-/* $Cambridge: exim/src/src/lookups/ldap.c,v 1.12 2006/07/17 09:18:09 ph10 Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2006 */
+/* Copyright (c) University of Cambridge 1995 - 2016 */
/* See the file NOTICE for conditions of use and distribution. */
/* Many thanks to Stuart Lynne for contributing the original code for this
-driver. Further contibutions from Michael Haardt, Brian Candler, Barry
+driver. Further contributions from Michael Haardt, Brian Candler, Barry
Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for
researching how to handle the different kinds of error. */
#include "../exim.h"
#include "lf_functions.h"
-#include "ldap.h"
-
-
-/* We can't just compile this code and allow the library mechanism to omit the
-functions if they are not wanted, because we need to have the LDAP headers
-available for compiling. Therefore, compile these functions only if LOOKUP_LDAP
-is defined. However, some compilers don't like compiling empty modules, so keep
-them happy with a dummy when skipping the rest. Make it reference itself to
-stop picky compilers complaining that it is unused, and put in a dummy argument
-to stop even pickier compilers complaining about infinite loops. */
-
-#ifndef LOOKUP_LDAP
-static void dummy(int x) { dummy(x-1); }
-#else
/* Include LDAP headers. The code below uses some "old" LDAP interfaces that
uschar *password;
BOOL bound;
int port;
+ BOOL is_start_tls_called;
LDAP *ld;
} LDAP_CONNECTION;
*/
static int
-perform_ldap_search(uschar *ldap_url, uschar *server, int s_port, int search_type,
- uschar **res, uschar **errmsg, BOOL *defer_break, uschar *user, uschar *password,
- int sizelimit, int timelimit, int tcplimit, int dereference, void *referrals)
+perform_ldap_search(const uschar *ldap_url, uschar *server, int s_port,
+ int search_type, uschar **res, uschar **errmsg, BOOL *defer_break,
+ uschar *user, uschar *password, int sizelimit, int timelimit, int tcplimit,
+ int dereference, void *referrals)
{
LDAPURLDesc *ludp = NULL;
LDAPMessage *result = NULL;
uschar *error2 = NULL; /* error message from the server */
uschar *matched = NULL; /* partially matched DN */
-int attr_count = 0;
+int attrs_requested = 0;
int error_yield = DEFER;
int msgid;
int rc, ldap_rc, ldap_parse_rc;
/* Count the attributes; we need this later to tell us how to format results */
for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++)
- attr_count++;
+ attrs_requested++;
/* See if we can find a cached connection to this host. The port is not
relevant for ldapi. The host name pointer is set to NULL if no host was given
{
LDAP *ld;
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ int am_server = 0;
+ LDAP *ldsetctx;
+ #else
+ LDAP *ldsetctx = NULL;
+ #endif
+
/* --------------------------- OpenLDAP ------------------------ */
goto RETURN_ERROR;
}
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ ldsetctx = ld;
+ #endif
+
/* Set the TCP connect time limit if available. This is something that is
in Netscape SDK v4.1; I don't know about other libraries. */
if (!ldapi)
{
int tls_option;
+ #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ if (eldap_require_cert != NULL)
+ {
+ tls_option = LDAP_OPT_X_TLS_NEVER;
+ if (Ustrcmp(eldap_require_cert, "hard") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_HARD;
+ }
+ else if (Ustrcmp(eldap_require_cert, "demand") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_DEMAND;
+ }
+ else if (Ustrcmp(eldap_require_cert, "allow") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_ALLOW;
+ }
+ else if (Ustrcmp(eldap_require_cert, "try") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_TRY;
+ }
+ DEBUG(D_lookup)
+ debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
+ tls_option);
+ }
+ else
+ #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
{
tls_option = LDAP_OPT_X_TLS_HARD;
- DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n");
+ DEBUG(D_lookup)
+ debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
}
else
{
tls_option = LDAP_OPT_X_TLS_TRY;
- DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n");
+ DEBUG(D_lookup)
+ debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
}
ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
}
#endif /* LDAP_OPT_X_TLS */
+ #ifdef LDAP_OPT_X_TLS_CACERTFILE
+ if (eldap_ca_cert_file != NULL)
+ {
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_CACERTDIR
+ if (eldap_ca_cert_dir != NULL)
+ {
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_CERTFILE
+ if (eldap_cert_file != NULL)
+ {
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_KEYFILE
+ if (eldap_cert_key != NULL)
+ {
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+ if (eldap_cipher_suite != NULL)
+ {
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ if (eldap_require_cert != NULL)
+ {
+ int cert_option = LDAP_OPT_X_TLS_NEVER;
+ if (Ustrcmp(eldap_require_cert, "hard") == 0)
+ {
+ cert_option = LDAP_OPT_X_TLS_HARD;
+ }
+ else if (Ustrcmp(eldap_require_cert, "demand") == 0)
+ {
+ cert_option = LDAP_OPT_X_TLS_DEMAND;
+ }
+ else if (Ustrcmp(eldap_require_cert, "allow") == 0)
+ {
+ cert_option = LDAP_OPT_X_TLS_ALLOW;
+ }
+ else if (Ustrcmp(eldap_require_cert, "try") == 0)
+ {
+ cert_option = LDAP_OPT_X_TLS_TRY;
+ }
+ /* This ldap handle is set at compile time based on client libs. Older
+ * versions want it to be global and newer versions can force a reload
+ * of the TLS context (to reload these settings we are changing from the
+ * default that loaded at instantiation). */
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ if (rc)
+ {
+ DEBUG(D_lookup)
+ debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
+ cert_option, ldap_err2string(rc));
+ }
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
+ if (rc)
+ {
+ DEBUG(D_lookup)
+ debug_printf("Unable to reload TLS context %d: %s\n",
+ rc, ldap_err2string(rc));
+ }
+ #endif
+
/* Now add this connection to the chain of cached connections */
lcp = store_get(sizeof(LDAP_CONNECTION));
lcp->port = port;
lcp->ld = ld;
lcp->next = ldap_connections;
+ lcp->is_start_tls_called = FALSE;
ldap_connections = lcp;
}
{
DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
(lcp->bound)? "re-" : "", user, password);
+ if (eldap_start_tls && !lcp->is_start_tls_called && !ldapi)
+ {
+#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
+ /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
+ * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
+ * export an ldap_start_tls_s symbol.
+ */
+ if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
+ {
+ *errmsg = string_sprintf("failed to initiate TLS processing on an "
+ "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
+ " %s", host, porttext, rc, ldap_err2string(rc));
+ goto RETURN_ERROR;
+ }
+ lcp->is_start_tls_called = TRUE;
+#else
+ DEBUG(D_lookup)
+ debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
+#endif
+ }
if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
== -1)
{
LDAP_RES_SEARCH_ENTRY)
{
LDAPMessage *e;
+ int valuecount; /* We can see an attr spread across several
+ entries. If B is derived from A and we request
+ A and the directory contains both, A and B,
+ then we get two entries, one for A and one for B.
+ Here we just count the values per entry */
- DEBUG(D_lookup) debug_printf("ldap_result loop\n");
+ DEBUG(D_lookup) debug_printf("LDAP result loop\n");
- for(e = ldap_first_entry(lcp->ld, result);
+ for(e = ldap_first_entry(lcp->ld, result), valuecount = 0;
e != NULL;
e = ldap_next_entry(lcp->ld, e))
{
/* Results for multiple entries values are separated by newlines. */
- if (data != NULL) data = string_cat(data, &size, &ptr, US"\n", 1);
+ if (data != NULL) data = string_catn(data, &size, &ptr, US"\n", 1);
/* Get the DN from the last result. */
{ /* condition, because of the else */
if (new_dn != NULL) /* below, that's for the first only */
{
- data = string_cat(data, &size, &ptr, new_dn, Ustrlen(new_dn));
+ data = string_cat(data, &size, &ptr, new_dn);
data[ptr] = 0;
attribute_found = TRUE;
}
/* Otherwise, loop through the entry, grabbing attribute values. If there's
only one attribute being retrieved, no attribute name is given, and the
- result is not quoted. Multiple values are separated by (comma, space).
+ result is not quoted. Multiple values are separated by (comma).
If more than one attribute is being retrieved, the data is given as a
- sequence of name=value pairs, with the value always in quotes. If there are
- multiple values, they are given within the quotes, comma separated. */
+ sequence of name=value pairs, separated by (space), with the value always in quotes.
+ If there are multiple values, they are given within the quotes, comma separated. */
else for (attr = US ldap_first_attribute(lcp->ld, e, &ber);
attr != NULL;
attr = US ldap_next_attribute(lcp->ld, e, ber))
{
+ DEBUG(D_lookup) debug_printf("LDAP attr loop\n");
+
+ /* In case of attrs_requested == 1 we just count the values, in all other cases
+ (0, >1) we count the values per attribute */
+ if (attrs_requested != 1) valuecount = 0;
+
if (attr[0] != 0)
{
/* Get array of values for this attribute. */
if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr))
!= NULL)
{
- if (attr_count != 1)
+
+ if (attrs_requested != 1)
{
if (insert_space)
- data = string_cat(data, &size, &ptr, US" ", 1);
+ data = string_catn(data, &size, &ptr, US" ", 1);
else
insert_space = TRUE;
- data = string_cat(data, &size, &ptr, attr, Ustrlen(attr));
- data = string_cat(data, &size, &ptr, US"=\"", 2);
+ data = string_cat(data, &size, &ptr, attr);
+ data = string_catn(data, &size, &ptr, US"=\"", 2);
}
while (*values != NULL)
{
uschar *value = *values;
int len = Ustrlen(value);
+ ++valuecount;
+
+ DEBUG(D_lookup) debug_printf("LDAP value loop %s:%s\n", attr, value);
- DEBUG(D_lookup) debug_printf("LDAP attr loop %s:%s\n", attr, value);
+ /* In case we requested one attribute only but got several times
+ into that attr loop, we need to append the additional values.
+ (This may happen if you derive attributeTypes B and C from A and
+ then query for A.) In all other cases we detect the different
+ attribute and append only every non first value. */
- if (values != firstval)
- data = string_cat(data, &size, &ptr, US", ", 2);
+ if (data && valuecount > 1)
+ data = string_catn(data, &size, &ptr, US",", 1);
/* For multiple attributes, the data is in quotes. We must escape
- internal quotes, backslashes, newlines. */
+ internal quotes, backslashes, newlines, and must double commas. */
- if (attr_count != 1)
+ if (attrs_requested != 1)
{
int j;
for (j = 0; j < len; j++)
{
if (value[j] == '\n')
- data = string_cat(data, &size, &ptr, US"\\n", 2);
+ data = string_catn(data, &size, &ptr, US"\\n", 2);
+ else if (value[j] == ',')
+ data = string_catn(data, &size, &ptr, US",,", 2);
else
{
if (value[j] == '\"' || value[j] == '\\')
- data = string_cat(data, &size, &ptr, US"\\", 1);
- data = string_cat(data, &size, &ptr, value+j, 1);
+ data = string_catn(data, &size, &ptr, US"\\", 1);
+ data = string_catn(data, &size, &ptr, value+j, 1);
}
}
}
- /* For single attributes, copy the value verbatim */
+ /* For single attributes, just double commas */
+
+ else
+ {
+ int j;
+ for (j = 0; j < len; j++)
+ if (value[j] == ',')
+ data = string_catn(data, &size, &ptr, US",,", 2);
+ else
+ data = string_catn(data, &size, &ptr, value+j, 1);
+ }
- else data = string_cat(data, &size, &ptr, value, len);
/* Move on to the next value */
/* Closing quote at the end of the data for a named attribute. */
- if (attr_count != 1)
- data = string_cat(data, &size, &ptr, US"\"", 1);
+ if (attrs_requested != 1)
+ data = string_catn(data, &size, &ptr, US"\"", 1);
/* Free the values */
(1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the
truncated result list.
- (2) The range of errors defined by LDAP_NAME_ERROR generally mean "that
+ (2) If we get LDAP_RES_SEARCH_REFERENCE, also just carry on. This was a
+ submitted patch that is reported to "do the right thing" with Solaris
+ LDAP libraries. (The problem it addresses apparently does not occur with
+ Open LDAP.)
+
+ (3) The range of errors defined by LDAP_NAME_ERROR generally mean "that
object does not, or cannot, exist in the database". For those cases we
fail the lookup.
- (3) All other non-successes here are treated as some kind of problem with
+ (4) All other non-successes here are treated as some kind of problem with
the lookup, so return DEFER (which is the default in error_yield).
*/
DEBUG(D_lookup) debug_printf("ldap_parse_result yielded %d: %s\n",
rc, ldap_err2string(rc));
-if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED)
+if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED
+ #ifdef LDAP_RES_SEARCH_REFERENCE
+ && rc != LDAP_RES_SEARCH_REFERENCE
+ #endif
+ )
{
*errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
rc,
*/
static int
-control_ldap_search(uschar *ldap_url, int search_type, uschar **res,
+control_ldap_search(const uschar *ldap_url, int search_type, uschar **res,
uschar **errmsg)
{
BOOL defer_break = FALSE;
int sep = 0;
int dereference = LDAP_DEREF_NEVER;
void* referrals = LDAP_OPT_ON;
-uschar *url = ldap_url;
-uschar *p;
+const uschar *url = ldap_url;
+const uschar *p;
uschar *user = NULL;
uschar *password = NULL;
-uschar *server, *list;
+uschar *local_servers = NULL;
+uschar *server;
+const uschar *list;
uschar buffer[512];
while (isspace(*url)) url++;
while (strncmpic(url, US"ldap", 4) != 0)
{
- uschar *name = url;
+ const uschar *name = url;
while (*url != 0 && *url != '=') url++;
if (*url == '=')
{
else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
+ else if (strncmpic(name, US"SERVERS=", namelen) == 0) local_servers = value;
/* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
/* No default servers, or URL contains a server name: just one attempt */
-if (eldap_default_servers == NULL || p[3] != '/')
+if ((eldap_default_servers == NULL && local_servers == NULL) || p[3] != '/')
{
return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
&defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
referrals);
}
-/* Loop through the default servers until OK or FAIL */
-
-list = eldap_default_servers;
+/* Loop through the default servers until OK or FAIL. Use local_servers list
+ * if defined in the lookup, otherwise use the global default list */
+list = (local_servers == NULL) ? eldap_default_servers : local_servers;
while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
{
int rc;
are handled by a common function, with a flag to differentiate between them.
The handle and filename arguments are not used. */
-int
-eldap_find(void *handle, uschar *filename, uschar *ldap_url, int length,
- uschar **result, uschar **errmsg, BOOL *do_cache)
+static int
+eldap_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
+ uschar **result, uschar **errmsg, uint *do_cache)
{
/* Keep picky compilers happy */
do_cache = do_cache;
return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg));
}
-int
-eldapm_find(void *handle, uschar *filename, uschar *ldap_url, int length,
- uschar **result, uschar **errmsg, BOOL *do_cache)
+static int
+eldapm_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
+ uschar **result, uschar **errmsg, uint *do_cache)
{
/* Keep picky compilers happy */
do_cache = do_cache;
return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg));
}
-int
-eldapdn_find(void *handle, uschar *filename, uschar *ldap_url, int length,
- uschar **result, uschar **errmsg, BOOL *do_cache)
+static int
+eldapdn_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
+ uschar **result, uschar **errmsg, uint *do_cache)
{
/* Keep picky compilers happy */
do_cache = do_cache;
}
int
-eldapauth_find(void *handle, uschar *filename, uschar *ldap_url, int length,
- uschar **result, uschar **errmsg, BOOL *do_cache)
+eldapauth_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
+ uschar **result, uschar **errmsg, uint *do_cache)
{
/* Keep picky compilers happy */
do_cache = do_cache;
/* See local README for interface description. */
-void *
+static void *
eldap_open(uschar *filename, uschar **errmsg)
{
return (void *)(1); /* Just return something non-null */
/* See local README for interface description.
Make sure that eldap_dn does not refer to reclaimed or worse, freed store */
-void
+static void
eldap_tidy(void)
{
LDAP_CONNECTION *lcp = NULL;
{
DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
lcp->port);
- ldap_unbind(lcp->ld);
+ if(lcp->bound == TRUE)
+ ldap_unbind(lcp->ld);
ldap_connections = lcp->next;
}
}
-uschar *
+static uschar *
eldap_quote(uschar *s, uschar *opt)
{
register int c;
return quoted;
}
-#endif /* LOOKUP_LDAP */
+
+
+/*************************************************
+* Version reporting entry point *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+void
+ldap_version_report(FILE *f)
+{
+#ifdef DYNLOOKUP
+fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+}
+
+
+static lookup_info ldap_lookup_info = {
+ US"ldap", /* lookup name */
+ lookup_querystyle, /* query-style lookup */
+ eldap_open, /* open function */
+ NULL, /* check function */
+ eldap_find, /* find function */
+ NULL, /* no close function */
+ eldap_tidy, /* tidy function */
+ eldap_quote, /* quoting function */
+ ldap_version_report /* version reporting */
+};
+
+static lookup_info ldapdn_lookup_info = {
+ US"ldapdn", /* lookup name */
+ lookup_querystyle, /* query-style lookup */
+ eldap_open, /* sic */ /* open function */
+ NULL, /* check function */
+ eldapdn_find, /* find function */
+ NULL, /* no close function */
+ eldap_tidy, /* sic */ /* tidy function */
+ eldap_quote, /* sic */ /* quoting function */
+ NULL /* no version reporting (redundant) */
+};
+
+static lookup_info ldapm_lookup_info = {
+ US"ldapm", /* lookup name */
+ lookup_querystyle, /* query-style lookup */
+ eldap_open, /* sic */ /* open function */
+ NULL, /* check function */
+ eldapm_find, /* find function */
+ NULL, /* no close function */
+ eldap_tidy, /* sic */ /* tidy function */
+ eldap_quote, /* sic */ /* quoting function */
+ NULL /* no version reporting (redundant) */
+};
+
+#ifdef DYNLOOKUP
+#define ldap_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &ldap_lookup_info, &ldapdn_lookup_info, &ldapm_lookup_info };
+lookup_module_info ldap_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
/* End of lookups/ldap.c */