based on a report from Mike Denka <mdenk@whidbey.net>
- * May 2003, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Don't do a double free on the attribute maps. Bug noted by Derrik Pates <dpates@dsdk12.net>
- * - Apply a patch from Alexander M. Pravking <fduch@antar.bryansk.ru> to do an xlat on the
- * retrieved attributes.
- * Aug 2003, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - In case of a bad search filter, print out the corresponding filter
- * Sep 2003, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Compile even if we don't have pthread's
- * Oct 2003, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Add a new configuration directive, base_filter which is used for base scope searches
- * (When searching for the default/regular profiles for example)
- * Nov 2003, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Add a new configuration directive, do_xlat (default: yes). If set we use pairxlatmove
- * on the radius attributes, else we fall back to the plain old pairadd. That way people
- * can fall back on the 0.8.1 behaviour without making changes to their ldap database or
- * gain a little performance by not using pairxlatmove
- * Dec 2003, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - Add a patch from Jon Miner <miner@doit.wisc.edu> to add the ability to configure
- * various LDAP TLS options
- * - Only call pairfree if we are using pairxlatmove not for pairadd
- * Mar 2004, Kostas Kalevras <kkalev@noc.ntua.gr>
- * - If we are passed an empty password log a module failure message not an error message
- * Apr 2004, Kostas Kalveras <kkalev@noc.ntua.gr>
- * - Add a patch from Tarun Bhushan <tarun.bhushan@macquarie.com> to add a tls_mode boolean
- * directive so that we can enable TLS connetions even if port is not set to 636
- * - Add an error message if ldap_initialize() is not available and we are passed a URL like
- * 'server' directive.
- * - Add a per instance Ldap-Group attribute (of the form <instance>-Ldap-Group) and register
- * a corresponding ldap_groupcmp function
- * - Small change to ldap_get_conn to fix problems on some platforms
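Review bot: Deleting this header removes the only in-tree record of the module's contributor attribution (James Golovich, Adrian Pavlykevych, Hannu Laurila, Kostas Kalevras, Gordon Tetlow and the patch authors credited inline) and of several security-relevant design decisions that are not obvious from the code alone: the ldap_escape_func that escapes `*` in the filter "so that we can avoid the trivial DoS of username=*", setting the LDAP version to V3 before binding, the tls_mode directive enabling TLS "even if port is not set to 636", and the inverted semantics of access_attr_used_for_allow (allow when yes, deny when no). Before dropping the block, confirm these are captured in a changelog, the module's configuration documentation, or the commit message, and that the credits are preserved somewhere the project's history retains them; otherwise keep the attribution and the rationale for the filter escaping and TLS options in a short comment near the affected functions.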