-/*
- * These functions implement the portions of AUTHMODE_LDAP and AUTHMODE_LDAP_AD which
- * actually speak to the LDAP server.
- *
- * Copyright (c) 2011-2017 by the citadel.org development team.
- *
- * This program is open source software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License, version 3.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- */
+// These functions implement the portions of AUTHMODE_LDAP and AUTHMODE_LDAP_AD which
+// actually speak to the LDAP server.
+//
+// Copyright (c) 2011-2022 by the citadel.org development team.
+//
+// This program is open source software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License, version 3.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
int ctdl_require_ldap_version = 3;
#include "user_ops.h"
#include "internet_addressing.h"
#include "config.h"
-
-#ifdef HAVE_LDAP
-#define LDAP_DEPRECATED 1 // Suppress libldap's warning that we are using deprecated API calls
#include <ldap.h>
-/*
- * Utility function, supply a search result and get back the fullname (display name, common name, etc) from the first result
- */
-void derive_fullname_from_ldap_result(char *fullname, int fullname_size, LDAP *ldserver, LDAPMessage *search_result)
-{
+// Utility function, supply a search result and get back the fullname (display name, common name, etc) from the first result
+void derive_fullname_from_ldap_result(char *fullname, int fullname_size, LDAP *ldserver, LDAPMessage *search_result) {
char **values;
if (fullname == NULL) return;
+ if (search_result == NULL) return;
+ if (ldserver == NULL) return;
if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) {
values = ldap_get_values(ldserver, search_result, "displayName");
ldap_value_free(values);
}
}
- syslog(LOG_DEBUG, "\033[31mldap: display name: <%s> \033[0m", fullname);
}
-/*
- * Utility function, supply a search result and get back the uid from the first result
- */
-uid_t derive_uid_from_ldap(LDAP *ldserver, LDAPMessage *entry)
-{
- char **values;
+// Utility function, supply a search result and get back the uid from the first result
+uid_t derive_uid_from_ldap(LDAP *ldserver, LDAPMessage *entry) {
+ struct berval **values;
uid_t uid = (-1);
if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) {
- values = ldap_get_values(ldserver, entry, "objectGUID"); // AD schema: uid hashed from objectGUID
+ values = ldap_get_values_len(ldserver, entry, "objectGUID"); // AD schema: uid hashed from objectGUID
if (values) {
- if (values[0]) {
- uid = abs(HashLittle(values[0], strlen(values[0])));
+ if (ldap_count_values_len(values) > 0) {
+ uid = abs(HashLittle(values[0]->bv_val, values[0]->bv_len));
}
- ldap_value_free(values);
+ ldap_value_free(Xvalues);
}
}
else {
- values = ldap_get_values(ldserver, entry, "uidNumber"); // POSIX schema: uid = uidNumber
+ values = ldap_get_values_len(ldserver, entry, "uidNumber"); // POSIX schema: uid = uidNumber
if (values) {
- if (values[0]) {
- uid = atoi(values[0]);
+ if (ldap_count_values_len(values) > 0) {
+ uid = atoi(values[0]->bv_val);
}
- ldap_value_free(values);
+ ldap_value_free_len(values);
}
}
- syslog(LOG_DEBUG, "\033[31mldap: uid: <%d> \033[0m", uid);
+ syslog(LOG_DEBUG, "ldap: uid = %d", uid);
return(uid);
}
-
-
-/*
- * Wrapper function for ldap_initialize() that consistently fills in the correct fields
- */
+// Wrapper function for ldap_initialize() that consistently fills in the correct fields
int ctdl_ldap_initialize(LDAP **ld) {
char server_url[256];
}
-/*
- * Look up a user in the directory to see if this is an account that can be authenticated
- */
-int CtdlTryUserLDAP(char *username,
- char *found_dn, int found_dn_size,
- char *fullname, int fullname_size,
- uid_t *uid, int lookup_based_on_username)
-{
+// Bind to the LDAP server and return a working handle
+LDAP *ctdl_ldap_bind(void) {
LDAP *ldserver = NULL;
int i;
- LDAPMessage *search_result = NULL;
- LDAPMessage *entry = NULL;
- char searchstring[1024];
- struct timeval tv;
- char *user_dn = NULL;
-
- if (fullname) safestrncpy(fullname, username, fullname_size);
if (ctdl_ldap_initialize(&ldserver) != LDAP_SUCCESS) {
- return(errno);
+ return(NULL);
}
ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version);
striplt(CtdlGetConfigStr("c_ldap_bind_dn"));
striplt(CtdlGetConfigStr("c_ldap_bind_pw"));
- syslog(LOG_DEBUG, "ldap: bind DN: %s", CtdlGetConfigStr("c_ldap_bind_dn"));
i = ldap_simple_bind_s(ldserver,
(!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_dn")) ? CtdlGetConfigStr("c_ldap_bind_dn") : NULL),
(!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_pw")) ? CtdlGetConfigStr("c_ldap_bind_pw") : NULL)
);
if (i != LDAP_SUCCESS) {
syslog(LOG_ERR, "ldap: Cannot bind: %s (%d)", ldap_err2string(i), i);
- return(i);
+ return(NULL);
}
+ return(ldserver);
+}
+
+
+// Look up a user in the directory to see if this is an account that can be authenticated
+int CtdlTryUserLDAP(char *username, char *found_dn, int found_dn_size, char *fullname, int fullname_size, uid_t *uid) {
+ LDAP *ldserver = NULL;
+ LDAPMessage *search_result = NULL;
+ LDAPMessage *entry = NULL;
+ char searchstring[1024];
+ struct timeval tv;
+ char *user_dn = NULL;
+
+ ldserver = ctdl_ldap_bind();
+ if (!ldserver) return(-1);
+
+ if (fullname) safestrncpy(fullname, username, fullname_size);
tv.tv_sec = 10;
tv.tv_usec = 0;
if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) {
- if (lookup_based_on_username != 0)
- snprintf(searchstring, sizeof(searchstring), "(displayName=%s)",username);
- else
- snprintf(searchstring, sizeof(searchstring), "(sAMAccountName=%s)", username);
+ snprintf(searchstring, sizeof(searchstring), "(sAMAccountName=%s)", username);
}
else {
- if (lookup_based_on_username != 0) {
- snprintf(searchstring, sizeof(searchstring), "(cn=%s)",username);
- }
- else {
- snprintf(searchstring, sizeof(searchstring), "(&(objectclass=posixAccount)(uid=%s))", username);
- }
+ snprintf(searchstring, sizeof(searchstring), "(&(objectclass=posixAccount)(cn=%s))", username);
+ // snprintf(searchstring, sizeof(searchstring), "(&(objectclass=posixAccount)(uid=%s))", username);
}
syslog(LOG_DEBUG, "ldap: search: %s", searchstring);
- (void) ldap_search_ext_s(
- ldserver, /* ld */
- CtdlGetConfigStr("c_ldap_base_dn"), /* base */
- LDAP_SCOPE_SUBTREE, /* scope */
- searchstring, /* filter */
- NULL, /* attrs (all attributes) */
- 0, /* attrsonly (attrs + values) */
- NULL, /* serverctrls (none) */
- NULL, /* clientctrls (none) */
- &tv, /* timeout */
- 1, /* sizelimit (1 result max) */
- &search_result /* res */
- );
+ syslog(LOG_DEBUG, "ldap: search results: %s", ldap_err2string(ldap_search_ext_s(
+ ldserver, // ld
+ CtdlGetConfigStr("c_ldap_base_dn"), // base
+ LDAP_SCOPE_SUBTREE, // scope
+ searchstring, // filter
+ NULL, // attrs (all attributes)
+ 0, // attrsonly (attrs + values)
+ NULL, // serverctrls (none)
+ NULL, // clientctrls (none)
+ &tv, // timeout
+ 1, // sizelimit (1 result max)
+ &search_result // res
+ )));
- /* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
- * the search succeeds. Instead, we check to see whether search_result is still NULL.
- */
+ // Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
+ // the search succeeds. Instead, we check to see whether search_result is still NULL.
if (search_result == NULL) {
syslog(LOG_DEBUG, "ldap: zero search results were returned");
ldap_unbind(ldserver);
return(2);
}
- /* At this point we've got at least one result from our query. If there are multiple
- * results, we still only look at the first one.
- */
+ // At this point we've got at least one result from our query. If there are multiple
+ // results, we still only look at the first one.
entry = ldap_first_entry(ldserver, search_result);
if (entry) {
}
derive_fullname_from_ldap_result(fullname, fullname_size, ldserver, search_result);
-
- /* If we know the username is the CN/displayName, we already set the uid*/
- // FIXME old skool crap , fix this
- if (lookup_based_on_username == 0) {
- *uid = derive_uid_from_ldap(ldserver, search_result);
- }
+ *uid = derive_uid_from_ldap(ldserver, search_result);
}
- /* free the results */
+ // free the results
ldap_msgfree(search_result);
- /* unbind so we can go back in as the authenticating user */
+ // unbind so we can go back in as the authenticating user
ldap_unbind(ldserver);
if (!user_dn) {
}
-int CtdlTryPasswordLDAP(char *user_dn, const char *password)
-{
+int CtdlTryPasswordLDAP(char *user_dn, const char *password) {
LDAP *ldserver = NULL;
int i = (-1);
}
-/*
- * Learn LDAP attributes and stuff them into the vCard.
- * Returns nonzero if we changed anything.
- */
-int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v)
-{
+// Learn LDAP attributes and stuff them into the vCard.
+// Returns nonzero if we changed anything.
+int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v) {
int changed_something = 0;
LDAP *ldserver = NULL;
- int i;
struct timeval tv;
LDAPMessage *search_result = NULL;
LDAPMessage *entry = NULL;
if (!ldap_dn) return(0);
if (!v) return(0);
- if (ctdl_ldap_initialize(&ldserver) != LDAP_SUCCESS) {
- return(0);
- }
-
- ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version);
- ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
-
- striplt(CtdlGetConfigStr("c_ldap_bind_dn"));
- striplt(CtdlGetConfigStr("c_ldap_bind_pw"));
- syslog(LOG_DEBUG, "ldap: bind DN: %s", CtdlGetConfigStr("c_ldap_bind_dn"));
- i = ldap_simple_bind_s(ldserver,
- (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_dn")) ? CtdlGetConfigStr("c_ldap_bind_dn") : NULL),
- (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_pw")) ? CtdlGetConfigStr("c_ldap_bind_pw") : NULL)
- );
- if (i != LDAP_SUCCESS) {
- syslog(LOG_ERR, "ldap: Cannot bind: %s (%d)", ldap_err2string(i), i);
- return(0);
- }
+ ldserver = ctdl_ldap_bind();
+ if (!ldserver) return(-1);
tv.tv_sec = 10;
tv.tv_usec = 0;
syslog(LOG_DEBUG, "ldap: search: %s", ldap_dn);
- (void) ldap_search_ext_s(
+ syslog(LOG_DEBUG, "ldap: search results: %s", ldap_err2string(ldap_search_ext_s(
ldserver, // ld
ldap_dn, // base
LDAP_SCOPE_SUBTREE, // scope
&tv, // timeout
1, // sizelimit (1 result max)
&search_result // res
- );
+ )));
- /* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
- * the search succeeds. Instead, we check to see whether search_result is still NULL.
- */
+ // Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
+ // the search succeeds. Instead, we check to see whether search_result is still NULL.
if (search_result == NULL) {
syslog(LOG_DEBUG, "ldap: zero search results were returned");
ldap_unbind(ldserver);
return(0);
}
- /* At this point we've got at least one result from our query. If there are multiple
- * results, we still only look at the first one.
- */
+ // At this point we've got at least one result from our query. If there are multiple
+ // results, we still only look at the first one.
entry = ldap_first_entry(ldserver, search_result);
if (entry) {
syslog(LOG_DEBUG, "ldap: search got user details for vcard.");
if (title) ldap_value_free(title);
if (uuid) ldap_value_free(uuid);
}
- /* free the results */
+ // free the results
ldap_msgfree(search_result);
- /* unbind so we can go back in as the authenticating user */
+ // unbind so we can go back in as the authenticating user
ldap_unbind(ldserver);
- return(changed_something); /* tell the caller whether we made any changes */
+ return(changed_something); // tell the caller whether we made any changes
}
-/*
- * Extract a user's Internet email addresses from LDAP.
- * Returns zero if we got a valid set of addresses; nonzero for error.
- */
-int extract_email_addresses_from_ldap(char *ldap_dn, char *emailaddrs)
-{
+// Extract a user's Internet email addresses from LDAP.
+// Returns zero if we got a valid set of addresses; nonzero for error.
+int extract_email_addresses_from_ldap(char *ldap_dn, char *emailaddrs) {
LDAP *ldserver = NULL;
- int i;
struct timeval tv;
LDAPMessage *search_result = NULL;
LDAPMessage *entry = NULL;
if (!ldap_dn) return(1);
if (!emailaddrs) return(1);
- if (ctdl_ldap_initialize(&ldserver) != LDAP_SUCCESS) {
- return(2);
- }
-
- ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version);
- ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
-
- striplt(CtdlGetConfigStr("c_ldap_bind_dn"));
- striplt(CtdlGetConfigStr("c_ldap_bind_pw"));
- syslog(LOG_DEBUG, "ldap: bind DN: %s", CtdlGetConfigStr("c_ldap_bind_dn"));
- i = ldap_simple_bind_s(ldserver,
- (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_dn")) ? CtdlGetConfigStr("c_ldap_bind_dn") : NULL),
- (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_pw")) ? CtdlGetConfigStr("c_ldap_bind_pw") : NULL)
- );
- if (i != LDAP_SUCCESS) {
- syslog(LOG_ERR, "ldap: Cannot bind: %s (%d)", ldap_err2string(i), i);
- return(3);
- }
+ ldserver = ctdl_ldap_bind();
+ if (!ldserver) return(-1);
tv.tv_sec = 10;
tv.tv_usec = 0;
syslog(LOG_DEBUG, "ldap: search: %s", ldap_dn);
- (void) ldap_search_ext_s(
+ syslog(LOG_DEBUG, "ldap: search results: %s", ldap_err2string(ldap_search_ext_s(
ldserver, // ld
ldap_dn, // base
LDAP_SCOPE_SUBTREE, // scope
&tv, // timeout
1, // sizelimit (1 result max)
&search_result // res
- );
+ )));
- /* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
- * the search succeeds. Instead, we check to see whether search_result is still NULL.
- */
+ // Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
+ // the search succeeds. Instead, we check to see whether search_result is still NULL.
if (search_result == NULL) {
syslog(LOG_DEBUG, "ldap: zero search results were returned");
ldap_unbind(ldserver);
return(4);
}
- /* At this point we've got at least one result from our query. If there are multiple
- * results, we still only look at the first one.
- */
- emailaddrs[0] = 0; /* clear out any previous results */
+ // At this point we've got at least one result from our query. If there are multiple
+ // results, we still only look at the first one.
+ emailaddrs[0] = 0; // clear out any previous results
entry = ldap_first_entry(ldserver, search_result);
if (entry) {
syslog(LOG_DEBUG, "ldap: search got user details");
- mail=ldap_get_values(ldserver, search_result, "mail");
+ mail = ldap_get_values(ldserver, search_result, "mail");
if (mail) {
int q;
for (q=0; q<ldap_count_values(mail); ++q) {
if (IsDirectory(mail[q], 0)) {
- syslog(LOG_DEBUG, "\035FIXME YES DIRECTORY %s\033[0m", mail[q]);
if ((strlen(emailaddrs) + strlen(mail[q]) + 2) > 512) {
syslog(LOG_ERR, "ldap: can't fit all email addresses into user record");
}
}
}
- /* free the results */
+ // free the results
ldap_msgfree(search_result);
- /* unbind so we can go back in as the authenticating user */
+ // unbind so we can go back in as the authenticating user
ldap_unbind(ldserver);
return(0);
}
-/*
- * Scan LDAP for users and populate Citadel's user database with everyone
- */
-void CtdlSynchronizeUsersFromLDAP(void)
-{
+// Scan LDAP for users and populate Citadel's user database with everyone
+void CtdlSynchronizeUsersFromLDAP(void) {
LDAP *ldserver = NULL;
- int i;
LDAPMessage *search_result = NULL;
LDAPMessage *entry = NULL;
char *user_dn = NULL;
struct timeval tv;
if ((CtdlGetConfigInt("c_auth_mode") != AUTHMODE_LDAP) && (CtdlGetConfigInt("c_auth_mode") != AUTHMODE_LDAP_AD)) {
- return; // not running LDAP
+ return; // not running LDAP
}
syslog(LOG_INFO, "ldap: synchronizing Citadel user database from LDAP");
- if (ctdl_ldap_initialize(&ldserver) != LDAP_SUCCESS) {
- return;
- }
-
- ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version);
- ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
-
- striplt(CtdlGetConfigStr("c_ldap_bind_dn"));
- striplt(CtdlGetConfigStr("c_ldap_bind_pw"));
- syslog(LOG_DEBUG, "ldap: bind DN: %s", CtdlGetConfigStr("c_ldap_bind_dn"));
- i = ldap_simple_bind_s(ldserver,
- (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_dn")) ? CtdlGetConfigStr("c_ldap_bind_dn") : NULL),
- (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_pw")) ? CtdlGetConfigStr("c_ldap_bind_pw") : NULL)
- );
- if (i != LDAP_SUCCESS) {
- syslog(LOG_ERR, "ldap: Cannot bind: %s (%d)", ldap_err2string(i), i);
- return;
- }
+ ldserver = ctdl_ldap_bind();
+ if (!ldserver) return;
tv.tv_sec = 10;
tv.tv_usec = 0;
if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) {
snprintf(searchstring, sizeof(searchstring), "(&(objectClass=user)(objectClass=person)(!(objectClass=computer)))");
- } else {
+ }
+ else {
snprintf(searchstring, sizeof(searchstring), "(objectClass=inetOrgPerson)");
}
syslog(LOG_DEBUG, "ldap: search: %s", searchstring);
- (void) ldap_search_ext_s(
+ syslog(LOG_DEBUG, "ldap: search results: %s", ldap_err2string(ldap_search_ext_s(
ldserver, // ld
CtdlGetConfigStr("c_ldap_base_dn"), // base
LDAP_SCOPE_SUBTREE, // scope
&tv, // timeout
INT_MAX, // sizelimit (max)
&search_result // result
- );
+ )));
- /* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
- * the search succeeds. Instead, we check to see whether search_result is still NULL.
- */
+ // Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
+ // the search succeeds. Instead, we check to see whether search_result is still NULL.
if (search_result == NULL) {
syslog(LOG_DEBUG, "ldap: zero search results were returned");
ldap_unbind(ldserver);
}
syslog(LOG_DEBUG, "ldap: %d entries returned", ldap_count_entries(ldserver, search_result));
- entry = ldap_first_entry(ldserver, search_result);
- while (entry) {
-
+ for (entry=ldap_first_entry(ldserver, search_result); entry!=NULL; entry=ldap_next_entry(ldserver, entry)) {
user_dn = ldap_get_dn(ldserver, entry);
if (user_dn) {
syslog(LOG_DEBUG, "ldap: found %s", user_dn);
int fullname_size = 256;
char fullname[256] = { 0 } ;
uid_t uid = (-1);
+ char new_emailaddrs[512] = { 0 } ;
- derive_fullname_from_ldap_result(fullname, fullname_size, ldserver, entry);
uid = derive_uid_from_ldap(ldserver, entry);
- syslog(LOG_DEBUG, "\033[33mldap: display name: <%s> , uid = <%d>\033[0m", fullname, uid);
+ derive_fullname_from_ldap_result(fullname, fullname_size, ldserver, entry);
+ syslog(LOG_DEBUG, "ldap: display name: <%s> , uid = <%d>", fullname, uid);
- // FIXME now create or update the user
+ // now create or update the user
+ int found_user;
+ struct ctdluser usbuf;
+ found_user = getuserbyuid(&usbuf, uid);
+ if (found_user != 0) {
+ create_user(fullname, CREATE_USER_DO_NOT_BECOME_USER, uid);
+ found_user = getuserbyuid(&usbuf, uid);
+ strcpy(fullname, usbuf.fullname);
+ }
+ if (found_user == 0) { // user record exists
+ // now update the account email addresses if necessary
+ if (CtdlGetConfigInt("c_ldap_sync_email_addrs") > 0) {
+ if (extract_email_addresses_from_ldap(user_dn, new_emailaddrs) == 0) {
+ if (strcmp(usbuf.emailaddrs, new_emailaddrs)) { // update only if changed
+ CtdlSetEmailAddressesForUser(usbuf.fullname, new_emailaddrs);
+ }
+ }
+ }
+ }
+ ldap_memfree(user_dn);
}
-
- entry = ldap_next_entry(ldserver, entry);
}
- /* free the results */
+ // free the results
ldap_msgfree(search_result);
- /* unbind so we can go back in as the authenticating user */
+ // unbind so we can go back in as the authenticating user
ldap_unbind(ldserver);
}
-
-#endif /* HAVE_LDAP */