char *tls_randfile;
char *tls_require_cert;
#ifdef NOVELL
-- int edir_account_policy_check;
++ int edir_account_policy_check;
#endif
- int set_auth_type;
-} ldap_instance;
++ int set_auth_type;
+} ldap_instance;
/* The default setting for TLS Certificate Verification */
#define TLS_DEFAULT_VERIFY "allow"
-static CONF_PARSER module_config[] = {
- {"server", PW_TYPE_STRING_PTR, offsetof(ldap_instance,server), NULL, "localhost"},
- {"port", PW_TYPE_INTEGER, offsetof(ldap_instance,port), NULL, "389"},
+static CONF_PARSER tls_config[] = {
+ {"start_tls", PW_TYPE_BOOLEAN,
+ offsetof(ldap_instance,start_tls), NULL, "no"},
+ {"cacertfile", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,tls_cacertfile), NULL, NULL},
+ {"cacertdir", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,tls_cacertdir), NULL, NULL},
+ {"certfile", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,tls_certfile), NULL, NULL},
+ {"keyfile", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,tls_keyfile), NULL, NULL},
+ {"randfile", PW_TYPE_STRING_PTR, /* OK if it changes on HUP */
+ offsetof(ldap_instance,tls_randfile), NULL, NULL},
+ {"require_cert", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,tls_require_cert), NULL, TLS_DEFAULT_VERIFY},
+ { NULL, -1, 0, NULL, NULL }
+};
+
+static const CONF_PARSER module_config[] = {
+ {"server", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,server), NULL, "localhost"},
+ {"port", PW_TYPE_INTEGER,
+ offsetof(ldap_instance,port), NULL, "389"},
+ {"password", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,password), NULL, ""},
+ {"identity", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,login), NULL, ""},
+
+ /*
+ * Timeouts & stuff.
+ */
/* wait forever on network activity */
- {"net_timeout", PW_TYPE_INTEGER, offsetof(ldap_instance,net_timeout.tv_sec), NULL, "10"},
+ {"net_timeout", PW_TYPE_INTEGER,
+ offsetof(ldap_instance,net_timeout.tv_sec), NULL, "10"},
/* wait forever for search results */
- {"timeout", PW_TYPE_INTEGER, offsetof(ldap_instance,timeout.tv_sec), NULL, "20"},
+ {"timeout", PW_TYPE_INTEGER,
+ offsetof(ldap_instance,timeout.tv_sec), NULL, "20"},
/* allow server unlimited time for search (server-side limit) */
- {"timelimit", PW_TYPE_INTEGER, offsetof(ldap_instance,timelimit), NULL, "20"},
- {"identity", PW_TYPE_STRING_PTR, offsetof(ldap_instance,login), NULL, ""},
- {"tls_mode", PW_TYPE_BOOLEAN, offsetof(ldap_instance,tls_mode), NULL, "no"},
- {"start_tls", PW_TYPE_BOOLEAN, offsetof(ldap_instance,start_tls), NULL, "no"},
- {"tls_cacertfile", PW_TYPE_STRING_PTR, offsetof(ldap_instance,tls_cacertfile), NULL, NULL},
- {"tls_cacertdir", PW_TYPE_STRING_PTR, offsetof(ldap_instance,tls_cacertdir), NULL, NULL},
- {"tls_certfile", PW_TYPE_STRING_PTR, offsetof(ldap_instance,tls_certfile), NULL, NULL},
- {"tls_keyfile", PW_TYPE_STRING_PTR, offsetof(ldap_instance,tls_keyfile), NULL, NULL},
- {"tls_randfile", PW_TYPE_STRING_PTR, offsetof(ldap_instance,tls_randfile), NULL, NULL},
- {"tls_require_cert", PW_TYPE_STRING_PTR, offsetof(ldap_instance,tls_require_cert), NULL, TLS_DEFAULT_VERIFY},
- {"password", PW_TYPE_STRING_PTR, offsetof(ldap_instance,password), NULL, ""},
- {"basedn", PW_TYPE_STRING_PTR, offsetof(ldap_instance,basedn), NULL, "o=notexist"},
- {"filter", PW_TYPE_STRING_PTR, offsetof(ldap_instance,filter), NULL, "(uid=%u)"},
- {"base_filter", PW_TYPE_STRING_PTR, offsetof(ldap_instance,base_filter), NULL, "(objectclass=radiusprofile)"},
- {"default_profile", PW_TYPE_STRING_PTR, offsetof(ldap_instance,default_profile), NULL, NULL},
- {"profile_attribute", PW_TYPE_STRING_PTR, offsetof(ldap_instance,profile_attr), NULL, NULL},
- {"password_header", PW_TYPE_STRING_PTR, offsetof(ldap_instance,passwd_hdr), NULL, NULL},
- {"password_attribute", PW_TYPE_STRING_PTR, offsetof(ldap_instance,passwd_attr), NULL, NULL},
+ {"timelimit", PW_TYPE_INTEGER,
+ offsetof(ldap_instance,timelimit), NULL, "20"},
+
+ /*
+ * TLS configuration The first few are here for backwards
+ * compatibility. The last is the new subsection.
+ */
+ {"tls_mode", PW_TYPE_BOOLEAN,
+ offsetof(ldap_instance,tls_mode), NULL, "no"},
+
+ {"start_tls", PW_TYPE_BOOLEAN,
+ offsetof(ldap_instance,start_tls), NULL, "no"},
+ {"tls_cacertfile", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,tls_cacertfile), NULL, NULL},
+ {"tls_cacertdir", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,tls_cacertdir), NULL, NULL},
+ {"tls_certfile", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,tls_certfile), NULL, NULL},
+ {"tls_keyfile", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,tls_keyfile), NULL, NULL},
+ {"tls_randfile", PW_TYPE_STRING_PTR, /* OK if it changes on HUP */
+ offsetof(ldap_instance,tls_randfile), NULL, NULL},
+ {"tls_require_cert", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,tls_require_cert), NULL, TLS_DEFAULT_VERIFY},
+ { "tls", PW_TYPE_SUBSECTION, 0, NULL, (const void *) tls_config },
+
+ /*
+ * DN's and filters.
+ */
+ {"basedn", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,basedn), NULL, "o=notexist"},
+ {"filter", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,filter), NULL, "(uid=%u)"},
+ {"base_filter", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,base_filter), NULL, "(objectclass=radiusprofile)"},
+ {"default_profile", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,default_profile), NULL, NULL},
+ {"profile_attribute", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,profile_attr), NULL, NULL},
+
+ /*
+ * Getting passwords from the database
+ */
+ {"password_header", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,passwd_hdr), NULL, NULL},
+ {"password_attribute", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,passwd_attr), NULL, NULL},
+ {"auto_header", PW_TYPE_BOOLEAN,
+ offsetof(ldap_instance,auto_header), NULL, "no"},
+
+ /*
+ * Access limitations
+ */
/* LDAP attribute name that controls remote access */
- {"access_attr", PW_TYPE_STRING_PTR, offsetof(ldap_instance,access_attr), NULL, NULL},
+ {"access_attr", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,access_attr), NULL, NULL},
+ {"access_attr_used_for_allow", PW_TYPE_BOOLEAN,
+ offsetof(ldap_instance,default_allow), NULL, "yes"},
+
+ /*
+ * Group checks. These could probably be done
+ * via dynamic xlat's.
+ */
+ {"groupname_attribute", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,groupname_attr), NULL, "cn"},
+ {"groupmembership_filter", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,groupmemb_filt), NULL, "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"},
+ {"groupmembership_attribute", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,groupmemb_attr), NULL, NULL},
+
/* file with mapping between LDAP and RADIUS attributes */
- {"groupname_attribute", PW_TYPE_STRING_PTR, offsetof(ldap_instance,groupname_attr), NULL, "cn"},
- {"groupmembership_filter", PW_TYPE_STRING_PTR, offsetof(ldap_instance,groupmemb_filt), NULL, "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"},
- {"groupmembership_attribute", PW_TYPE_STRING_PTR, offsetof(ldap_instance,groupmemb_attr), NULL, NULL},
- {"dictionary_mapping", PW_TYPE_STRING_PTR, offsetof(ldap_instance,dictionary_mapping), NULL, "${confdir}/ldap.attrmap"},
- {"ldap_debug", PW_TYPE_INTEGER, offsetof(ldap_instance,ldap_debug), NULL, "0x0000"},
- {"ldap_connections_number", PW_TYPE_INTEGER, offsetof(ldap_instance,num_conns), NULL, "5"},
- {"compare_check_items", PW_TYPE_BOOLEAN, offsetof(ldap_instance,do_comp), NULL, "no"},
- {"access_attr_used_for_allow", PW_TYPE_BOOLEAN, offsetof(ldap_instance,default_allow), NULL, "yes"},
- {"do_xlat", PW_TYPE_BOOLEAN, offsetof(ldap_instance,do_xlat), NULL, "yes"},
+ {"dictionary_mapping", PW_TYPE_FILENAME,
+ offsetof(ldap_instance,dictionary_mapping), NULL, "${confdir}/ldap.attrmap"},
+
+ /*
+ * Debugging flags to the server
+ */
+ {"ldap_debug", PW_TYPE_INTEGER,
+ offsetof(ldap_instance,ldap_debug), NULL, "0x0000"},
+ {"ldap_connections_number", PW_TYPE_INTEGER,
+ offsetof(ldap_instance,num_conns), NULL, "5"},
+ {"compare_check_items", PW_TYPE_BOOLEAN,
+ offsetof(ldap_instance,do_comp), NULL, "no"},
+ {"do_xlat", PW_TYPE_BOOLEAN,
+ offsetof(ldap_instance,do_xlat), NULL, "yes"},
+
#ifdef NOVELL
- {"edir_account_policy_check", PW_TYPE_BOOLEAN, offsetof(ldap_instance,edir_account_policy_check), NULL, "yes"},
+ /*
+ * Novell magic.
+ */
+ {"edir_account_policy_check", PW_TYPE_BOOLEAN,
+ offsetof(ldap_instance,edir_account_policy_check), NULL, "yes"},
#endif
+ {"set_auth_type", PW_TYPE_BOOLEAN, offsetof(ldap_instance,set_auth_type), NULL, "yes"},
{NULL, -1, 0, NULL, NULL}
};
DEBUG("rlm_ldap: Registering ldap_xlat with xlat_name %s",xlat_name);
xlat_register(xlat_name,ldap_xlat,inst);
- dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
- if (!dv) {
- if (inst->set_auth_type) {
+ /*
+ * Over-ride set_auth_type if there's no Auth-Type of our name.
+ * This automagically catches the case where LDAP is listed
+ * in "authorize", but not "authenticate".
+ */
- inst->set_auth_type = 0;
- }
++ if (inst->set_auth_type) {
++ DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
++ if (!dv) {
+ DEBUG2("rlm_ldap: Over-riding set_auth_type, as we're not listed in the \"authenticate\" section.");
++ inst->set_auth_type = 0;
+ }
++ } /* else no need to look up the value */
+
#ifdef NOVELL
/*
- * (LDAP_Instance, V1) attribute-value pair in the config items list means
- * that the 'authorize' method of the instance 'V1' of the LDAP module has
- * processed this request.
+ * (LDAP_Instance, V1) attribute-value pair in the config
+ * items list means that the 'authorize' method of the
+ * instance 'V1' of the LDAP module has processed this
+ * request.
*/
dict_addattr("LDAP-Instance", 0, PW_TYPE_STRING, -1, flags);
+
/*
- * ('eDir-APC', '1') in config items list => Do not perform eDirectory account
- * policy check (APC)
- * ('eDir-APC', '2') in config items list => Perform eDirectory APC
- * ('eDir-APC', '3') in config items list => eDirectory APC has been completed
+ * ('eDir-APC', '1') in config items list
+ * Do not perform eDirectory account policy check (APC)
+ *
+ * ('eDir-APC', '2') in config items list
+ * Perform eDirectory APC
+ *
+ * ('eDir-APC', '3') in config items list
+ * eDirectory APC has been completed
*/
dict_addattr("eDir-APC", 0, PW_TYPE_INTEGER, -1, flags);
#endif
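Review bot: The rewritten override block declares a new block-scoped `DICT_VALUE *dv` inside the `if (inst->set_auth_type)` branch, yet the removed line `dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);` assigned a `dv` that must already be declared earlier in the function (outside this hunk), so that outer declaration is now either unused or shadowed and will warn under -Wshadow/-Wunused-variable; this is inferred, since the declaration is not visible here. Either drop the function-level declaration if nothing else uses it, or reuse it and write the lookup as `dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);` without the inner `DICT_VALUE *`. The guard itself is sound: the lookup is now skipped entirely when `set_auth_type` is off, and the DEBUG2 message makes the silent override visible, which is the part an operator needs when authentication unexpectedly falls through to another module. The enclosing instantiate function starts before and ends after this hunk.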
/*
* Module should default to LDAP authentication if no Auth-Type
- * specified
+ * specified. Note that we do this ONLY if configured, AND we
+ * set the Auth-Type to our module name, which allows multiple
+ * ldap instances to work.
*/
- if ((pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
+ if (inst->set_auth_type &&
+ (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
request->password &&
(request->password->attribute == PW_USER_PASSWORD))
- pairadd(check_pairs, pairmake("Auth-Type", "LDAP", T_OP_EQ));
-
+ pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
DEBUG("rlm_ldap: user %s authorized to use remote access",
- request->username->strvalue);
+ request->username->vp_strvalue);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst->conns);