X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/184e88237dea64ce48076cdd0184612d057cbafd..5428a9463ae1080029a84a1b33e4a8a6915c5f28:/src/src/lookups/ldap.c diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c index 048066e25..a25868f59 100644 --- a/src/src/lookups/ldap.c +++ b/src/src/lookups/ldap.c @@ -1,10 +1,8 @@ -/* $Cambridge: exim/src/src/lookups/ldap.c,v 1.14 2007/01/08 10:50:19 ph10 Exp $ */ - /************************************************* * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2007 */ +/* Copyright (c) University of Cambridge 1995 - 2012 */ /* See the file NOTICE for conditions of use and distribution. */ /* Many thanks to Stuart Lynne for contributing the original code for this @@ -15,20 +13,6 @@ researching how to handle the different kinds of error. */ #include "../exim.h" #include "lf_functions.h" -#include "ldap.h" - - -/* We can't just compile this code and allow the library mechanism to omit the -functions if they are not wanted, because we need to have the LDAP headers -available for compiling. Therefore, compile these functions only if LOOKUP_LDAP -is defined. However, some compilers don't like compiling empty modules, so keep -them happy with a dummy when skipping the rest. Make it reference itself to -stop picky compilers complaining that it is unused, and put in a dummy argument -to stop even pickier compilers complaining about infinite loops. */ - -#ifndef LOOKUP_LDAP -static void dummy(int x) { dummy(x-1); } -#else /* Include LDAP headers. The code below uses some "old" LDAP interfaces that @@ -97,6 +81,7 @@ typedef struct ldap_connection { uschar *password; BOOL bound; int port; + BOOL is_start_tls_called; LDAP *ld; } LDAP_CONNECTION; @@ -295,6 +280,13 @@ if (lcp == NULL) { LDAP *ld; + #ifdef LDAP_OPT_X_TLS_NEWCTX + int am_server = 0; + LDAP *ldsetctx; + #else + LDAP *ldsetctx = NULL; + #endif + /* --------------------------- OpenLDAP ------------------------ */ @@ -380,6 +372,10 @@ if (lcp == NULL) goto RETURN_ERROR; } + #ifdef LDAP_OPT_X_TLS_NEWCTX + ldsetctx = ld; + #endif + /* Set the TCP connect time limit if available. This is something that is in Netscape SDK v4.1; I don't know about other libraries. */ @@ -431,20 +427,121 @@ if (lcp == NULL) if (!ldapi) { int tls_option; + #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + if (eldap_require_cert != NULL) + { + tls_option = LDAP_OPT_X_TLS_NEVER; + if (Ustrcmp(eldap_require_cert, "hard") == 0) + { + tls_option = LDAP_OPT_X_TLS_HARD; + } + else if (Ustrcmp(eldap_require_cert, "demand") == 0) + { + tls_option = LDAP_OPT_X_TLS_DEMAND; + } + else if (Ustrcmp(eldap_require_cert, "allow") == 0) + { + tls_option = LDAP_OPT_X_TLS_ALLOW; + } + else if (Ustrcmp(eldap_require_cert, "try") == 0) + { + tls_option = LDAP_OPT_X_TLS_TRY; + } + DEBUG(D_lookup) + debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n", + tls_option); + } + else + #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */ if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0) { tls_option = LDAP_OPT_X_TLS_HARD; - DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n"); + DEBUG(D_lookup) + debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n"); } else { tls_option = LDAP_OPT_X_TLS_TRY; - DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n"); + DEBUG(D_lookup) + debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n"); } ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option); } #endif /* LDAP_OPT_X_TLS */ + #ifdef LDAP_OPT_X_TLS_CACERTFILE + if (eldap_ca_cert_file != NULL) + { + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_CACERTDIR + if (eldap_ca_cert_dir != NULL) + { + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); + } + #endif + #ifdef LDAP_OPT_X_TLS_CERTFILE + if (eldap_cert_file != NULL) + { + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_KEYFILE + if (eldap_cert_key != NULL) + { + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); + } + #endif + #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE + if (eldap_cipher_suite != NULL) + { + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); + } + #endif + #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + if (eldap_require_cert != NULL) + { + int cert_option = LDAP_OPT_X_TLS_NEVER; + if (Ustrcmp(eldap_require_cert, "hard") == 0) + { + cert_option = LDAP_OPT_X_TLS_HARD; + } + else if (Ustrcmp(eldap_require_cert, "demand") == 0) + { + cert_option = LDAP_OPT_X_TLS_DEMAND; + } + else if (Ustrcmp(eldap_require_cert, "allow") == 0) + { + cert_option = LDAP_OPT_X_TLS_ALLOW; + } + else if (Ustrcmp(eldap_require_cert, "try") == 0) + { + cert_option = LDAP_OPT_X_TLS_TRY; + } + /* This ldap handle is set at compile time based on client libs. Older + * versions want it to be global and newer versions can force a reload + * of the TLS context (to reload these settings we are changing from the + * default that loaded at instantiation). */ + rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); + if (rc) + { + DEBUG(D_lookup) + debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n", + cert_option, ldap_err2string(rc)); + } + } + #endif + #ifdef LDAP_OPT_X_TLS_NEWCTX + rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server); + if (rc) + { + DEBUG(D_lookup) + debug_printf("Unable to reload TLS context %d: %s\n", + rc, ldap_err2string(rc)); + } + #endif + /* Now add this connection to the chain of cached connections */ lcp = store_get(sizeof(LDAP_CONNECTION)); @@ -455,6 +552,7 @@ if (lcp == NULL) lcp->port = port; lcp->ld = ld; lcp->next = ldap_connections; + lcp->is_start_tls_called = FALSE; ldap_connections = lcp; } @@ -481,6 +579,26 @@ if (!lcp->bound || { DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n", (lcp->bound)? "re-" : "", user, password); + if (eldap_start_tls && !lcp->is_start_tls_called) + { +#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS) + /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this. + * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not + * export an ldap_start_tls_s symbol. + */ + if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS) + { + *errmsg = string_sprintf("failed to initiate TLS processing on an " + "LDAP session to server %s%s - ldap_start_tls_s() returned %d:" + " %s", host, porttext, rc, ldap_err2string(rc)); + goto RETURN_ERROR; + } + lcp->is_start_tls_called = TRUE; +#else + DEBUG(D_lookup) + debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n"); +#endif + } if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE)) == -1) { @@ -680,10 +798,10 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) == DEBUG(D_lookup) debug_printf("LDAP attr loop %s:%s\n", attr, value); if (values != firstval) - data = string_cat(data, &size, &ptr, US", ", 2); + data = string_cat(data, &size, &ptr, US",", 1); /* For multiple attributes, the data is in quotes. We must escape - internal quotes, backslashes, newlines. */ + internal quotes, backslashes, newlines, and must double commas. */ if (attr_count != 1) { @@ -692,6 +810,8 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) == { if (value[j] == '\n') data = string_cat(data, &size, &ptr, US"\\n", 2); + else if (value[j] == ',') + data = string_cat(data, &size, &ptr, US",,", 2); else { if (value[j] == '\"' || value[j] == '\\') @@ -701,9 +821,20 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) == } } - /* For single attributes, copy the value verbatim */ + /* For single attributes, just double commas */ + + else + { + int j; + for (j = 0; j < len; j++) + { + if (value[j] == ',') + data = string_cat(data, &size, &ptr, US",,", 2); + else + data = string_cat(data, &size, &ptr, value+j, 1); + } + } - else data = string_cat(data, &size, &ptr, value, len); /* Move on to the next value */ @@ -1196,7 +1327,7 @@ return DEFER; are handled by a common function, with a flag to differentiate between them. The handle and filename arguments are not used. */ -int +static int eldap_find(void *handle, uschar *filename, uschar *ldap_url, int length, uschar **result, uschar **errmsg, BOOL *do_cache) { @@ -1205,7 +1336,7 @@ do_cache = do_cache; return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg)); } -int +static int eldapm_find(void *handle, uschar *filename, uschar *ldap_url, int length, uschar **result, uschar **errmsg, BOOL *do_cache) { @@ -1214,7 +1345,7 @@ do_cache = do_cache; return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg)); } -int +static int eldapdn_find(void *handle, uschar *filename, uschar *ldap_url, int length, uschar **result, uschar **errmsg, BOOL *do_cache) { @@ -1240,7 +1371,7 @@ return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg)); /* See local README for interface description. */ -void * +static void * eldap_open(uschar *filename, uschar **errmsg) { return (void *)(1); /* Just return something non-null */ @@ -1255,7 +1386,7 @@ return (void *)(1); /* Just return something non-null */ /* See local README for interface description. Make sure that eldap_dn does not refer to reclaimed or worse, freed store */ -void +static void eldap_tidy(void) { LDAP_CONNECTION *lcp = NULL; @@ -1265,7 +1396,8 @@ while ((lcp = ldap_connections) != NULL) { DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host, lcp->port); - ldap_unbind(lcp->ld); + if(lcp->bound == TRUE) + ldap_unbind(lcp->ld); ldap_connections = lcp->next; } } @@ -1351,7 +1483,7 @@ quote_ldap_dn, respectively. */ -uschar * +static uschar * eldap_quote(uschar *s, uschar *opt) { register int c; @@ -1470,6 +1602,66 @@ else return quoted; } -#endif /* LOOKUP_LDAP */ + + +/************************************************* +* Version reporting entry point * +*************************************************/ + +/* See local README for interface description. */ + +#include "../version.h" + +void +ldap_version_report(FILE *f) +{ +#ifdef DYNLOOKUP +fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR); +#endif +} + + +static lookup_info ldap_lookup_info = { + US"ldap", /* lookup name */ + lookup_querystyle, /* query-style lookup */ + eldap_open, /* open function */ + NULL, /* check function */ + eldap_find, /* find function */ + NULL, /* no close function */ + eldap_tidy, /* tidy function */ + eldap_quote, /* quoting function */ + ldap_version_report /* version reporting */ +}; + +static lookup_info ldapdn_lookup_info = { + US"ldapdn", /* lookup name */ + lookup_querystyle, /* query-style lookup */ + eldap_open, /* sic */ /* open function */ + NULL, /* check function */ + eldapdn_find, /* find function */ + NULL, /* no close function */ + eldap_tidy, /* sic */ /* tidy function */ + eldap_quote, /* sic */ /* quoting function */ + NULL /* no version reporting (redundant) */ +}; + +static lookup_info ldapm_lookup_info = { + US"ldapm", /* lookup name */ + lookup_querystyle, /* query-style lookup */ + eldap_open, /* sic */ /* open function */ + NULL, /* check function */ + eldapm_find, /* find function */ + NULL, /* no close function */ + eldap_tidy, /* sic */ /* tidy function */ + eldap_quote, /* sic */ /* quoting function */ + NULL /* no version reporting (redundant) */ +}; + +#ifdef DYNLOOKUP +#define ldap_lookup_module_info _lookup_module_info +#endif + +static lookup_info *_lookup_list[] = { &ldap_lookup_info, &ldapdn_lookup_info, &ldapm_lookup_info }; +lookup_module_info ldap_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 }; /* End of lookups/ldap.c */