#include <freeradius-devel/modules.h>
#include <ldap.h>
+/*
+ * For compatibility with other LDAP libraries
+ */
+#if !defined(LDAP_SCOPE_BASE) && defined(LDAP_SCOPE_BASEOBJECT)
+# define LDAP_SCOPE_BASE LDAP_SCOPE_BASEOBJECT
+#endif
+
+#if !defined(LDAP_SCOPE_ONE) && defined(LDAP_SCOPE_ONELEVEL)
+# define LDAP_SCOPE_ONE LDAP_SCOPE_ONELEVEL
+#endif
+
+#if !defined(LDAP_SCOPE_SUB) && defined(LDAP_SCOPE_SUBTREE)
+# define LDAP_SCOPE_SUB LDAP_SCOPE_SUBTREE
+#endif
+
+#if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER)
+# define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER
+#endif
+
+#ifndef LDAP_CONST
+# define LDAP_CONST
+#endif
+
#define LDAP_MAX_ATTRMAP 128 //!< Maximum number of mappings between LDAP and
//!< FreeRADIUS attributes.
#define LDAP_MAP_RESERVED 4 //!< Number of additional items to allocate in expanded
char const *server; //!< Initial server to bind to.
int is_url; //!< Whether ldap_is_ldap_url says 'server' is an
//!< ldap[s]:// url.
- int port; //!< Port to use when binding to the server.
+ uint16_t port; //!< Port to use when binding to the server.
char const *admin_dn; //!< DN we bind as when we need to query the LDAP
//!< directory.
char const *password; //!< Password used in administrative bind.
- int chase_referrals; //!< If the LDAP server returns a referral to another server
+ char const *dereference_str; //!< When to dereference (never, searching, finding, always)
+ int dereference; //!< libldap value specifying dereferencing behaviour.
+
+ bool chase_referrals; //!< If the LDAP server returns a referral to another server
//!< or point in the tree, follow it, establishing new
//!< connections and binding where necessary.
+ bool chase_referrals_unset; //!< If true, use the OpenLDAP defaults for chase_referrals.
- int rebind; //!< Controls whether we set an ldad_rebind_proc function
+ bool rebind; //!< Controls whether we set an ldad_rebind_proc function
//!< and so determines if we can bind to other servers whilst
//!< chasing referrals. If this is false, we will still chase
//!< referrals on the same server, but won't bind to other
//!< servers.
- int ldap_debug; //!< Debug flag for the SDK.
+ uint32_t ldap_debug; //!< Debug flag for the SDK.
char const *xlat_name; //!< Instance name.
- int expect_password; //!< True if the user_map included a mapping between an LDAP
+ bool expect_password; //!< True if the user_map included a mapping between an LDAP
//!< attribute and one of our password reference attributes.
/*
int userobj_scope; //!< Search scope.
char const *userobj_membership_attr; //!< Attribute that describes groups the user is a member of.
- char *userobj_access_attr; //!< Attribute to check to see if the user should be locked out.
- int access_positive; //!< If true the presence of the attribute will allow access,
+ char const *userobj_access_attr; //!< Attribute to check to see if the user should be locked out.
+ bool access_positive; //!< If true the presence of the attribute will allow access,
//!< else it will deny access.
char const *valuepair_attr; //!< Generic dynamic mapping attribute, contains a RADIUS
char const *groupobj_membership_filter; //!< Filter to only retrieve groups which contain
//!< the user as a member.
- int cacheable_group_name; //!< If true the server will determine complete set of group
+ bool cacheable_group_name; //!< If true the server will determine complete set of group
//!< memberships for the current user object, and perform any
//!< resolution necessary to determine the names of those
//!< groups, then right them to the control list (LDAP-Group).
- int cacheable_group_dn; //!< If true the server will determine complete set of group
+ bool cacheable_group_dn; //!< If true the server will determine complete set of group
//!< memberships for the current user object, and perform any
//!< resolution necessary to determine the DNs of those groups,
//!< then right them to the control list (LDAP-GroupDN).
+ char const *cache_attribute; //!< Sets the attribute we use when creating and retrieving
+ //!< cached group memberships.
+
+ DICT_ATTR const *cache_da; //!< The DA associated with this specific version of the
+ //!< rlm_ldap module.
+
DICT_ATTR const *group_da; //!< The DA associated with this specific version of the
//!< rlm_ldap module.
* TLS code in 3.0.
*/
int tls_mode;
- int start_tls; //!< Send the Start TLS message to the LDAP directory
+ bool start_tls; //!< Send the Start TLS message to the LDAP directory
//!< to start encrypted communications using the standard
//!< LDAP port.
* Options
*/
- int net_timeout; //!< How long we wait for new connections to the LDAP server
+ uint32_t net_timeout; //!< How long we wait for new connections to the LDAP server
//!< to be established.
- int res_timeout; //!< How long we wait for a result from the server.
- int srv_timelimit; //!< How long the server should spent on a single request
+ uint32_t res_timeout; //!< How long we wait for a result from the server.
+ uint32_t srv_timelimit; //!< How long the server should spent on a single request
//!< (also bounded by value on the server).
#ifdef WITH_EDIR
- /*
+ /*
* eDir support
*/
- int edir; //!< If true attempt to retrieve the user's Cleartext password
+ bool edir; //!< If true attempt to retrieve the user's cleartext password
//!< using the Universal Password feature of Novell eDirectory.
bool edir_autz; //!< If true, and we have the Universal Password, bind with it
//!< to perform additional authorisation checks.
* For keep-alives.
*/
#ifdef LDAP_OPT_X_KEEPALIVE_IDLE
- int keepalive_idle; //!< Number of seconds a connections needs to remain idle
+ uint32_t keepalive_idle; //!< Number of seconds a connections needs to remain idle
//!< before TCP starts sending keepalive probes.
#endif
#ifdef LDAP_OPT_X_KEEPALIVE_PROBES
- int keepalive_probes; //!< Number of missed timeouts before the connection is
+ uint32_t keepalive_probes; //!< Number of missed timeouts before the connection is
//!< dropped.
#endif
#ifdef LDAP_OPT_X_KEEPALIVE_INTERVAL
- int keepalive_interval; //!< Interval between keepalive probes.
+ uint32_t keepalive_interval; //!< Interval between keepalive probes.
#endif
} ldap_instance_t;
} rlm_ldap_map_xlat_t;
typedef struct rlm_ldap_result {
- char **values;
- int count;
+ struct berval **values; //!< libldap struct containing bv_val (char *)
+ //!< and length bv_len.
+ int count; //!< Number of values.
} rlm_ldap_result_t;
typedef enum {
#define LDAP_DBG(fmt, ...) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->xlat_name, ##__VA_ARGS__)
#define LDAP_DBG_REQ(fmt, ...) do { if (request) {RDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)
+#define LDAP_DBG2(fmt, ...) if (debug_flag >= L_DBG_LVL_2) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->xlat_name, ##__VA_ARGS__)
+#define LDAP_DBG_REQ2(fmt, ...) do { if (request) {RDEBUG2(fmt, ##__VA_ARGS__);} else if (debug_flag >= L_DBG_LVL_2) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)
+
+#define LDAP_DBG3(fmt, ...) if (debug_flag >= L_DBG_LVL_3) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->xlat_name, ##__VA_ARGS__)
+#define LDAP_DBG_REQ3(fmt, ...) do { if (request) {RDEBUG3(fmt, ##__VA_ARGS__);} else if (debug_flag >= L_DBG_LVL_3) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)
+
#define LDAP_ERR(fmt, ...) ERROR("rlm_ldap (%s): " fmt, inst->xlat_name, ##__VA_ARGS__)
#define LDAP_ERR_REQ(fmt, ...) do { if (request) {REDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_ERR(fmt, ##__VA_ARGS__);}} while (0)
#define LDAP_EXT() if (extra) LDAP_ERR(extra)
#define LDAP_EXT_REQ() do { if (extra) { if (request) REDEBUG("%s", extra); else LDAP_ERR("%s", extra); }} while (0)
+extern FR_NAME_NUMBER const ldap_scope[];
+extern FR_NAME_NUMBER const ldap_tls_require_cert[];
+
/*
* ldap.c - Wrappers arounds OpenLDAP functions.
*/
ssize_t rlm_ldap_xlat_filter(REQUEST *request, char const **sub, size_t sublen, char *out, size_t outlen);
ldap_rcode_t rlm_ldap_bind(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn,
- char const *password, int retry);
+ char const *password, bool retry);
char const *rlm_ldap_error_str(ldap_handle_t const *conn);
/*
* ldap.c - Callbacks for the connection pool API.
*/
-void *mod_conn_create(void *ctx);
-
-int mod_conn_delete(UNUSED void *instance, void *handle);
+void *mod_conn_create(TALLOC_CTX *ctx, void *instance);
ldap_handle_t *rlm_ldap_get_socket(ldap_instance_t const *inst, REQUEST *request);
rlm_ldap_map_xlat_t const *expanded, LDAPMessage *entry);
rlm_rcode_t rlm_ldap_map_profile(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn,
- char const *profile, rlm_ldap_map_xlat_t const *expanded);
+ char const *profile, rlm_ldap_map_xlat_t const *expanded);
/*
* clients.c - Dynamic clients (bulk load).
/*
* edir.c - Magic extensions for Novell
*/
-#ifdef WITH_EDIR
int nmasldap_get_password(LDAP *ld, char const *dn, char *password, size_t *len);
-#endif
+
+char const *edir_errstr(int code);
#endif