X-Git-Url: https://code.citadel.org/?a=blobdiff_plain;f=citadel%2Fldap.c;h=9d280186487556576427f29861f72846533a586b;hb=19425c9d96e47042a82935ae65ba53981003223f;hp=06f894f7dab3fcb5f1c8b17ec0040afeb1e86972;hpb=e4e565f82dfc9d41f03192eb23143f31c1921c7a;p=citadel.git

diff --git a/citadel/ldap.c b/citadel/ldap.c
index 06f894f7d..9d2801864 100644
--- a/citadel/ldap.c
+++ b/citadel/ldap.c
@@ -1,10 +1,25 @@
 /*
- * 
+ * These functions implement the portions of AUTHMODE_LDAP and AUTHMODE_LDAP_AD which
+ * actually speak to the LDAP server.
+ *
+ * Copyright (c) 2011 by Art Cancro and the citadel.org development team.
+ *
+ * This program is open source software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
-
-int ldap_version = 3;
-
+int ctdl_require_ldap_version = 3;
 
 #include "sysdep.h"
 #include <errno.h>
@@ -39,7 +54,6 @@ int ldap_version = 3;
 #include "citadel.h"
 #include "server.h"
 #include "database.h"
-#include "user_ops.h"
 #include "sysdep_decls.h"
 #include "support.h"
 #include "room_ops.h"
@@ -52,11 +66,11 @@ int ldap_version = 3;
 #include "genstamp.h"
 #include "threads.h"
 #include "citadel_ldap.h"
+#include "ctdl_module.h"
+#include "user_ops.h"
 
 #ifdef HAVE_LDAP
-
-#define LDAP_DEPRECATED 1	/* Needed to suppress misleading warnings */
-
+#define LDAP_DEPRECATED 1 	/* Suppress libldap's warning that we are using deprecated API calls */
 #include <ldap.h>
 
 int CtdlTryUserLDAP(char *username,
@@ -77,48 +91,58 @@ int CtdlTryUserLDAP(char *username,
 
 	ldserver = ldap_init(config.c_ldap_host, config.c_ldap_port);
 	if (ldserver == NULL) {
-		CtdlLogPrintf(CTDL_ALERT, "LDAP: Could not connect to %s:%d : %s\n",
+		syslog(LOG_ALERT, "LDAP: Could not connect to %s:%d : %s\n",
 			config.c_ldap_host, config.c_ldap_port,
-			strerror(errno));
+			strerror(errno)
+		);
 		return(errno);
 	}
 
-	ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
+	ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version);
+	ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
 
 	striplt(config.c_ldap_bind_dn);
 	striplt(config.c_ldap_bind_pw);
+	syslog(LOG_DEBUG, "LDAP bind DN: %s\n", config.c_ldap_bind_dn);
 	i = ldap_simple_bind_s(ldserver,
 		(!IsEmptyStr(config.c_ldap_bind_dn) ? config.c_ldap_bind_dn : NULL),
 		(!IsEmptyStr(config.c_ldap_bind_pw) ? config.c_ldap_bind_pw : NULL)
 	);
 	if (i != LDAP_SUCCESS) {
-		CtdlLogPrintf(CTDL_ALERT, "LDAP: Cannot bind: %s (%d)\n", ldap_err2string(i), i);
+		syslog(LOG_ALERT, "LDAP: Cannot bind: %s (%d)\n", ldap_err2string(i), i);
 		return(i);
 	}
 
 	tv.tv_sec = 10;
 	tv.tv_usec = 0;
 
-	sprintf(searchstring, SEARCH_STRING, username);
+	if (config.c_auth_mode == AUTHMODE_LDAP_AD) {
+		sprintf(searchstring, "(sAMAccountName=%s)", username);
+	}
+	else {
+		sprintf(searchstring, "(&(objectclass=posixAccount)(uid=%s))", username);
+	}
 
-	i = ldap_search_st(ldserver,
-		config.c_ldap_base_dn,
-		LDAP_SCOPE_SUBTREE,
-		searchstring,
-		NULL,	// return all attributes
-		0,	// attributes + values
-		&tv,	// timeout
-		&search_result
+	syslog(LOG_DEBUG, "LDAP search: %s\n", searchstring);
+	(void) ldap_search_ext_s(
+		ldserver,					/* ld				*/
+		config.c_ldap_base_dn,				/* base				*/
+		LDAP_SCOPE_SUBTREE,				/* scope			*/
+		searchstring,					/* filter			*/
+		NULL,						/* attrs (all attributes)	*/
+		0,						/* attrsonly (attrs + values)	*/
+		NULL,						/* serverctrls (none)		*/
+		NULL,						/* clientctrls (none)		*/
+		&tv,						/* timeout			*/
+		1,						/* sizelimit (1 result max)	*/
+		&search_result					/* res				*/
 	);
-	if (i != LDAP_SUCCESS) {
-		CtdlLogPrintf(CTDL_DEBUG,
-			"Couldn't find what I was looking for: %s (%d)\n", ldap_err2string(i), i);
-		ldap_unbind(ldserver);
-		return(i);
-	}
 
+	/* Ignore the return value of ldap_search_ext_s().  Sometimes it returns an error even when
+	 * the search succeeds.  Instead, we check to see whether search_result is still NULL.
+	 */
 	if (search_result == NULL) {
-		CtdlLogPrintf(CTDL_DEBUG, "No results were returned\n");
+		syslog(LOG_DEBUG, "LDAP search: zero results were returned\n");
 		ldap_unbind(ldserver);
 		return(2);
 	}
@@ -131,35 +155,53 @@ int CtdlTryUserLDAP(char *username,
 
 		user_dn = ldap_get_dn(ldserver, entry);
 		if (user_dn) {
-			CtdlLogPrintf(CTDL_DEBUG, "dn = %s\n", user_dn);
+			syslog(LOG_DEBUG, "dn = %s\n", user_dn);
 		}
 
-		values = ldap_get_values(ldserver, search_result, "cn");
-		if (values) {
-			if (values[0]) {
-				if (fullname) safestrncpy(fullname, values[0], fullname_size);
-				CtdlLogPrintf(CTDL_DEBUG, "cn = %s\n", values[0]);
+		if (config.c_auth_mode == AUTHMODE_LDAP_AD) {
+			values = ldap_get_values(ldserver, search_result, "displayName");
+			if (values) {
+				if (values[0]) {
+					if (fullname) safestrncpy(fullname, values[0], fullname_size);
+					syslog(LOG_DEBUG, "displayName = %s\n", values[0]);
+				}
+				ldap_value_free(values);
 			}
-			ldap_value_free(values);
 		}
-
-		values = ldap_get_values(ldserver, search_result, "uidNumber");
-		if (values) {
-			if (values[0]) {
-				CtdlLogPrintf(CTDL_DEBUG, "uidNumber = %s\n", values[0]);
-				if (uid != NULL) {
-					*uid = atoi(values[0]);
+		else {
+			values = ldap_get_values(ldserver, search_result, "cn");
+			if (values) {
+				if (values[0]) {
+					if (fullname) safestrncpy(fullname, values[0], fullname_size);
+					syslog(LOG_DEBUG, "cn = %s\n", values[0]);
 				}
+				ldap_value_free(values);
 			}
-			ldap_value_free(values);
 		}
 
-		values = ldap_get_values(ldserver, search_result, "objectGUID");
-		if (values) {
-			if (values[0]) {
-				CtdlLogPrintf(CTDL_DEBUG, "objectGUID = (%d characers)\n", strlen(values[0]));
+		if (config.c_auth_mode == AUTHMODE_LDAP_AD) {
+			values = ldap_get_values(ldserver, search_result, "objectGUID");
+			if (values) {
+				if (values[0]) {
+					if (uid != NULL) {
+						*uid = abs(HashLittle(values[0], strlen(values[0])));
+						syslog(LOG_DEBUG, "uid hashed from objectGUID = %d\n", *uid);
+					}
+				}
+				ldap_value_free(values);
+			}
+		}
+		else {
+			values = ldap_get_values(ldserver, search_result, "uidNumber");
+			if (values) {
+				if (values[0]) {
+					syslog(LOG_DEBUG, "uidNumber = %s\n", values[0]);
+					if (uid != NULL) {
+						*uid = atoi(values[0]);
+					}
+				}
+				ldap_value_free(values);
 			}
-			ldap_value_free(values);
 		}
 
 	}
@@ -171,7 +213,7 @@ int CtdlTryUserLDAP(char *username,
 	ldap_unbind(ldserver);
 
 	if (!user_dn) {
-		CtdlLogPrintf(CTDL_DEBUG, "No such user was found.\n");
+		syslog(LOG_DEBUG, "No such user was found.\n");
 		return(4);
 	}
 
@@ -181,21 +223,28 @@ int CtdlTryUserLDAP(char *username,
 }
 
 
-int CtdlTryPasswordLDAP(char *user_dn, char *password)
+int CtdlTryPasswordLDAP(char *user_dn, const char *password)
 {
 	LDAP *ldserver = NULL;
 	int i = (-1);
 
+	if (IsEmptyStr(password)) {
+		syslog(LOG_DEBUG, "LDAP: empty passwords are not permitted\n");
+		return(1);
+	}
+
+	syslog(LOG_DEBUG, "LDAP: trying to bind as %s\n", user_dn);
 	ldserver = ldap_init(config.c_ldap_host, config.c_ldap_port);
 	if (ldserver) {
-		ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
+		ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version);
 		i = ldap_simple_bind_s(ldserver, user_dn, password);
 		if (i == LDAP_SUCCESS) {
-			CtdlLogPrintf(CTDL_DEBUG, "LDAP: bind succeeded\n");
+			syslog(LOG_DEBUG, "LDAP: bind succeeded\n");
 		}
 		else {
-			CtdlLogPrintf(CTDL_DEBUG, "LDAP: Cannot bind: %s (%d)\n", ldap_err2string(i), i);
+			syslog(LOG_DEBUG, "LDAP: Cannot bind: %s (%d)\n", ldap_err2string(i), i);
 		}
+		ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
 		ldap_unbind(ldserver);
 	}
 
@@ -207,6 +256,31 @@ int CtdlTryPasswordLDAP(char *user_dn, char *password)
 }
 
 
+/*
+ * Learn LDAP attributes and stuff them into the vCard.
+ * Returns nonzero if we changed anything.
+ */
+int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v)
+{
+	int changed_something = 0;
+
+	if (!ldap_dn) return(0);
+	if (!v) return(0);
+
+	/*
+	 * FIXME this is a stub function
+	 *
+	 * ldap_dn will contain the DN of the user, and v will contain a pointer to
+	 * the vCard that needs to be (re-)populated.  Put the requisite LDAP code here.
+	 *
+	vcard_set_prop(v, "email;internet", xxx, 0);
+	 *
+	 * return nonzero to tell the caller that we made changes that need to be saved
+	changed_something = 1;
+	 *
+	 */
 
+	return(changed_something);	/* tell the caller whether we made any changes */
+}
 
 #endif /* HAVE_LDAP */