请问QQ华夏安卓手游脚本辅助制作辅‏助脚‏本挂‏机在哪儿?了‏解过么?
点击联系发帖人
时间:2018-03-24 07:52
源码开发语言/平台
当前位置:
& 查看源码
rlm_ldap.c
rlm_ldap.c:源码内容
&*&rlm_ldap.c&LDAP&authorization&and&authentication&module.
&*&This&module&is&based&on&LDAP&patch&to&Cistron&radiusd&by&James&Golovich&
&*&&&,&which&in&turn&was&based&mostly&on&a&Mysql+Cistron&patch&
&*&from&&&
&*&17&Jan&2000, Adrian&Pavlykevych&&pam@polynet.lviv.ua&
&* -&OpenLDAP&SDK&porting,&basic&TLS&support,&LDAP&authorization,
&* &&fault&tolerance&with&multiple&LDAP&server&support&
&*&24&May&2000, Adrian&Pavlykevych&&pam@polynet.lviv.ua&&
&* -&Converting&to&new&configuration&file&format,&futher&improvements
&* &&in&fault&tolerance,&threaded&operation
&*&12&Dec&2000, Adrian&Pavlykevych&&pam@polynet.lviv.ua&&
&* -&Added&preliminary&support&for&multiple&instances
&*& -&moved&all&instance&configuration&into&dynamicly&allocated&structure
&* -&Removed&connection&maintenance&thread&and&all&attempts&for&multihreading
&* &&the&module&itself.&OpenLDAP&SDK&is¬&thread&safe&when&used&with&shared
&* &&LDAP&connection.
&* -&Added&configuration&option&for&defining&LDAP&attribute&of&user&object,
&* &&which&controls&remote&access.
&*&16&Feb&2001,&Hannu&Laurila&&hannu.laurila@japo.fi&
&*& -&LDAP&-&RADIUS&attribute&mappings&are&now&read&from&a&file
&*&& -&Support&for&generic&RADIUS&check&and&reply&attribute.
&*&Jun&2001,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Fix:&check&and&reply&attributes&from&LDAP&_replace_&existing&ones
&* -&Added&&default_profile&&directive,&which&points&to&radiusProfile&
&* &&object,&which&contains&default&values&for&RADIUS&users
&* -&Added&&profile_attribute&&directive,&which&specifies&user&object&
&* &&attribute&pointing&to&radiusProfile&object.
&*&Nov&2001,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Added&support&for&adding&the&user&password&to&the&check.&Based&on
&* &&the&password_header&directive&rlm_ldap&will&strip&the
&* &&password&header&if&needed.&This&will&make&support&for&CHAP&much&easier.
&* -&Added&module&messages&when&we&reject&a&user.
&* -&Added&ldap_groupcmp&to&allow&searching&for&user&group&membership.
&* -&Added&ldap_xlat&to&allow&ldap&urls&in&xlat&strings.&Something&like:
&* &&%{ldap:ldap:///dc=company,dc=com?cn?sub?uid=user}
&*&Nov&2001,&Gordon&Tetlow&&gordont@gnf.org&
&* -&Do&an&xlat&on&the&access_group&attribute.
&*&Dec&2001,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Added&ldap&caching&for&the&default/regular&profiles&and&group&entries.
&* -&Fixed&a&memory&leak&in&ldap_xlat.
&* -&Removed&dict_attrbyname&from&ldap_pairget.&They&are¬&needed.
&* -&Moved&the&radius_xlat's&for&filter&and&basedn&in&ldap_authenticate()&to
&* &&the&right&place.
&* -&Made&the&module&thread&safe.&We&create&a&connection&pool&and&each&thread
&* &&will&call&ldap_get_conn&to&lock&one&of&the&ldap&connections&and&release&with
&* &&a&call&to&ldap_release_conn&when&it&has&finished.
&* -&Request&only&the&user&attributes&that&interest&us&(radius&attributes,regular
&* &&profile,user&password&and&access&attribute).
&*&Mar&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Fixed&a&bug&where&the&ldap&server&will&kill&the&idle&connections&from&the&ldap
&* &&connection&pool.&We&now&check&if&ldap_search&returns&LDAP_SERVER_DOWN&and&try&to
&* &&reconnect&if&it&does.&Bug¬ed&by&Dan&Perik&&dan_perik-work@ntm.org.pg&
&*&May&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Instead&of&the&Group&attribute&we&now&have&the&Ldap-Group&attribute,&to&avoid
&* &&collisions&with&other&modules
&* -&If&perform_search&fails&check&the&ld&!=&NULL&before&using&it.&Based&on&a&bug&report
&* &&by&John&&&
&*&Jun&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Add&the&ability&to&do&a&paircmp&on&the&check&items.&Add&a&compare_check_items&boolean
&* &&configuration&directive&which&defaults&to&no.&If&it&is&set&then&we&will&do&a&compare
&* -&Add&another&configuration&directive.&access_attr_used_for_allow.&If&it&is&set&to&yes
&* &&then&the&access_attr&will&be&used&to&allow&user&access.&If&it&is&set&to&no&then&it&will
&* &&be&used&to&deny&user&access.
&* -&Remember&to&free&inst-&atts&in&ldap_detach()
&* -&Add&a&forgotten&ldap_free_urldesc&in&ldap_xlat()
&* -&Add&a&variable&locked&in&the&LDAP_CONN&structure.&We&use&this&to&avoid&deadlocks.&The&mutex
&* &&we&are&using&is&of&type&fast&and&can&deadlock&if&the&same&thread&tries&to&relock&it.&That
&* &&could&happen&in&case&of&calls&to&xlat.
&* -&When&ldap_search&returns&NO_SUCH_OBJECT&don't&return&fail&but¬found
&*&Jul&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Fix&the&logic&when&we&get&an&LDAP_SERVER_DOWN&or&we&have&conn-&ld&==&NULL&in&perform_search
&* -&Try&to&minimize&the&penalty&of&having&the&ldap&server&go&down.&The&comments&before
&* &&MAX_FAILED_CONNS_*&definitions&should&explain&things.
&* -&Check&for&a&number&of&error&codes&from&ldap_search&and&log&corresponding&error&messages
&* &&We&should&only&reconnect&when&that&can&help&things.
&* -&In&ldap_groupcmp&instead&of&first&searching&for&the&group&object&and&then&checking&user
&* &&group&membership&combine&them&in&one&ldap&search&operation.&That&should&make&group
&* &&membership&checks&a&lot&faster.
&* -&Remember&to&do&ldap_release_conn&and&ldap_msgfree&when&we&do&paircmp&and&the&result&is&reject
&*&Aug&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Add&support&for&group&membership&attribute&inside&the&user&entry&in&ldap_groupcmp.&The&attribute
&* &&can&either&contain&the&name&or&the&DN&of&the&group.&Added&the&groupmembership_attribute
&* &&configuration&directive
&* -&Move&the&ldap_{get,release}_conn&in&ldap_groupcmp&so&that&we&hold&a&connection&for&the&minimum&time.
&* -&Now&that&ldap_groupcmp&is&complete&we&really&don't&need&access_group.&Removed&it.
&* -&Remember&to&free&groupmembership_attribute&in&ldap_detach
&* -&Don't&delete&existing&generic&attributes&in&ldap_pairget&when&adding&new&ones.&Since&generic&attributes
&* &&have&operators&we&don't&need&to&try&to&be&cleaver.
&*&Sep&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Fix&a&crash&in&ldap_pairget&when&the&attribute&value&is&larger&than&the&buffer&size
&* &&Bug&report&by&Stefan&Radovanovici&&&
&* -&If&we&add&a&check&item&then&use&the&==&operator.&Based&on&an&idea&by&Allister&Maguire&&.nz&
&* -&Only&add&a&failure&message&for&bind&as&user&failed&in&ldap_authenticate&if&the&result&of&ldap_connect&was
&* &&RLM_MODULE_REJECT
&* -&Make&tls_mode&a&configurable&option.&Patch&from&John&&&
&* -&Allow&multiple®ular&profiles&for&an&entry
&*&Oct&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Disable&cache&after&searching&for&the&default&profile
&* -&Use&the&MAX_FAILED_CONNS_*&in&ldap_authenticate()&when&calling&ldap_connect()
&*&Nov&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Set&LDAP&version&to&V3&before&binding.&Now&freeradius&should&work&with&openldap21
&*&Dec&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Set&default&values&for&the&server&and&basedn¶meters
&*&Feb&2003,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Add&support&for&ldap_initialize.&That&way&we&can&specify&the&server&as&an&ldap&url.
&* &&Based&on&ideas&from&Derrik&Pates&&&
&*&Mar&2003,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&*& -&Add&an&ldap_escape_func.&Escape&the&*&character&from&the&filter&so&that&we&can&avoid
&*& &&the&trivial&DoS&of&username=*
&*& -&Remove&the&caching&code.&It&does¬&exist&in&openldap21.
&* &&Based&on&a&report&from&Mike&Denka&&&
&*&May&2003,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Don't&do&a&double&free&on&the&attribute&maps.&Bug¬ed&by&Derrik&Pates&&&
&* -&Apply&a&patch&from&Alexander&M.&Pravking&&fduch@antar.bryansk.ru&&to&do&an&xlat&on&the
&* &&retrieved&attributes.
static&const&char&rcsid[]&=&&$Id:&rlm_ldap.c,v&1.108&&19:07:08&aland&Exp&$&;
#include&&autoconf.h&
#include &sys/types.h&
#include &sys/socket.h&
#include &sys/time.h&
#include &netinet/in.h&
#include &stdio.h&
#include &stdlib.h&
#include &netdb.h&
#include &pwd.h&
#include &time.h&
#include &ctype.h&
#include &string.h&
#include &lber.h&
#include&&&&&&&&&ldap.h&
#include &errno.h&
#include &unistd.h&
#include &pthread.h&
#include&&&&&&&&&libradius.h&
#include &radiusd.h&
#include &conffile.h&
#include &modules.h&
#include &rad_assert.h&
#define&MAX_FILTER_STR_LEN 1024
#define&TIMELIMIT&5
&*&These&are&used&in&case&ldap_search&returns&LDAP_SERVER_DOWN
&*&In&that&case&we&do&conn-&failed_conns++&and&then&check&it:
&*&If&conn-&failed_conns&&=&MAX_FAILED_CONNS_START&then&we&try
&*&to&reconnect
&*&conn-&failed_conns&is&also&checked&on&entrance&in&perform_search:
&*&If&conn-&failed_conns&&&MAX_FAILED_CONNS_START&then&we&don't
&*&try&to&do&anything&and&we&just&do&conn-&failed_conns++&and
&*&return&RLM_MODULE_FAIL
&*&if&conn-&failed_conns&&=&MAX_FAILED_CONNS_END&then&we&give&it
&*&another&chance&and&we&set&it&to&MAX_FAILED_CONNS_RESTART&and
&*&try&to&reconnect.
&*&We&are&assuming&that&the&majority&of&the&LDAP_SERVER_DOWN&cases
&*&will&either&be&an&ldap&connection&timeout&or&a&temporary&ldap
&*&server&problem.
&*&As&a&result&we&make&a&few&attempts&to&reconnect&hoping&that&the&problem
&*&will&soon&go&away.&If&it&does¬&go&away&then&we&just&return
&*&RLM_MODULE_FAIL&on&entrance&in&perform_search&until&conn-&failed_conns
&*&gets&to&MAX_FAILED_CONNS_END.&After&that&we&give&it&one&more&chance&by
&*&going&back&to&MAX_FAILED_CONNS_RESTART
#define&MAX_FAILED_CONNS_END
#define&MAX_FAILED_CONNS_RESTART 4
#define&MAX_FAILED_CONNS_START
/*&linked&list&of&mappings&between&RADIUS&attributes&and&LDAP&attributes&*/
struct&TLDAP_RADIUS&{
char*&&&&&&&&&&&&&&&&&
char*&&&&&&&&&&&&&&&&&radius_
struct&TLDAP_RADIUS*&&
typedef&struct&TLDAP_RADIUS&TLDAP_RADIUS;
typedef&struct&ldap_conn&{
pthread_mutex_t
}&LDAP_CONN;
typedef&struct&{
char&&&&&&&&&&&*
int&&&&&&&&&&&&&
int&&&&&&&&&&&&&
struct&timeval&&net_
struct&timeval&&
int&&&&&&&&&&&&&
int&&&&&&&&&&&&&tls_
char&&&&&&&&&&&*
char&&&&&&&&&&&*
char&&&&&&&&&&&*
char&&&&&&&&&&&*
char&&&&&&&&&&&*default_
char&&&&&&&&&&&*profile_
char&&&&&&&&&&&*access_
char&&&&&&&&&&&*passwd_
char&&&&&&&&&&&*passwd_
char&&&&&&&&&&&*dictionary_
char &&&&&&&*groupname_
char &&&&&&&*groupmemb_
char&&&&&&&&&&&*groupmemb_
TLDAP_RADIUS&&&*check_item_
TLDAP_RADIUS&&&*reply_item_
LDAP_CONN *
int&&&&&&&&&&&&&ldap_&/*&Debug&flag&for&LDAP&SDK&*/
*xlat_&/*&name&used&to&xlat&*/
}&&&&&&&&&&&&&&&ldap_
static&CONF_PARSER&module_config[]&=&{
{&server&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,server),&NULL,&&localhost&},
{&port&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,port),&NULL,&&389&},
/*&wait&forever&on&network&activity&*/
{&net_timeout&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,net_timeout.tv_sec),&NULL,&&10&},
/*&wait&forever&for&search&results&*/
{&timeout&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,timeout.tv_sec),&NULL,&&20&},
/*&allow&server&unlimited&time&for&search&(server-side&limit)&*/
{&timelimit&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,timelimit),&NULL,&&20&},
{&identity&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,login),&NULL,&&&},
{&start_tls&,&PW_TYPE_BOOLEAN,&offsetof(ldap_instance,start_tls),&NULL,&&no&},
{&password&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,password),&NULL,&&&},
{&basedn&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,basedn),&NULL,&&o=notexist&},
{&filter&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,filter),&NULL,&&(uid=%u)&},
{&default_profile&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,default_profile),&NULL,&NULL},
{&profile_attribute&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,profile_attr),&NULL,&NULL},
{&password_header&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,passwd_hdr),&NULL,&NULL},
{&password_attribute&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,passwd_attr),&NULL,&NULL},
/*&LDAP&attribute&name&that&controls&remote&access&*/
{&access_attr&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,access_attr),&NULL,&NULL},
/*&file&with&mapping&between&LDAP&and&RADIUS&attributes&*/
{&groupname_attribute&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,groupname_attr),&NULL,&&cn&},
{&groupmembership_filter&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,groupmemb_filt),&NULL,&&(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))&},
{&groupmembership_attribute&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,groupmemb_attr),&NULL,&NULL},
{&dictionary_mapping&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,dictionary_mapping),&NULL,&&${confdir}/ldap.attrmap&},
{&ldap_debug&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,ldap_debug),&NULL,&&0x0000&},
{&ldap_connections_number&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,num_conns),&NULL,&&5&},
{&compare_check_items&,&PW_TYPE_BOOLEAN,&offsetof(ldap_instance,do_comp),&NULL,&&no&},
{&access_attr_used_for_allow&,&PW_TYPE_BOOLEAN,&offsetof(ldap_instance,default_allow),&NULL,&&yes&},
{NULL,&-1,&0,&NULL,&NULL}
#define&ld_valid&&&&&&&&&&&&&&&&ld_options.ldo_valid
#define&LDAP_VALID_SESSION&&&&&&0x2
#define&LDAP_VALID(ld)&&(&(ld)-&ld_valid&==&LDAP_VALID_SESSION&)
#ifdef&FIELDCPY
static&void&&&&&fieldcpy(char&*,&char&**);
static&VALUE_PAIR&*ldap_pairget(LDAP&*,&LDAPMessage&*,&TLDAP_RADIUS&*,VALUE_PAIR&**,char);
static&int&ldap_groupcmp(void&*,&REQUEST&*,&VALUE_PAIR&*,&VALUE_PAIR&*,&VALUE_PAIR&*,&VALUE_PAIR&**);
static&int&ldap_xlat(void&*,REQUEST&*,&char&*,&char&*,int,&RADIUS_ESCAPE_STRING);
static&LDAP&&&&*ldap_connect(void&*instance,&const&char&*,&const&char&*,&int,&int&*);
static&int&&&&&read_mappings(ldap_instance*&inst);
static&inline&int&ldap_get_conn(LDAP_CONN&*conns,LDAP_CONN&**ret,void&*instance)
ldap_instance&*inst&=&
register&int&i&=&0;
for(;i&inst-&num_i++){
if&(conns[i].locked&==&0&&&&pthread_mutex_trylock(&(conns[i].mutex))&==&0){
*ret&=&&conns[i];
conns[i].locked&=&1;
DEBUG(&ldap_get_conn:&Got&Id:&%d&,i);
return&-1;
static&inline&void&ldap_release_conn(int&i,&LDAP_CONN&*conns)
DEBUG(&ldap_release_conn:&Release&Id:&%d&,i);
conns[i].locked&=&0;
pthread_mutex_unlock(&(conns[i].mutex));
/*************************************************************************
&* Function:&rlm_ldap_instantiate
&* Purpose:&Uses§ion&of&radiusd&config&file&passed&as¶meter
&to&create&an&instance&of&the&module.
&*************************************************************************/
static&int&
ldap_instantiate(CONF_SECTION&*&conf,&void&**instance)
ldap_instance&&*
int&i&=&0;
int&atts_num&=&0;
int&reply_map_num&=&0;
int&check_map_num&=&0;
int&att_map[3]&=&{0,0,0};
TLDAP_RADIUS&*
char&*xlat_
inst&=&rad_malloc(sizeof&*inst);
if&(!inst)&{
return&-1;
memset(inst,&0,&sizeof(*inst));
if&(cf_section_parse(conf,&inst,&module_config)&&&0)&{
free(inst);
return&-1;
if&(inst-&server&==&NULL)&{
radlog(L_ERR,&&rlm_ldap:&missing&'server'&directive.&);
free(inst);
return&-1;
inst-&is_url&=&0;
#ifdef&HAVE_LDAP_INITIALIZE
if&(ldap_is_ldap_url(inst-&server)){
inst-&is_url&=&1;
inst-&port&=&0;
inst-&timeout.tv_usec&=&0;
inst-&net_timeout.tv_usec&=&0;
/*&workaround&for&servers&which&support&LDAPS&but¬&START&TLS&*/
if(inst-&port&==&LDAPS_PORT)
inst-&tls_mode&=&LDAP_OPT_X_TLS_HARD;
inst-&tls_mode&=&0;
inst-&reply_item_map&=&NULL;
inst-&check_item_map&=&NULL;
inst-&conns&=&NULL;
inst-&failed_conns&=&0;
paircompare_register(PW_LDAP_GROUP,&PW_USER_NAME,&ldap_groupcmp,&inst);
DEBUG(&conns:&%p&,inst-&conns);
xlat_name&=&cf_section_name2(conf);
if&(xlat_name&==&NULL)&{
xlat_name&=&cf_section_name1(conf);
rad_assert(xlat_name&!=&NULL);&/*&or&all&hell&breaks&loose&*/
inst-&xlat_name&=&strdup(xlat_name);
xlat_register(xlat_name,ldap_xlat,inst);
if&(inst-&num_conns&&=&0){
radlog(L_ERR,&&rlm_ldap:&Invalid&ldap&connections&number&passed.&);
free(inst);
return&-1;
inst-&conns&=&(LDAP_CONN&*)malloc(sizeof(LDAP_CONN)*inst-&num_conns);
if&(inst-&conns&==&NULL){
radlog(L_ERR,&&rlm_ldap:&Could¬&allocate&memory.&Aborting.&);
free(inst);
return&-1;
for(;i&inst-&num_i++){
inst-&conns[i].bound&=&0;
inst-&conns[i].locked&=&0;
inst-&conns[i].failed_conns&=&0;
inst-&conns[i].ld&=&NULL;
pthread_mutex_init(&inst-&conns[i].mutex,&NULL);
if&(read_mappings(inst)&!=&0)&{
radlog(L_ERR,&&rlm_ldap:&Reading&dictionary&mappings&from&file&%s&failed&,
&&&&&&&inst-&dictionary_mapping);
radlog(L_ERR,&&rlm_ldap:&Proceeding&with&no&mappings&);
pair&=&inst-&check_item_
while(pair&!=&NULL){
atts_num++;
pair&=&pair-&
check_map_num&=&(atts_num&-&1);
pair&=&inst-&reply_item_
while(pair&!=&NULL){
atts_num++;
pair&=&pair-&
reply_map_num&=&(atts_num&-&1);
if&(inst-&profile_attr)
atts_num++;
if&(inst-&passwd_attr)
atts_num++;
if&(inst-&access_attr)
atts_num++;
inst-&atts&=&(char&**)malloc(sizeof(char&*)*(atts_num&+&1));
if&(inst-&atts&==&NULL){
radlog(L_ERR,&&rlm_ldap:&Could¬&allocate&memory.&Aborting.&);
free(inst);
return&-1;
pair&=&inst-&check_item_
for(i=0;i&atts_i++){
if&(i&&=&check_map_num&){
inst-&atts[i]&=&pair-&
if&(i&==&check_map_num)
pair&=&inst-&reply_item_
pair&=&pair-&
else&if&(i&&=&reply_map_num){
inst-&atts[i]&=&pair-&
pair&=&pair-&
if&(inst-&profile_attr&&&&!att_map[0]){
inst-&atts[i]&=&inst-&profile_
att_map[0]&=&1;
else&if&(inst-&passwd_attr&&&&!att_map[1]){
inst-&atts[i]&=&inst-&passwd_
att_map[1]&=&1;
else&if&(inst-&access_attr&&&&!att_map[2]){
inst-&atts[i]&=&inst-&access_
att_map[2]&=&1;
inst-&atts[atts_num]&=&NULL;
DEBUG(&conns:&%p&,inst-&conns);
*instance&=&
&*&read_mappings(...)&reads&a&ldap&-&radius&mappings&file&to&inst-&reply_item_map&and&inst-&check_item_map
#define&MAX_LINE_LEN&160
#define&GENERIC_ATTRIBUTE_ID&&$GENERIC$&
static&int
read_mappings(ldap_instance*&inst)
/*&all&buffers&are&of&MAX_LINE_LEN&so&we&can&use&sscanf&without&being&afraid&of&buffer&overflows&*/
char&buf[MAX_LINE_LEN],&itemType[MAX_LINE_LEN],&radiusAttribute[MAX_LINE_LEN],&ldapAttribute[MAX_LINE_LEN];
/*&open&the&mappings&file&for&reading&*/
filename&=&inst-&dictionary_
DEBUG(&rlm_ldap:&reading&ldap&-&radius&mappings&from&file&%s&,&filename);
mapfile&=&fopen(filename,&&r&);
if&(mapfile&==&NULL)&{
radlog(L_ERR,&&rlm_ldap:&Opening&file&%s&failed&,&filename);
return&-1;&/*&error&*/
/*&read&file&line&by&line.&Note&that&if&line&length&exceed&MAX_LINE_LEN,&line&numbers&will&be&mixed&up&*/
linenumber&=&0;
while&(fgets(buf,&sizeof&buf,&mapfile)!=NULL)&{
int&token_
TLDAP_RADIUS*&
linenumber++;
/*&strip&comments&*/
ptr&=&strchr(buf,&'#');
if&(ptr)&*ptr&=&0;
/*&empty&line&*/
if&(buf[0]&==&0)&
/*&extract&tokens&from&the&string&*/
token_count&=&sscanf(buf,&&%s&%s&%s&,&itemType,&radiusAttribute,&ldapAttribute);
if&(token_count&&=&0)&/*&no&tokens&*/
if&(token_count&!=&3)&{
radlog(L_ERR,&&rlm_ldap:&Skipping&%s&line&%i:&%s&,&filename,&linenumber,&buf);
radlog(L_ERR,&&rlm_ldap:&Expected&3&tokens&&
&&&&&&&&(Item&type,&RADIUS&Attribute&and&LDAP&Attribute)&but&found&only&%i&,&token_count);
/*&create&new&TLDAP_RADIUS&list&node&*/
pair&=&rad_malloc(sizeof(TLDAP_RADIUS));
pair-&attr&=&strdup(ldapAttribute);
pair-&radius_attr&=&strdup(radiusAttribute);
if&(&(pair-&attr&==&NULL)&||&(pair-&radius_attr&==&NULL)&)&{
radlog(L_ERR,&&rlm_ldap:&Out&of&memory&);
if&(pair-&attr)&free(pair-&attr);
if&(pair-&radius_attr)&free(pair-&radius_attr);
free(pair);
fclose(mapfile);
return&-1;
/*&push&node&to&correct&list&*/
if&(strcasecmp(itemType,&&checkItem&)&==&0)&{
pair-&next&=&inst-&check_item_
inst-&check_item_map&=&
}&else&if&(strcasecmp(itemType,&&replyItem&)&==&0)&{
pair-&next&=&inst-&reply_item_
inst-&reply_item_map&=&
radlog(L_ERR,&&rlm_ldap:&file&%s:&skipping&line&%i:&unknown&itemType&%s&,&
&&&&&&&filename,&linenumber,&itemType);
free(pair-&attr);
free(pair-&radius_attr);
free(pair);
DEBUG(&rlm_ldap:&LDAP&%s&mapped&to&RADIUS&%s&,
&&&&&&pair-&attr,&pair-&radius_attr);
fclose(mapfile);
return&0;&/*&success&*/
static&int&
perform_search(void&*instance,&LDAP_CONN&*conn,&char&*search_basedn,&int&scope,&char&*filter,&
char&**attrs,&LDAPMessage&**&result)
int&&&&&&&&&&&&&res&=&RLM_MODULE_OK;
ldap_errno&=&0;
ldap_instance&&*inst&=&
search_retry&=&0;
*result&=&NULL;
if&(!conn){
radlog(L_ERR,&&rlm_ldap:&NULL&connection&handle&passed&);
return&RLM_MODULE_FAIL;
if&(conn-&failed_conns&&&MAX_FAILED_CONNS_START){
conn-&failed_conns++;
if&(conn-&failed_conns&&=&MAX_FAILED_CONNS_END){
conn-&failed_conns&=&MAX_FAILED_CONNS_RESTART;
conn-&bound&=&0;
if&(!conn-&bound&||&conn-&ld&==&NULL)&{
DEBUG2(&rlm_ldap:&attempting&LDAP&reconnection&);
if&(conn-&ld){
DEBUG2(&rlm_ldap:&closing&existing&LDAP&connection&);
ldap_unbind_s(conn-&ld);
if&((conn-&ld&=&ldap_connect(instance,&inst-&login,&inst-&password,&0,&&res))&==&NULL)&{
radlog(L_ERR,&&rlm_ldap:&(re)connection&attempt&failed&);
if&(search_retry&==&0)
conn-&failed_conns++;
return&(RLM_MODULE_FAIL);
conn-&bound&=&1;
conn-&failed_conns&=&0;
DEBUG2(&rlm_ldap:&performing&search&in&%s,&with&filter&%s&,&search_basedn&?&search_basedn&:&&(null)&&,&filter);
switch&(ldap_search_st(conn-&ld,&search_basedn,&scope,&filter,&attrs,&0,&&(inst-&timeout),&result))&{
case&LDAP_SUCCESS:
case&LDAP_NO_SUCH_OBJECT:
case&LDAP_SERVER_DOWN:
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&LDAP&connection&lost.&);
conn-&failed_conns++;
if&(search_retry&==&0){
if&(conn-&failed_conns&&=&MAX_FAILED_CONNS_START){
radlog(L_INFO,&&rlm_ldap:&Attempting&reconnect&);
search_retry&=&1;
conn-&bound&=&0;
ldap_msgfree(*result);
ldap_msgfree(*result);
return&RLM_MODULE_FAIL;
case&LDAP_INSUFFICIENT_ACCESS:
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&Insufficient&access.&Check&the&identity&and&password&configuration&directives.&);
ldap_msgfree(*result);
return&RLM_MODULE_FAIL;
case&LDAP_TIMEOUT:
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&Timed&out&while&waiting&for&server&to&respond.&Please&increase&the&timeout.&);
ldap_msgfree(*result);
return&RLM_MODULE_FAIL;
case&LDAP_TIMELIMIT_EXCEEDED:
case&LDAP_BUSY:
case&LDAP_UNAVAILABLE:
/*&We&don't&need&to&reconnect&in&these&cases&so&we&don't&set&conn-&bound&*/
ldap_get_option(conn-&ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&%s&,&ldap_err2string(ldap_errno));
ldap_msgfree(*result);
return&(RLM_MODULE_FAIL);
ldap_get_option(conn-&ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&%s&,&ldap_err2string(ldap_errno));
conn-&bound&=&0;
ldap_msgfree(*result);
return&(RLM_MODULE_FAIL);
if&((ldap_count_entries(conn-&ld,&*result))&!=&1)&{
DEBUG(&rlm_ldap:&object¬&found&or&got&ambiguous&search&result&);
res&=&RLM_MODULE_NOTFOUND;
ldap_msgfree(*result);
&* Translate&the&LDAP&queries.
static&int&ldap_escape_func(char&*out,&int&outlen,&const&char&*in)
int&len&=&0;
while&(in[0])&{
&*&&Only&one&byte&left.
if&(outlen&&=&1)&{
if&(strchr(&*&,&*in))&{
&* Else&it's&a&nice&character.
*out&=&'�';
&*&ldap_groupcmp().&Implement&the&Ldap-Group&==&&group&&filter
static&int&ldap_groupcmp(void&*instance,&REQUEST&*req,&VALUE_PAIR&*request,&VALUE_PAIR&*check,
&&&&&&&&&&&&&&&&VALUE_PAIR&*check_pairs,&VALUE_PAIR&**reply_pairs)
&&&&&&&&char&&&&&&&&&&&&filter[MAX_FILTER_STR_LEN];
&&&&&&&&char&&&&&&&&&&&&gr_filter[MAX_FILTER_STR_LEN];
&&&&&&&&int&&&&&&&&&&&&&
&&&&&&&&LDAPMessage&&&&&*result&=&NULL;
&&&&&&&&LDAPMessage&&&&&*msg&=&NULL;
&&&&&&&&char&&&&&&&&&&&&basedn[MAX_FILTER_STR_LEN];
*attrs[]&=&{&dn&,NULL};
&&&&&&&&ldap_instance&&&*inst&=&
*group_attrs[]&=&{inst-&groupmemb_attr,NULL};
LDAP_CONN *
conn_id&=&-1;
VALUE_PAIR *vp_user_
VALUE_PAIR&&&&&&**request_
request_pairs&=&&req-&packet-&
DEBUG(&rlm_ldap:&Entering&ldap_groupcmp()&);
if&(check-&strvalue&==&NULL&||&check-&length&==&0){
&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&Illegal&group&name&);
&&&&&&&&&&&&&&&&return&1;
&&&&&&&&if&(req&==&NULL){
&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&NULL&request&);
&&&&&&&&&&&&&&&&return&1;
&&&&&&&&if&(!radius_xlat(basedn,&sizeof(basedn),&inst-&basedn,&req,&NULL))&{
&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&unable&to&create&basedn.&);
&&&&&&&&&&&&&&&&return&1;
&&&&&&&&while((vp_user_dn&=&pairfind(*request_pairs,&PW_LDAP_USERDN))&==&NULL){
&&&&&&&&&&&&&&&&char&&&&&&&&&&&&*user_dn&=&NULL;
&&&&&&&&&&&&&&&&if&(!radius_xlat(filter,&sizeof(filter),&inst-&filter,
req,&ldap_escape_func)){
&&&&&&&&&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&unable&to&create&filter&);
&&&&&&&&&&&&&&&&&&&&&&&&return&1;
&&&&&&&&&&&&&&&&}
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
&&&&&&&&&&&&&&&&if&((res&=&perform_search(inst,&conn,&basedn,&LDAP_SCOPE_SUBTREE,
filter,&attrs,&&result))&!=&RLM_MODULE_OK){
&&&&&&&&&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&search&failed&);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&&&&&&&&&&&&&&&&&return&1;
&&&&&&&&&&&&&&&&}
&&&&&&&&&&&&&&&&if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL)&{
&&&&&&&&&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&ldap_first_entry()&failed&);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&&&&&&&&&&&&&&&&&ldap_msgfree(result);
&&&&&&&&&&&&&&&&&&&&&&&&return&1;
&&&&&&&&&&&&&&&&}
&&&&&&&&&&&&&&&&if&((user_dn&=&ldap_get_dn(conn-&ld,&msg))&==&NULL)&{
&&&&&&&&&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap:ldap_groupcmp::&ldap_get_dn()&failed&);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&&&&&&&&&&&&&&&&&ldap_msgfree(result);
&&&&&&&&&&&&&&&&&&&&&&&&return&1;
&&&&&&&&&&&&&&&&}
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&&&&&&&&&/*
&&&&&&&&&&&&&&&&*&Adding&new&attribute&containing&DN&for&LDAP&object&associated&with
&&&&&&&&&&&&&&&&*&given&username
&&&&&&&&&&&&&&&&*/
&&&&&&&&&&&&&&&&pairadd(request_pairs,&pairmake(&Ldap-UserDn&,&user_dn,&T_OP_EQ));
&&&&&&&&&&&&&&&&ldap_memfree(user_dn);
&&&&&&&&&&&&&&&&ldap_msgfree(result);
&&&&&&&&if(!radius_xlat(gr_filter,&sizeof(gr_filter),&inst-&groupmemb_filt,&req,&NULL)){
&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&unable&to&create&filter.&);
&&&&&&&&&&&&&&&&return&1;
if&(strchr((char&*)check-&strvalue,',')&!=&NULL)&{
/*&This&looks&like&a&DN&*/
snprintf(filter,sizeof(filter),&&%s&,gr_filter);
snprintf(basedn,sizeof(basedn),&&%s&,(char&*)check-&strvalue);
snprintf(filter,sizeof(filter),&&(&(%s=%s)%s)&,inst-&groupname_attr,(char&*)check-&strvalue,gr_filter);
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
if&((res&=&perform_search(inst,&conn,&basedn,&LDAP_SCOPE_SUBTREE,
filter,&attrs,&&result))&==&RLM_MODULE_OK){
DEBUG(&rlm_ldap::ldap_groupcmp:&User&found&in&group&%s&,
(char&*)check-&strvalue);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&& return&0;
ldap_release_conn(conn_id,inst-&conns);
if&(res&!=&RLM_MODULE_NOTFOUND&)&{
DEBUG(&rlm_ldap::ldap_groupcmp:&Search&returned&error&);
if&(inst-&groupmemb_attr&==&NULL){
/*&search&returned&NOTFOUND&and&searching&for&membership&
&*&using&user&object&attributes&is¬&specified&in&config
DEBUG(&rlm_ldap::ldap_groupcmp:&Group&%s¬&found&or&user&is¬&a&member.&,(char&*)check-&strvalue);
snprintf(filter,sizeof(filter),&&(objectclass=*)&);
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&Add&ldap&connections&are&in&use&);
if&((res&=&perform_search(inst,&conn,&vp_user_dn-&strvalue,&LDAP_SCOPE_BASE,
filter,&group_attrs,&result))&!=&RLM_MODULE_OK){
DEBUG(&rlm_ldap::ldap_groupcmp:&Search&returned&error&);
ldap_release_conn(conn_id,&inst-&conns);
if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL)&{
DEBUG(&rlm_ldap::ldap_groupcmp:&ldap_first_entry()&failed&);
ldap_release_conn(conn_id,inst-&conns);
ldap_msgfree(result);
if&((vals&=&ldap_get_values(conn-&ld,&msg,&inst-&groupmemb_attr))&!=&NULL)&{
unsigned&int&i&=&0;
char&found&=&0;
for&(;i&&&ldap_count_values(vals);i++){
if&(strchr(vals[i],',')&!=&NULL){&
/*&This&looks&like&a&DN&*/
LDAPMessage&*gr_result&=&NULL;
snprintf(filter,sizeof(filter),&&(%s=%s)&,
inst-&groupname_attr,
(char&*)check-&strvalue);
if&((res&=&perform_search(inst,&conn,&vals[i],
LDAP_SCOPE_BASE,&filter,
attrs,&&gr_result))&!=&RLM_MODULE_OK){
if&(res&!=&RLM_MODULE_NOTFOUND){
DEBUG(&rlm_ldap::ldap_groupcmp:&
Search&returned&error&);
ldap_value_free(vals);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
ldap_msgfree(gr_result);
found&=&1;
if&(strcmp(vals[i],(char&*)check-&strvalue)&==&0){
found&=&1;
ldap_value_free(vals);
ldap_msgfree(result);
if&(found&==&0){
DEBUG(&rlm_ldap::groupcmp:&Group&%s¬&found&
or&user¬&a&member&,
(char&*)check-&strvalue);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap::ldap_groupcmp:&ldap_get_values()&failed&);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap::ldap_groupcmp:&User&found&in&group&%s&,(char&*)check-&strvalue);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&return&0;
&*&ldap_xlat()
&*&Do&an&xlat&on&an&LDAP&URL
static&int&ldap_xlat(void&*instance,&REQUEST&*request,&char&*fmt,&char&*out,&int&freespace,
RADIUS_ESCAPE_STRING&func)
char&url[MAX_FILTER_STR_LEN];
int&ret&=&0;
ldap_instance&*inst&=&
LDAPURLDesc&*ldap_
LDAPMessage&*result&=&NULL;
LDAPMessage&*msg&=&NULL;
int&conn_id&=&-1;
LDAP_CONN&*
DEBUG(&rlm_ldap:&-&ldap_xlat&);
if&(!radius_xlat(url,&sizeof(url),&fmt,&request,&func))&{
radlog&(L_ERR,&&rlm_ldap:&Unable&to&create&LDAP&URL.n&);
if&(!ldap_is_ldap_url(url)){
radlog&(L_ERR,&&rlm_ldap:&String&passed&does¬&look&like&an&LDAP&URL.n&);
if&(ldap_url_parse(url,&ldap_url)){
radlog&(L_ERR,&&rlm_ldap:&LDAP&URL&parse&failed.n&);
if&(ldap_url-&lud_attrs&==&NULL&||&ldap_url-&lud_attrs[0]&==&NULL&||&
(&ldap_url-&lud_attrs[1]&!=&NULL&||&(&!&strlen(ldap_url-&lud_attrs[0])&||&
!&strcmp(ldap_url-&lud_attrs[0],&*&)&)&)&){
radlog&(L_ERR,&&rlm_ldap:&Invalid&Attribute(s)&request.n&);
ldap_free_urldesc(ldap_url);
if&(ldap_url-&lud_host){
if&(strncmp(inst-&server,ldap_url-&lud_host,strlen(inst-&server))&!=&0&||&
ldap_url-&lud_port&!=&inst-&port){
DEBUG(&rlm_ldap:&Requested&server/port&is¬&known&to&this&module&instance.&);
ldap_free_urldesc(ldap_url);
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
ldap_free_urldesc(ldap_url);
if&((res&=&perform_search(inst,&conn,&ldap_url-&lud_dn,&ldap_url-&lud_scope,&ldap_url-&lud_filter,&ldap_url-&lud_attrs,&&result))&!=&RLM_MODULE_OK){
if&(res&==&RLM_MODULE_NOTFOUND){
DEBUG(&rlm_ldap:&Search&returned¬&found&);
ldap_free_urldesc(ldap_url);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap:&Search&returned&error&);
ldap_free_urldesc(ldap_url);
ldap_release_conn(conn_id,inst-&conns);
if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL){
DEBUG(&rlm_ldap:&ldap_first_entry()&failed&);
ldap_msgfree(result);
ldap_free_urldesc(ldap_url);
ldap_release_conn(conn_id,inst-&conns);
if&((vals&=&ldap_get_values(conn-&ld,&msg,&ldap_url-&lud_attrs[0]))&!=&NULL)&{
ret&=&strlen(vals[0]);
if&(ret&&&freespace){
DEBUG(&rlm_ldap:&Insufficient&string&space&);
ldap_free_urldesc(ldap_url);
ldap_value_free(vals);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap:&Adding&attribute&%s,&value:&%s&,ldap_url-&lud_attrs[0],vals[0]);
strncpy(out,vals[0],ret);
ldap_value_free(vals);
ldap_msgfree(result);
ldap_free_urldesc(ldap_url);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap:&-&ldap_xlat&end&);
/******************************************************************************
&*&&&&&&Function:&rlm_ldap_authorize
&*&&&&&&Purpose:&Check&if&user&is&authorized&for&remote&access
&******************************************************************************/
static&int&
ldap_authorize(void&*instance,&REQUEST&*&request)
LDAPMessage *result&=&NULL;
LDAPMessage *msg&=&NULL;
LDAPMessage *def_msg&=&NULL;
LDAPMessage *def_attr_msg&=&NULL;
LDAPMessage *def_result&=&NULL;
LDAPMessage *def_attr_result&=&NULL;
ldap_instance *inst&=&
*user_dn&=&NULL;
filter[MAX_FILTER_STR_LEN];
basedn[MAX_FILTER_STR_LEN];
VALUE_PAIR *check_
VALUE_PAIR *reply_
VALUE_PAIR **check_pairs,&**reply_
VALUE_PAIR&&&&&&*module_fmsg_
VALUE_PAIR *user_
char&&&&&&&&&&&&module_fmsg[MAX_STRING_LEN];
LDAP_CONN *
conn_id&=&-1;
DEBUG(&rlm_ldap:&-&authorize&);
if&(!request-&username){
radlog(L_AUTH,&&rlm_ldap:&Attribute&&User-Name&&is&required&for&authentication.n&);
return&RLM_MODULE_INVALID;
check_pairs&=&&request-&config_
reply_pairs&=&&request-&reply-&
&*&Check&for&valid&input,&zero&length&names¬&permitted
if&(request-&username-&strvalue&==&0)&{
radlog(L_ERR,&&rlm_ldap:&zero&length&username¬&permittedn&);
return&RLM_MODULE_INVALID;
DEBUG(&rlm_ldap:&performing&user&authorization&for&%s&,
&&&&&&&request-&username-&strvalue);
if&(!radius_xlat(filter,&sizeof(filter),&inst-&filter,
&request,&ldap_escape_func))&{
radlog&(L_ERR,&&rlm_ldap:&unable&to&create&filter.n&);
return&RLM_MODULE_INVALID;
if&(!radius_xlat(basedn,&sizeof(basedn),&inst-&basedn,
&request,&NULL))&{
radlog&(L_ERR,&&rlm_ldap:&unable&to&create&basedn.n&);
return&RLM_MODULE_INVALID;
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
return&RLM_MODULE_FAIL;
if&((res&=&perform_search(instance,&conn,&basedn,&LDAP_SCOPE_SUBTREE,&filter,&inst-&atts,&&result))&!=&RLM_MODULE_OK)&{
DEBUG(&rlm_ldap:&search&failed&);
if&(res&==&RLM_MODULE_NOTFOUND){
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&User¬&found&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_release_conn(conn_id,inst-&conns);
return&(res);
if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL)&{
DEBUG(&rlm_ldap:&ldap_first_entry()&failed&);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
if&((user_dn&=&ldap_get_dn(conn-&ld,&msg))&==&NULL)&{
DEBUG(&rlm_ldap:&ldap_get_dn()&failed&);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
&*&Adding&new&attribute&containing&DN&for&LDAP&object&associated&with
&*&given&username
pairadd(&request-&packet-&vps,&pairmake(&Ldap-UserDn&,&user_dn,&T_OP_EQ));
ldap_memfree(user_dn);
/*&Remote&access&is&controled&by&attribute&of&the&user&object&*/
if&(inst-&access_attr)&{
if&((vals&=&ldap_get_values(conn-&ld,&msg,&inst-&access_attr))&!=&NULL)&{
if&(inst-&default_allow){
DEBUG(&rlm_ldap:&checking&if&remote&access&for&%s&is&allowed&by&%s&,&request-&username-&strvalue,&inst-&access_attr);
if&(!strncmp(vals[0],&&FALSE&,&5))&{
DEBUG(&rlm_ldap:&dialup&access&disabled&);
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Access&Attribute&denies&access&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_msgfree(result);
ldap_value_free(vals);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_USERLOCK;
ldap_value_free(vals);
DEBUG(&rlm_ldap:&%s&attribute&exists&-&access&denied&by&default&,&inst-&access_attr);
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Access&Attribute&denies&access&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_msgfree(result);
ldap_value_free(vals);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_USERLOCK;
if&(inst-&default_allow){
DEBUG(&rlm_ldap:&no&%s&attribute&-&access&denied&by&default&,&inst-&access_attr);
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Access&Attribute&denies&access&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_USERLOCK;
&*&Check&for&the&default&profile&entry.&If&it&exists&then&add&the&
&*&attributes&it&contains&in&the&check&and&reply&pairs
user_profile&=&pairfind(request-&config_items,&PW_USER_PROFILE);
if&(inst-&default_profile&||&user_profile){
char&*profile&=&inst-&default_
strNcpy(filter,&(objectclass=radiusprofile)&,sizeof(filter));
if&(user_profile)
profile&=&user_profile-&
if&(profile&&&&strlen(profile)){
if&((res&=&perform_search(instance,&conn,
profile,&LDAP_SCOPE_BASE,&
filter,&inst-&atts,&&def_result))&==&RLM_MODULE_OK){
if&((def_msg&=&ldap_first_entry(conn-&ld,def_result))){
if&((check_tmp&=&ldap_pairget(conn-&ld,def_msg,inst-&check_item_map,check_pairs,1)))&{
/*pairadd(check_pairs,check_tmp);*/
pairxlatmove(request,&check_pairs,&&check_tmp);
pairfree(&check_tmp);
if&((reply_tmp&=&ldap_pairget(conn-&ld,def_msg,inst-&reply_item_map,reply_pairs,0)))&{
/*pairadd(reply_pairs,reply_tmp);*/
pairxlatmove(request,&reply_pairs,&&reply_tmp);
pairfree(&reply_tmp);
ldap_msgfree(def_result);
DEBUG(&rlm_ldap:&default_profile/user-profile&search&failed&);
&*&Check&for&the&profile&attribute.&If&it&exists,&we&assume&that&it&
&*&contains&the&DN&of&an&entry&containg&a&profile&for&the&user.&That
&*&way&we&can&have&different&general&profiles&for&various&user&groups
&*&(students,faculty,staff&etc)
if&(inst-&profile_attr){
if&((vals&=&ldap_get_values(conn-&ld,&msg,&inst-&profile_attr))&!=&NULL)&{
unsigned&int&i=0;
strNcpy(filter,&(objectclass=radiusprofile)&,sizeof(filter));
while(vals[i]&!=&NULL&&&&strlen(vals[i])){
if&((res&=&perform_search(instance,&conn,
vals[i],&LDAP_SCOPE_BASE,&
filter,&inst-&atts,&&def_attr_result))&==&RLM_MODULE_OK){
if&((def_attr_msg&=&ldap_first_entry(conn-&ld,def_attr_result))){
if&((check_tmp&=&ldap_pairget(conn-&ld,def_attr_msg,inst-&check_item_map,check_pairs,1)))&{
/*pairadd(check_pairs,check_tmp);*/
pairxlatmove(request,&check_pairs,&&check_tmp);
pairfree(&check_tmp);
if&((reply_tmp&=&ldap_pairget(conn-&ld,def_attr_msg,inst-&reply_item_map,reply_pairs,0)))&{
/*pairadd(reply_pairs,reply_tmp);*/
pairxlatmove(request,&reply_pairs,&&reply_tmp);
pairfree(&reply_tmp);
ldap_msgfree(def_attr_result);
DEBUG(&rlm_ldap:&profile_attribute&search&failed&);
ldap_value_free(vals);
if&(inst-&passwd_attr&&&&strlen(inst-&passwd_attr)){
VALUE_PAIR&*passwd_
if&((passwd_item&=&pairfind(request-&config_items,&PW_PASSWORD))&==&NULL){
char&**passwd_
char&*passwd_val&=&NULL;
int&passwd_
if&((passwd_vals&=&ldap_get_values(conn-&ld,msg,inst-&passwd_attr))&!=&NULL){
unsigned&int&i=0;
while(passwd_vals[i]&!=&NULL){
if&(strlen(passwd_vals[i])){
passwd_val&=&passwd_vals[i];
if&(inst-&passwd_hdr&&&&strlen(inst-&passwd_hdr)){
passwd_val&=&strstr(passwd_val,inst-&passwd_hdr);
if&(passwd_val&!=&NULL)
passwd_val&+=&strlen(inst-&passwd_hdr);
DEBUG(&rlm_ldap:&Password&header¬&found&in&password&%s&for&user&%s&,&passwd_vals[0],request-&username-&strvalue);
if&(passwd_val){
if&((passwd_item&=&paircreate(PW_PASSWORD,PW_TYPE_STRING))&==&NULL){
radlog(L_ERR|L_CONS,&&no&memory&);
ldap_value_free(passwd_vals);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
passwd_len&=&strlen(passwd_val);
strncpy(passwd_item-&strvalue,passwd_val,MAX_STRING_LEN&-&1);
passwd_item-&length&=&(passwd_len&&&(MAX_STRING_LEN&-&1))&?&(MAX_STRING_LEN&-&1)&:&passwd_
pairadd(&request-&config_items,passwd_item);
DEBUG(&rlm_ldap:&Added&password&%s&in&check&items&,passwd_item-&strvalue);
ldap_value_free(passwd_vals);
DEBUG(&rlm_ldap:&looking&for&check&items&in&directory...&);
if&((check_tmp&=&ldap_pairget(conn-&ld,&msg,&inst-&check_item_map,check_pairs,1))&!=&NULL)&{
/*pairadd(check_pairs,check_tmp);*/
pairxlatmove(request,&check_pairs,&&check_tmp);
pairfree(&check_tmp);
DEBUG(&rlm_ldap:&looking&for&reply&items&in&directory...&);
if&((reply_tmp&=&ldap_pairget(conn-&ld,&msg,&inst-&reply_item_map,reply_pairs,0))&!=&NULL)&{
/*pairadd(reply_pairs,reply_tmp);*/
pairxlatmove(request,&reply_pairs,&&reply_tmp);
pairfree(&reply_tmp);
&&&&&&&if&(inst-&do_comp&&&&paircmp(request,request-&packet-&vps,*check_pairs,reply_pairs)&!=&0){
DEBUG(&rlm_ldap:&Pairs&do¬&match.&Rejecting&user.&);
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Pairs&do¬&match&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_REJECT;
& &*&Module&should&default&to&LDAP&authentication&if&no&Auth-Type
&*&specified
if&(pairfind(*check_pairs,&PW_AUTHTYPE)&==&NULL)
pairadd(check_pairs,&pairmake(&Auth-Type&,&&LDAP&,&T_OP_EQ));
DEBUG(&rlm_ldap:&user&%s&authorized&to&use&remote&access&,
&&&&&&request-&username-&strvalue);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_OK;
/*****************************************************************************
&* Function:&rlm_ldap_authenticate
&* Purpose:&Check&the&user's&password&against&ldap&database
&*****************************************************************************/
static&int&
ldap_authenticate(void&*instance,&REQUEST&*&request)
LDAP&&&&&&&&&&&*ld_
LDAPMessage&&&&*result,&*
ldap_instance&&*inst&=&
char&&&&&&&&&&&*user_dn,&*attrs[]&=&{&uid&,&NULL};
filter[MAX_FILTER_STR_LEN];
basedn[MAX_FILTER_STR_LEN];
int&&&&&&&&&&&&&
VALUE_PAIR&&&&&*vp_user_
VALUE_PAIR&&&&&&*module_fmsg_
char&&&&&&&&&&&&module_fmsg[MAX_STRING_LEN];
LDAP_CONN *
conn_id&=&-1;
DEBUG(&rlm_ldap:&-&authenticate&);
&*&Ensure&that&we're&being&passed&a&plain-text&password,&and¬
&*&anything&else.
if&(!request-&username)&{
radlog(L_AUTH,&&rlm_ldap:&Attribute&&User-Name&&is&required&for&authentication.n&);
return&RLM_MODULE_INVALID;
if&(!request-&password){
radlog(L_AUTH,&&rlm_ldap:&Attribute&&User-Password&&is&required&for&authentication.&);
return&RLM_MODULE_INVALID;
if(request-&password-&attribute&!=&PW_PASSWORD)&{
radlog(L_AUTH,&&rlm_ldap:&Attribute&&User-Password&&is&required&for&authentication.&Cannot&use&&%s&.&,&request-&password-&name);
return&RLM_MODULE_INVALID;
if&(request-&password-&length&==&0)&{
radlog(L_ERR,&&rlm_ldap:&empty&password&supplied&);
return&RLM_MODULE_INVALID;
&*&Check&that&we&don't&have&any&failed&connections.&If&we&do&there's&no&real&need
&*&of&runing.&Also&give&it&another&chance&if&we&have&a&lot&of&failed&connections.
if&(inst-&failed_conns&&&MAX_FAILED_CONNS_END)
inst-&failed_conns&=&0;
if&(inst-&failed_conns&&&MAX_FAILED_CONNS_START){
inst-&failed_conns++;
return&RLM_MODULE_FAIL;
DEBUG(&rlm_ldap:&login&attempt&by&&%s&&with&password&&%s&&,&
&&&&&&&request-&username-&strvalue,&request-&password-&strvalue);
while((vp_user_dn&=&pairfind(request-&packet-&vps,&PW_LDAP_USERDN))&==&NULL)&{
if&(!radius_xlat(filter,&sizeof(filter),&inst-&filter,
request,&NULL))&{
radlog&(L_ERR,&&rlm_ldap:&unable&to&create&filter.n&);&
return&RLM_MODULE_INVALID;
if&(!radius_xlat(basedn,&sizeof(basedn),&inst-&basedn,
request,&NULL))&{
radlog&(L_ERR,&&rlm_ldap:&unable&to&create&basedn.n&);
return&RLM_MODULE_INVALID;
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
return&RLM_MODULE_FAIL;
if&((res&=&perform_search(instance,&conn,&basedn,&LDAP_SCOPE_SUBTREE,&filter,&attrs,&&result))&!=&RLM_MODULE_OK)&{
if&(res&==&RLM_MODULE_NOTFOUND){
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&User¬&found&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_release_conn(conn_id,inst-&conns);
return&(res);
if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL)&{
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
if&((user_dn&=&ldap_get_dn(conn-&ld,&msg))&==&NULL)&{
DEBUG(&rlm_ldap:&ldap_get_dn()&failed&);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
ldap_release_conn(conn_id,inst-&conns);
pairadd(&request-&packet-&vps,&pairmake(&Ldap-UserDn&,&user_dn,&T_OP_EQ));
ldap_memfree(user_dn);
ldap_msgfree(result);
user_dn&=&vp_user_dn-&
DEBUG(&rlm_ldap:&user&DN:&%s&,&user_dn);
ld_user&=&ldap_connect(instance,&user_dn,&request-&password-&strvalue,
&&&&&&&1,&&res);
if&(ld_user&==&NULL){
if&(res&==&RLM_MODULE_REJECT){
inst-&failed_conns&=&0;
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Bind&as&user&failed&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
if&(res&==&RLM_MODULE_FAIL){
DEBUG(&rlm_ldap:&ldap_connect()&failed&);
inst-&failed_conns++;
return&(res);
DEBUG(&rlm_ldap:&user&%s&authenticated&succesfully&,
&&&&&&request-&username-&strvalue);
ldap_unbind_s(ld_user);
inst-&failed_conns&=&0;
return&RLM_MODULE_OK;
static&LDAP&&&&*
ldap_connect(void&*instance,&const&char&*dn,&const&char&*password,&int&auth,&int&*result)
ldap_instance&&*inst&=&
LDAP&&&&&&&&&&&*ld&=&NULL;
int&&&&&&&&&&&&&msgid,&rc,&ldap_
ldap_errno&=&0;
LDAPMessage&&&&*
if&(inst-&is_url){
#ifdef&HAVE_LDAP_INITIALIZE
DEBUG(&rlm_ldap:&(re)connect&to&%s,&authentication&%d&,&inst-&server,&auth);
if&(ldap_initialize(&ld,&inst-&server)&!=&LDAP_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&ldap_initialize()&failed&);
*result&=&RLM_MODULE_FAIL;
return&(NULL);
DEBUG(&rlm_ldap:&(re)connect&to&%s:%d,&authentication&%d&,&inst-&server,&inst-&port,&auth);
if&((ld&=&ldap_init(inst-&server,&inst-&port))&==&NULL)&{
radlog(L_ERR,&&rlm_ldap:&ldap_init()&failed&);
*result&=&RLM_MODULE_FAIL;
return&(NULL);
if&(ldap_set_option(ld,&LDAP_OPT_NETWORK_TIMEOUT,&(void&*)&&(inst-&net_timeout))&!=&LDAP_OPT_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&Could¬&set&LDAP_OPT_NETWORK_TIMEOUT&%ld.%ld&,&inst-&net_timeout.tv_sec,&inst-&net_timeout.tv_usec);
if&(ldap_set_option(ld,&LDAP_OPT_TIMELIMIT,&(void&*)&&(inst-&timelimit))&!=&LDAP_OPT_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&Could¬&set&LDAP_OPT_TIMELIMIT&%d&,&inst-&timelimit);
if&(inst-&ldap_debug&&&&ldap_set_option(NULL,&LDAP_OPT_DEBUG_LEVEL,&&(inst-&ldap_debug))&!=&LDAP_OPT_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&Could¬&set&LDAP_OPT_DEBUG_LEVEL&%d&,&inst-&ldap_debug);
ldap_version&=&LDAP_VERSION3;
if&(ldap_set_option(ld,&LDAP_OPT_PROTOCOL_VERSION,&&ldap_version)&!=&LDAP_OPT_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&Could¬&set&LDAP&version&to&V3&);
#ifdef&HAVE_LDAP_START_TLS
&&&&&&&&if(inst-&tls_mode)&{
DEBUG(&rlm_ldap:&setting&TLS&mode&to&%d&,&inst-&tls_mode);
&&&&&&&& if(ldap_set_option(ld,&LDAP_OPT_X_TLS,
&& &&&&&&&&&&&(void&*)&&(inst-&tls_mode))&!=&LDAP_OPT_SUCCESS)&{
ldap_get_option(ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
radlog(L_ERR,&&rlm_ldap:&could¬&set&LDAP_OPT_X_TLS&option&%s&,&ldap_err2string(ldap_errno));
if&(inst-&start_tls)&{
DEBUG(&rlm_ldap:&starting&TLS&);
rc&=&ldap_start_tls_s(ld,&NULL,&NULL);
if&(rc&!=&LDAP_SUCCESS)&{
DEBUG(&rlm_ldap:&ldap_start_tls_s()&);
ldap_get_option(ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
radlog(L_ERR,&&rlm_ldap:&could¬&start&TLS&%s&,&ldap_err2string(ldap_errno));
*result&=&RLM_MODULE_FAIL;
ldap_unbind_s(ld);
return&(NULL);
#endif&/*&HAVE_LDAP_START_TLS&*/
if&(inst-&is_url){
DEBUG(&rlm_ldap:&bind&as&%s/%s&to&%s&,&dn,&password,&inst-&server);
DEBUG(&rlm_ldap:&bind&as&%s/%s&to&%s:%d&,&dn,&password,&inst-&server,&inst-&port);
msgid&=&ldap_bind(ld,&dn,&password,LDAP_AUTH_SIMPLE);
if&(msgid&==&-1)&{
ldap_get_option(ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
if&(inst-&is_url)
radlog(L_ERR,&&rlm_ldap:&%s&bind&to&%s&failed:&%s&,
& dn,&inst-&server,&ldap_err2string(ldap_errno));
radlog(L_ERR,&&rlm_ldap:&%s&bind&to&%s:%d&failed:&%s&,
& dn,&inst-&server,&inst-&port,
& ldap_err2string(ldap_errno));
*result&=&RLM_MODULE_FAIL;
ldap_unbind_s(ld);
return&(NULL);
DEBUG(&rlm_ldap:&waiting&for&bind&result&...&);
rc&=&ldap_result(ld,&msgid,&1,&&(inst-&timeout),&&res);
if(rc&&&1)&{
DEBUG(&rlm_ldap:&ldap_result()&);
ldap_get_option(ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
if&(inst-&is_url)
radlog(L_ERR,&&rlm_ldap:&%s&bind&to&%s&failed:&%s&,
dn,&inst-&server,&(rc&==&0)&?&&timeout&&:&ldap_err2string(ldap_errno));
radlog(L_ERR,&&rlm_ldap:&%s&bind&to&%s:%d&failed:&%s&,
dn,&inst-&server,&inst-&port,
(rc&==&0)&?&&timeout&&:&ldap_err2string(ldap_errno));
*result&=&RLM_MODULE_FAIL;
ldap_unbind_s(ld);
return&(NULL);
ldap_errno&=&ldap_result2error(ld,&res,&1);
switch&(ldap_errno)&{
case&LDAP_SUCCESS:
*result&=&RLM_MODULE_OK;
case&LDAP_INVALID_CREDENTIALS:
if&(auth)&
*result&=&RLM_MODULE_REJECT;
radlog(L_ERR,&&rlm_ldap:&LDAP&login&failed:&check&login,&password&settings&in&ldap§ion&of&radiusd.conf&);
*result&=&RLM_MODULE_FAIL;
if&(inst-&is_url)
radlog(L_ERR,&rlm_ldap:&%s&bind&to&%s&failed&%s&,
dn,&inst-&server,&ldap_err2string(ldap_errno));
radlog(L_ERR,&rlm_ldap:&%s&bind&to&%s:%d&failed&%s&,
dn,&inst-&server,&inst-&port,
ldap_err2string(ldap_errno));
*result&=&RLM_MODULE_FAIL;
if&(*result&!=&RLM_MODULE_OK)&{
ldap_unbind_s(ld);
ld&=&NULL;
/*****************************************************************************
&* Detach&from&the&LDAP&server&and&cleanup&internal&state.
&*****************************************************************************/
static&int&
ldap_detach(void&*instance)
ldap_instance&&*inst&=&
TLDAP_RADIUS&*pair,&*
if&(inst-&server)
free((char&*)&inst-&server);
if&(inst-&login)
free((char&*)&inst-&login);
if&(inst-&password)
free((char&*)&inst-&password);
if&(inst-&basedn)
free((char&*)&inst-&basedn);
if&(inst-&dictionary_mapping)
free(inst-&dictionary_mapping);
if&(inst-&filter)
free((char&*)&inst-&filter);
if&(inst-&passwd_hdr)
free((char&*)&inst-&passwd_hdr);
if&(inst-&passwd_attr)
free((char&*)&inst-&passwd_attr);
if&(inst-&groupname_attr)
free((char&*)&inst-&groupname_attr);
if&(inst-&groupmemb_filt)
free((char&*)&inst-&groupmemb_filt);
if&(inst-&groupmemb_attr)
free((char&*)&inst-&groupmemb_attr);
if&(inst-&access_attr)
free((char&*)&inst-&access_attr);
if&(inst-&profile_attr)
free((char&*)&inst-&profile_attr);
if&(inst-&conns){
for(;i&inst-&num_i++){
if&(inst-&conns[i].ld){
ldap_unbind_s(inst-&conns[i].ld);
pthread_mutex_destroy(&inst-&conns[i].mutex);
free(inst-&conns);
pair&=&inst-&check_item_
while&(pair&!=&NULL)&{
nextpair&=&pair-&
free(pair-&attr);
free(pair-&radius_attr);
free(pair);
pair&=&inst-&reply_item_
while&(pair&!=&NULL)&{
nextpair&=&pair-&
free(pair-&attr);
free(pair-&radius_attr);
free(pair);
if&(inst-&atts)
free(inst-&atts);
paircompare_unregister(PW_LDAP_GROUP,&ldap_groupcmp);
xlat_unregister(inst-&xlat_name,ldap_xlat);
free(inst-&xlat_name);
free(inst);
#ifdef&FIELDCPY
static&void&
fieldcpy(char&*string,&char&**uptr)
char&&&&&&&&&&&*
while&(*ptr&==&'&'&||&*ptr&==&'t')&{
if&(*ptr&==&'&')&{
while&(*ptr&!=&'&'&&&&*ptr&!=&'�'&&&&*ptr&!=&'n')&{
*string++&=&*ptr++;
*string&=&'�';
if&(*ptr&==&'&')&{
while&(*ptr&!=&'&'&&&&*ptr&!=&'t'&&&&*ptr&!=&'�'&&&&*ptr&!=&'n'&&&
&&&&&&&*ptr&!=&'='&&&&*ptr&!=&',')&{
*string++&=&*ptr++;
*string&=&'�';
/*****************************************************************************
&* Get&RADIUS&attributes&from&LDAP&object
&* (&according&to&draft-adoba-radius-05.txt
&* &&&http://www.ietf.org/internet-drafts/draft-adoba-radius-05.txt&&)
&*****************************************************************************/
static&VALUE_PAIR&*
ldap_pairget(LDAP&*&ld,&LDAPMessage&*&entry,
&&&&&TLDAP_RADIUS&*&item_map,&VALUE_PAIR&**pairs,char&is_check)
char&&&&&&&&&&**
int&&&&&&&&&&&&&vals_
int&&&&&&&&&&&&&vals_
char&&&&&&&&&&&*
TLDAP_RADIUS&&&*
LRAD_TOKEN&&&&&&
int&&&&&&&&&&&&&is_generic_
char&&&&&&&&&&&&value[256];
VALUE_PAIR&&&&&*pairlist&=&NULL;
VALUE_PAIR&&&&&*newpair&=&NULL;
/*&check&if&there&is&a&mapping&from&this&LDAP&attribute&to&a&RADIUS&attribute&*/
for&(element&=&item_&element&!=&NULL;&element&=&element-&next)&{
if&((vals&=&ldap_get_values(ld,entry,element-&attr))&!=&NULL){
/*&check&whether&this&is&a&one-to-one-mapped&ldap&attribute&or&a&generic
&&&attribute&and&set&flag&accordingly&*/
if&(strcasecmp(element-&radius_attr,&GENERIC_ATTRIBUTE_ID)==0)
is_generic_attribute&=&1;
is_generic_attribute&=&0;
/*&find&out&how&many&values&there&are&for&the&attribute&and&extract&all&of&them&*/
vals_count&=&ldap_count_values(vals);
for&(vals_idx&=&0;&vals_idx&&&vals_&vals_idx++)&{
ptr&=&vals[vals_idx];
if&(is_generic_attribute)&{
/*&this&is&a&generic&attribute&*/
LRAD_TOKEN&&/*&makes&pairread&happy&*/
/*¬&sure&if&using&pairread&here&is&ok&...&*/
if&(&(newpair&=&pairread(&ptr,&&dummy))&!=&NULL)&{
DEBUG(&rlm_ldap:&extracted&attribute&%s&from&generic&item&%s&,&
&&&&&&newpair-&name,&vals[vals_idx]);
pairadd(&pairlist,&newpair);
radlog(L_ERR,&&rlm_ldap:&parsing&%s&failed:&%s&,&
&&&&&&&element-&attr,&vals[vals_idx]);
/*&this&is&a&one-to-one-mapped&attribute&*/
token&=&gettoken(&ptr,&value,&sizeof(value)&-&1);
if&(token&&&T_EQSTART&||&token&&&T_EQEND)&{
token&=&(is_check)&?&T_OP_CMP_EQ&:&T_OP_EQ;
gettoken(&ptr,&value,&sizeof(value)&-&1);
if&(value[0]&==&0)&{
DEBUG(&rlm_ldap:&Attribute&%s&has&no&value&,&element-&attr);
DEBUG(&rlm_ldap:&Adding&%s&as&%s,&value&%s&&&op=%d&,&element-&attr,&element-&radius_attr,&value,&token);
if&((newpair&=&pairmake(element-&radius_attr,&value,&token))&==&NULL)
if&(!&vals_idx){
pairdelete(pairs,newpair-&attribute);
pairadd(&pairlist,&newpair);
ldap_value_free(vals);
return&(pairlist);
/*&globally&exported&name&*/
module_t&&&&&&&&rlm_ldap&=&{
RLM_TYPE_THREAD_SAFE, /*&type:&reserved& &*/
/*&initialization& &*/
ldap_instantiate, /*&instantiation& &*/
ldap_authenticate, /*&authentication& &*/
ldap_authorize,
/*&authorization& &*/
/*&preaccounting& &*/
/*&accounting&
/*&checksimul&
/*&pre-proxy&
/*&post-proxy&
/*&post-auth&
ldap_detach,
/*&detach&
/*&destroy&
CopyRight &
verySource.Com All Rights reserved. 京公网安备:88}
当前位置:
& 查看源码
rlm_ldap.c
rlm_ldap.c:源码内容
&*&rlm_ldap.c&LDAP&authorization&and&authentication&module.
&*&This&module&is&based&on&LDAP&patch&to&Cistron&radiusd&by&James&Golovich&
&*&&&,&which&in&turn&was&based&mostly&on&a&Mysql+Cistron&patch&
&*&from&&&
&*&17&Jan&2000, Adrian&Pavlykevych&&pam@polynet.lviv.ua&
&* -&OpenLDAP&SDK&porting,&basic&TLS&support,&LDAP&authorization,
&* &&fault&tolerance&with&multiple&LDAP&server&support&
&*&24&May&2000, Adrian&Pavlykevych&&pam@polynet.lviv.ua&&
&* -&Converting&to&new&configuration&file&format,&futher&improvements
&* &&in&fault&tolerance,&threaded&operation
&*&12&Dec&2000, Adrian&Pavlykevych&&pam@polynet.lviv.ua&&
&* -&Added&preliminary&support&for&multiple&instances
&*& -&moved&all&instance&configuration&into&dynamicly&allocated&structure
&* -&Removed&connection&maintenance&thread&and&all&attempts&for&multihreading
&* &&the&module&itself.&OpenLDAP&SDK&is¬&thread&safe&when&used&with&shared
&* &&LDAP&connection.
&* -&Added&configuration&option&for&defining&LDAP&attribute&of&user&object,
&* &&which&controls&remote&access.
&*&16&Feb&2001,&Hannu&Laurila&&hannu.laurila@japo.fi&
&*& -&LDAP&-&RADIUS&attribute&mappings&are&now&read&from&a&file
&*&& -&Support&for&generic&RADIUS&check&and&reply&attribute.
&*&Jun&2001,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Fix:&check&and&reply&attributes&from&LDAP&_replace_&existing&ones
&* -&Added&&default_profile&&directive,&which&points&to&radiusProfile&
&* &&object,&which&contains&default&values&for&RADIUS&users
&* -&Added&&profile_attribute&&directive,&which&specifies&user&object&
&* &&attribute&pointing&to&radiusProfile&object.
&*&Nov&2001,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Added&support&for&adding&the&user&password&to&the&check.&Based&on
&* &&the&password_header&directive&rlm_ldap&will&strip&the
&* &&password&header&if&needed.&This&will&make&support&for&CHAP&much&easier.
&* -&Added&module&messages&when&we&reject&a&user.
&* -&Added&ldap_groupcmp&to&allow&searching&for&user&group&membership.
&* -&Added&ldap_xlat&to&allow&ldap&urls&in&xlat&strings.&Something&like:
&* &&%{ldap:ldap:///dc=company,dc=com?cn?sub?uid=user}
&*&Nov&2001,&Gordon&Tetlow&&gordont@gnf.org&
&* -&Do&an&xlat&on&the&access_group&attribute.
&*&Dec&2001,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Added&ldap&caching&for&the&default/regular&profiles&and&group&entries.
&* -&Fixed&a&memory&leak&in&ldap_xlat.
&* -&Removed&dict_attrbyname&from&ldap_pairget.&They&are¬&needed.
&* -&Moved&the&radius_xlat's&for&filter&and&basedn&in&ldap_authenticate()&to
&* &&the&right&place.
&* -&Made&the&module&thread&safe.&We&create&a&connection&pool&and&each&thread
&* &&will&call&ldap_get_conn&to&lock&one&of&the&ldap&connections&and&release&with
&* &&a&call&to&ldap_release_conn&when&it&has&finished.
&* -&Request&only&the&user&attributes&that&interest&us&(radius&attributes,regular
&* &&profile,user&password&and&access&attribute).
&*&Mar&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Fixed&a&bug&where&the&ldap&server&will&kill&the&idle&connections&from&the&ldap
&* &&connection&pool.&We&now&check&if&ldap_search&returns&LDAP_SERVER_DOWN&and&try&to
&* &&reconnect&if&it&does.&Bug¬ed&by&Dan&Perik&&dan_perik-work@ntm.org.pg&
&*&May&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Instead&of&the&Group&attribute&we&now&have&the&Ldap-Group&attribute,&to&avoid
&* &&collisions&with&other&modules
&* -&If&perform_search&fails&check&the&ld&!=&NULL&before&using&it.&Based&on&a&bug&report
&* &&by&John&&&
&*&Jun&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Add&the&ability&to&do&a&paircmp&on&the&check&items.&Add&a&compare_check_items&boolean
&* &&configuration&directive&which&defaults&to&no.&If&it&is&set&then&we&will&do&a&compare
&* -&Add&another&configuration&directive.&access_attr_used_for_allow.&If&it&is&set&to&yes
&* &&then&the&access_attr&will&be&used&to&allow&user&access.&If&it&is&set&to&no&then&it&will
&* &&be&used&to&deny&user&access.
&* -&Remember&to&free&inst-&atts&in&ldap_detach()
&* -&Add&a&forgotten&ldap_free_urldesc&in&ldap_xlat()
&* -&Add&a&variable&locked&in&the&LDAP_CONN&structure.&We&use&this&to&avoid&deadlocks.&The&mutex
&* &&we&are&using&is&of&type&fast&and&can&deadlock&if&the&same&thread&tries&to&relock&it.&That
&* &&could&happen&in&case&of&calls&to&xlat.
&* -&When&ldap_search&returns&NO_SUCH_OBJECT&don't&return&fail&but¬found
&*&Jul&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Fix&the&logic&when&we&get&an&LDAP_SERVER_DOWN&or&we&have&conn-&ld&==&NULL&in&perform_search
&* -&Try&to&minimize&the&penalty&of&having&the&ldap&server&go&down.&The&comments&before
&* &&MAX_FAILED_CONNS_*&definitions&should&explain&things.
&* -&Check&for&a&number&of&error&codes&from&ldap_search&and&log&corresponding&error&messages
&* &&We&should&only&reconnect&when&that&can&help&things.
&* -&In&ldap_groupcmp&instead&of&first&searching&for&the&group&object&and&then&checking&user
&* &&group&membership&combine&them&in&one&ldap&search&operation.&That&should&make&group
&* &&membership&checks&a&lot&faster.
&* -&Remember&to&do&ldap_release_conn&and&ldap_msgfree&when&we&do&paircmp&and&the&result&is&reject
&*&Aug&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Add&support&for&group&membership&attribute&inside&the&user&entry&in&ldap_groupcmp.&The&attribute
&* &&can&either&contain&the&name&or&the&DN&of&the&group.&Added&the&groupmembership_attribute
&* &&configuration&directive
&* -&Move&the&ldap_{get,release}_conn&in&ldap_groupcmp&so&that&we&hold&a&connection&for&the&minimum&time.
&* -&Now&that&ldap_groupcmp&is&complete&we&really&don't&need&access_group.&Removed&it.
&* -&Remember&to&free&groupmembership_attribute&in&ldap_detach
&* -&Don't&delete&existing&generic&attributes&in&ldap_pairget&when&adding&new&ones.&Since&generic&attributes
&* &&have&operators&we&don't&need&to&try&to&be&cleaver.
&*&Sep&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Fix&a&crash&in&ldap_pairget&when&the&attribute&value&is&larger&than&the&buffer&size
&* &&Bug&report&by&Stefan&Radovanovici&&&
&* -&If&we&add&a&check&item&then&use&the&==&operator.&Based&on&an&idea&by&Allister&Maguire&&.nz&
&* -&Only&add&a&failure&message&for&bind&as&user&failed&in&ldap_authenticate&if&the&result&of&ldap_connect&was
&* &&RLM_MODULE_REJECT
&* -&Make&tls_mode&a&configurable&option.&Patch&from&John&&&
&* -&Allow&multiple®ular&profiles&for&an&entry
&*&Oct&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Disable&cache&after&searching&for&the&default&profile
&* -&Use&the&MAX_FAILED_CONNS_*&in&ldap_authenticate()&when&calling&ldap_connect()
&*&Nov&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Set&LDAP&version&to&V3&before&binding.&Now&freeradius&should&work&with&openldap21
&*&Dec&2002,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Set&default&values&for&the&server&and&basedn¶meters
&*&Feb&2003,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Add&support&for&ldap_initialize.&That&way&we&can&specify&the&server&as&an&ldap&url.
&* &&Based&on&ideas&from&Derrik&Pates&&&
&*&Mar&2003,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&*& -&Add&an&ldap_escape_func.&Escape&the&*&character&from&the&filter&so&that&we&can&avoid
&*& &&the&trivial&DoS&of&username=*
&*& -&Remove&the&caching&code.&It&does¬&exist&in&openldap21.
&* &&Based&on&a&report&from&Mike&Denka&&&
&*&May&2003,&Kostas&Kalevras&&kkalev@noc.ntua.gr&
&* -&Don't&do&a&double&free&on&the&attribute&maps.&Bug¬ed&by&Derrik&Pates&&&
&* -&Apply&a&patch&from&Alexander&M.&Pravking&&fduch@antar.bryansk.ru&&to&do&an&xlat&on&the
&* &&retrieved&attributes.
static&const&char&rcsid[]&=&&$Id:&rlm_ldap.c,v&1.108&&19:07:08&aland&Exp&$&;
#include&&autoconf.h&
#include &sys/types.h&
#include &sys/socket.h&
#include &sys/time.h&
#include &netinet/in.h&
#include &stdio.h&
#include &stdlib.h&
#include &netdb.h&
#include &pwd.h&
#include &time.h&
#include &ctype.h&
#include &string.h&
#include &lber.h&
#include&&&&&&&&&ldap.h&
#include &errno.h&
#include &unistd.h&
#include &pthread.h&
#include&&&&&&&&&libradius.h&
#include &radiusd.h&
#include &conffile.h&
#include &modules.h&
#include &rad_assert.h&
#define&MAX_FILTER_STR_LEN 1024
#define&TIMELIMIT&5
&*&These&are&used&in&case&ldap_search&returns&LDAP_SERVER_DOWN
&*&In&that&case&we&do&conn-&failed_conns++&and&then&check&it:
&*&If&conn-&failed_conns&&=&MAX_FAILED_CONNS_START&then&we&try
&*&to&reconnect
&*&conn-&failed_conns&is&also&checked&on&entrance&in&perform_search:
&*&If&conn-&failed_conns&&&MAX_FAILED_CONNS_START&then&we&don't
&*&try&to&do&anything&and&we&just&do&conn-&failed_conns++&and
&*&return&RLM_MODULE_FAIL
&*&if&conn-&failed_conns&&=&MAX_FAILED_CONNS_END&then&we&give&it
&*&another&chance&and&we&set&it&to&MAX_FAILED_CONNS_RESTART&and
&*&try&to&reconnect.
&*&We&are&assuming&that&the&majority&of&the&LDAP_SERVER_DOWN&cases
&*&will&either&be&an&ldap&connection&timeout&or&a&temporary&ldap
&*&server&problem.
&*&As&a&result&we&make&a&few&attempts&to&reconnect&hoping&that&the&problem
&*&will&soon&go&away.&If&it&does¬&go&away&then&we&just&return
&*&RLM_MODULE_FAIL&on&entrance&in&perform_search&until&conn-&failed_conns
&*&gets&to&MAX_FAILED_CONNS_END.&After&that&we&give&it&one&more&chance&by
&*&going&back&to&MAX_FAILED_CONNS_RESTART
#define&MAX_FAILED_CONNS_END
#define&MAX_FAILED_CONNS_RESTART 4
#define&MAX_FAILED_CONNS_START
/*&linked&list&of&mappings&between&RADIUS&attributes&and&LDAP&attributes&*/
struct&TLDAP_RADIUS&{
char*&&&&&&&&&&&&&&&&&
char*&&&&&&&&&&&&&&&&&radius_
struct&TLDAP_RADIUS*&&
typedef&struct&TLDAP_RADIUS&TLDAP_RADIUS;
typedef&struct&ldap_conn&{
pthread_mutex_t
}&LDAP_CONN;
typedef&struct&{
char&&&&&&&&&&&*
int&&&&&&&&&&&&&
int&&&&&&&&&&&&&
struct&timeval&&net_
struct&timeval&&
int&&&&&&&&&&&&&
int&&&&&&&&&&&&&tls_
char&&&&&&&&&&&*
char&&&&&&&&&&&*
char&&&&&&&&&&&*
char&&&&&&&&&&&*
char&&&&&&&&&&&*default_
char&&&&&&&&&&&*profile_
char&&&&&&&&&&&*access_
char&&&&&&&&&&&*passwd_
char&&&&&&&&&&&*passwd_
char&&&&&&&&&&&*dictionary_
char &&&&&&&*groupname_
char &&&&&&&*groupmemb_
char&&&&&&&&&&&*groupmemb_
TLDAP_RADIUS&&&*check_item_
TLDAP_RADIUS&&&*reply_item_
LDAP_CONN *
int&&&&&&&&&&&&&ldap_&/*&Debug&flag&for&LDAP&SDK&*/
*xlat_&/*&name&used&to&xlat&*/
}&&&&&&&&&&&&&&&ldap_
static&CONF_PARSER&module_config[]&=&{
{&server&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,server),&NULL,&&localhost&},
{&port&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,port),&NULL,&&389&},
/*&wait&forever&on&network&activity&*/
{&net_timeout&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,net_timeout.tv_sec),&NULL,&&10&},
/*&wait&forever&for&search&results&*/
{&timeout&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,timeout.tv_sec),&NULL,&&20&},
/*&allow&server&unlimited&time&for&search&(server-side&limit)&*/
{&timelimit&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,timelimit),&NULL,&&20&},
{&identity&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,login),&NULL,&&&},
{&start_tls&,&PW_TYPE_BOOLEAN,&offsetof(ldap_instance,start_tls),&NULL,&&no&},
{&password&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,password),&NULL,&&&},
{&basedn&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,basedn),&NULL,&&o=notexist&},
{&filter&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,filter),&NULL,&&(uid=%u)&},
{&default_profile&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,default_profile),&NULL,&NULL},
{&profile_attribute&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,profile_attr),&NULL,&NULL},
{&password_header&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,passwd_hdr),&NULL,&NULL},
{&password_attribute&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,passwd_attr),&NULL,&NULL},
/*&LDAP&attribute&name&that&controls&remote&access&*/
{&access_attr&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,access_attr),&NULL,&NULL},
/*&file&with&mapping&between&LDAP&and&RADIUS&attributes&*/
{&groupname_attribute&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,groupname_attr),&NULL,&&cn&},
{&groupmembership_filter&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,groupmemb_filt),&NULL,&&(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))&},
{&groupmembership_attribute&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,groupmemb_attr),&NULL,&NULL},
{&dictionary_mapping&,&PW_TYPE_STRING_PTR,&offsetof(ldap_instance,dictionary_mapping),&NULL,&&${confdir}/ldap.attrmap&},
{&ldap_debug&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,ldap_debug),&NULL,&&0x0000&},
{&ldap_connections_number&,&PW_TYPE_INTEGER,&offsetof(ldap_instance,num_conns),&NULL,&&5&},
{&compare_check_items&,&PW_TYPE_BOOLEAN,&offsetof(ldap_instance,do_comp),&NULL,&&no&},
{&access_attr_used_for_allow&,&PW_TYPE_BOOLEAN,&offsetof(ldap_instance,default_allow),&NULL,&&yes&},
{NULL,&-1,&0,&NULL,&NULL}
#define&ld_valid&&&&&&&&&&&&&&&&ld_options.ldo_valid
#define&LDAP_VALID_SESSION&&&&&&0x2
#define&LDAP_VALID(ld)&&(&(ld)-&ld_valid&==&LDAP_VALID_SESSION&)
#ifdef&FIELDCPY
static&void&&&&&fieldcpy(char&*,&char&**);
static&VALUE_PAIR&*ldap_pairget(LDAP&*,&LDAPMessage&*,&TLDAP_RADIUS&*,VALUE_PAIR&**,char);
static&int&ldap_groupcmp(void&*,&REQUEST&*,&VALUE_PAIR&*,&VALUE_PAIR&*,&VALUE_PAIR&*,&VALUE_PAIR&**);
static&int&ldap_xlat(void&*,REQUEST&*,&char&*,&char&*,int,&RADIUS_ESCAPE_STRING);
static&LDAP&&&&*ldap_connect(void&*instance,&const&char&*,&const&char&*,&int,&int&*);
static&int&&&&&read_mappings(ldap_instance*&inst);
static&inline&int&ldap_get_conn(LDAP_CONN&*conns,LDAP_CONN&**ret,void&*instance)
ldap_instance&*inst&=&
register&int&i&=&0;
for(;i&inst-&num_i++){
if&(conns[i].locked&==&0&&&&pthread_mutex_trylock(&(conns[i].mutex))&==&0){
*ret&=&&conns[i];
conns[i].locked&=&1;
DEBUG(&ldap_get_conn:&Got&Id:&%d&,i);
return&-1;
static&inline&void&ldap_release_conn(int&i,&LDAP_CONN&*conns)
DEBUG(&ldap_release_conn:&Release&Id:&%d&,i);
conns[i].locked&=&0;
pthread_mutex_unlock(&(conns[i].mutex));
/*************************************************************************
&* Function:&rlm_ldap_instantiate
&* Purpose:&Uses§ion&of&radiusd&config&file&passed&as¶meter
&to&create&an&instance&of&the&module.
&*************************************************************************/
static&int&
ldap_instantiate(CONF_SECTION&*&conf,&void&**instance)
ldap_instance&&*
int&i&=&0;
int&atts_num&=&0;
int&reply_map_num&=&0;
int&check_map_num&=&0;
int&att_map[3]&=&{0,0,0};
TLDAP_RADIUS&*
char&*xlat_
inst&=&rad_malloc(sizeof&*inst);
if&(!inst)&{
return&-1;
memset(inst,&0,&sizeof(*inst));
if&(cf_section_parse(conf,&inst,&module_config)&&&0)&{
free(inst);
return&-1;
if&(inst-&server&==&NULL)&{
radlog(L_ERR,&&rlm_ldap:&missing&'server'&directive.&);
free(inst);
return&-1;
inst-&is_url&=&0;
#ifdef&HAVE_LDAP_INITIALIZE
if&(ldap_is_ldap_url(inst-&server)){
inst-&is_url&=&1;
inst-&port&=&0;
inst-&timeout.tv_usec&=&0;
inst-&net_timeout.tv_usec&=&0;
/*&workaround&for&servers&which&support&LDAPS&but¬&START&TLS&*/
if(inst-&port&==&LDAPS_PORT)
inst-&tls_mode&=&LDAP_OPT_X_TLS_HARD;
inst-&tls_mode&=&0;
inst-&reply_item_map&=&NULL;
inst-&check_item_map&=&NULL;
inst-&conns&=&NULL;
inst-&failed_conns&=&0;
paircompare_register(PW_LDAP_GROUP,&PW_USER_NAME,&ldap_groupcmp,&inst);
DEBUG(&conns:&%p&,inst-&conns);
xlat_name&=&cf_section_name2(conf);
if&(xlat_name&==&NULL)&{
xlat_name&=&cf_section_name1(conf);
rad_assert(xlat_name&!=&NULL);&/*&or&all&hell&breaks&loose&*/
inst-&xlat_name&=&strdup(xlat_name);
xlat_register(xlat_name,ldap_xlat,inst);
if&(inst-&num_conns&&=&0){
radlog(L_ERR,&&rlm_ldap:&Invalid&ldap&connections&number&passed.&);
free(inst);
return&-1;
inst-&conns&=&(LDAP_CONN&*)malloc(sizeof(LDAP_CONN)*inst-&num_conns);
if&(inst-&conns&==&NULL){
radlog(L_ERR,&&rlm_ldap:&Could¬&allocate&memory.&Aborting.&);
free(inst);
return&-1;
for(;i&inst-&num_i++){
inst-&conns[i].bound&=&0;
inst-&conns[i].locked&=&0;
inst-&conns[i].failed_conns&=&0;
inst-&conns[i].ld&=&NULL;
pthread_mutex_init(&inst-&conns[i].mutex,&NULL);
if&(read_mappings(inst)&!=&0)&{
radlog(L_ERR,&&rlm_ldap:&Reading&dictionary&mappings&from&file&%s&failed&,
&&&&&&&inst-&dictionary_mapping);
radlog(L_ERR,&&rlm_ldap:&Proceeding&with&no&mappings&);
pair&=&inst-&check_item_
while(pair&!=&NULL){
atts_num++;
pair&=&pair-&
check_map_num&=&(atts_num&-&1);
pair&=&inst-&reply_item_
while(pair&!=&NULL){
atts_num++;
pair&=&pair-&
reply_map_num&=&(atts_num&-&1);
if&(inst-&profile_attr)
atts_num++;
if&(inst-&passwd_attr)
atts_num++;
if&(inst-&access_attr)
atts_num++;
inst-&atts&=&(char&**)malloc(sizeof(char&*)*(atts_num&+&1));
if&(inst-&atts&==&NULL){
radlog(L_ERR,&&rlm_ldap:&Could¬&allocate&memory.&Aborting.&);
free(inst);
return&-1;
pair&=&inst-&check_item_
for(i=0;i&atts_i++){
if&(i&&=&check_map_num&){
inst-&atts[i]&=&pair-&
if&(i&==&check_map_num)
pair&=&inst-&reply_item_
pair&=&pair-&
else&if&(i&&=&reply_map_num){
inst-&atts[i]&=&pair-&
pair&=&pair-&
if&(inst-&profile_attr&&&&!att_map[0]){
inst-&atts[i]&=&inst-&profile_
att_map[0]&=&1;
else&if&(inst-&passwd_attr&&&&!att_map[1]){
inst-&atts[i]&=&inst-&passwd_
att_map[1]&=&1;
else&if&(inst-&access_attr&&&&!att_map[2]){
inst-&atts[i]&=&inst-&access_
att_map[2]&=&1;
inst-&atts[atts_num]&=&NULL;
DEBUG(&conns:&%p&,inst-&conns);
*instance&=&
&*&read_mappings(...)&reads&a&ldap&-&radius&mappings&file&to&inst-&reply_item_map&and&inst-&check_item_map
#define&MAX_LINE_LEN&160
#define&GENERIC_ATTRIBUTE_ID&&$GENERIC$&
static&int
read_mappings(ldap_instance*&inst)
/*&all&buffers&are&of&MAX_LINE_LEN&so&we&can&use&sscanf&without&being&afraid&of&buffer&overflows&*/
char&buf[MAX_LINE_LEN],&itemType[MAX_LINE_LEN],&radiusAttribute[MAX_LINE_LEN],&ldapAttribute[MAX_LINE_LEN];
/*&open&the&mappings&file&for&reading&*/
filename&=&inst-&dictionary_
DEBUG(&rlm_ldap:&reading&ldap&-&radius&mappings&from&file&%s&,&filename);
mapfile&=&fopen(filename,&&r&);
if&(mapfile&==&NULL)&{
radlog(L_ERR,&&rlm_ldap:&Opening&file&%s&failed&,&filename);
return&-1;&/*&error&*/
/*&read&file&line&by&line.&Note&that&if&line&length&exceed&MAX_LINE_LEN,&line&numbers&will&be&mixed&up&*/
linenumber&=&0;
while&(fgets(buf,&sizeof&buf,&mapfile)!=NULL)&{
int&token_
TLDAP_RADIUS*&
linenumber++;
/*&strip&comments&*/
ptr&=&strchr(buf,&'#');
if&(ptr)&*ptr&=&0;
/*&empty&line&*/
if&(buf[0]&==&0)&
/*&extract&tokens&from&the&string&*/
token_count&=&sscanf(buf,&&%s&%s&%s&,&itemType,&radiusAttribute,&ldapAttribute);
if&(token_count&&=&0)&/*&no&tokens&*/
if&(token_count&!=&3)&{
radlog(L_ERR,&&rlm_ldap:&Skipping&%s&line&%i:&%s&,&filename,&linenumber,&buf);
radlog(L_ERR,&&rlm_ldap:&Expected&3&tokens&&
&&&&&&&&(Item&type,&RADIUS&Attribute&and&LDAP&Attribute)&but&found&only&%i&,&token_count);
/*&create&new&TLDAP_RADIUS&list&node&*/
pair&=&rad_malloc(sizeof(TLDAP_RADIUS));
pair-&attr&=&strdup(ldapAttribute);
pair-&radius_attr&=&strdup(radiusAttribute);
if&(&(pair-&attr&==&NULL)&||&(pair-&radius_attr&==&NULL)&)&{
radlog(L_ERR,&&rlm_ldap:&Out&of&memory&);
if&(pair-&attr)&free(pair-&attr);
if&(pair-&radius_attr)&free(pair-&radius_attr);
free(pair);
fclose(mapfile);
return&-1;
/*&push&node&to&correct&list&*/
if&(strcasecmp(itemType,&&checkItem&)&==&0)&{
pair-&next&=&inst-&check_item_
inst-&check_item_map&=&
}&else&if&(strcasecmp(itemType,&&replyItem&)&==&0)&{
pair-&next&=&inst-&reply_item_
inst-&reply_item_map&=&
radlog(L_ERR,&&rlm_ldap:&file&%s:&skipping&line&%i:&unknown&itemType&%s&,&
&&&&&&&filename,&linenumber,&itemType);
free(pair-&attr);
free(pair-&radius_attr);
free(pair);
DEBUG(&rlm_ldap:&LDAP&%s&mapped&to&RADIUS&%s&,
&&&&&&pair-&attr,&pair-&radius_attr);
fclose(mapfile);
return&0;&/*&success&*/
static&int&
perform_search(void&*instance,&LDAP_CONN&*conn,&char&*search_basedn,&int&scope,&char&*filter,&
char&**attrs,&LDAPMessage&**&result)
int&&&&&&&&&&&&&res&=&RLM_MODULE_OK;
ldap_errno&=&0;
ldap_instance&&*inst&=&
search_retry&=&0;
*result&=&NULL;
if&(!conn){
radlog(L_ERR,&&rlm_ldap:&NULL&connection&handle&passed&);
return&RLM_MODULE_FAIL;
if&(conn-&failed_conns&&&MAX_FAILED_CONNS_START){
conn-&failed_conns++;
if&(conn-&failed_conns&&=&MAX_FAILED_CONNS_END){
conn-&failed_conns&=&MAX_FAILED_CONNS_RESTART;
conn-&bound&=&0;
if&(!conn-&bound&||&conn-&ld&==&NULL)&{
DEBUG2(&rlm_ldap:&attempting&LDAP&reconnection&);
if&(conn-&ld){
DEBUG2(&rlm_ldap:&closing&existing&LDAP&connection&);
ldap_unbind_s(conn-&ld);
if&((conn-&ld&=&ldap_connect(instance,&inst-&login,&inst-&password,&0,&&res))&==&NULL)&{
radlog(L_ERR,&&rlm_ldap:&(re)connection&attempt&failed&);
if&(search_retry&==&0)
conn-&failed_conns++;
return&(RLM_MODULE_FAIL);
conn-&bound&=&1;
conn-&failed_conns&=&0;
DEBUG2(&rlm_ldap:&performing&search&in&%s,&with&filter&%s&,&search_basedn&?&search_basedn&:&&(null)&&,&filter);
switch&(ldap_search_st(conn-&ld,&search_basedn,&scope,&filter,&attrs,&0,&&(inst-&timeout),&result))&{
case&LDAP_SUCCESS:
case&LDAP_NO_SUCH_OBJECT:
case&LDAP_SERVER_DOWN:
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&LDAP&connection&lost.&);
conn-&failed_conns++;
if&(search_retry&==&0){
if&(conn-&failed_conns&&=&MAX_FAILED_CONNS_START){
radlog(L_INFO,&&rlm_ldap:&Attempting&reconnect&);
search_retry&=&1;
conn-&bound&=&0;
ldap_msgfree(*result);
ldap_msgfree(*result);
return&RLM_MODULE_FAIL;
case&LDAP_INSUFFICIENT_ACCESS:
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&Insufficient&access.&Check&the&identity&and&password&configuration&directives.&);
ldap_msgfree(*result);
return&RLM_MODULE_FAIL;
case&LDAP_TIMEOUT:
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&Timed&out&while&waiting&for&server&to&respond.&Please&increase&the&timeout.&);
ldap_msgfree(*result);
return&RLM_MODULE_FAIL;
case&LDAP_TIMELIMIT_EXCEEDED:
case&LDAP_BUSY:
case&LDAP_UNAVAILABLE:
/*&We&don't&need&to&reconnect&in&these&cases&so&we&don't&set&conn-&bound&*/
ldap_get_option(conn-&ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&%s&,&ldap_err2string(ldap_errno));
ldap_msgfree(*result);
return&(RLM_MODULE_FAIL);
ldap_get_option(conn-&ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
radlog(L_ERR,&&rlm_ldap:&ldap_search()&failed:&%s&,&ldap_err2string(ldap_errno));
conn-&bound&=&0;
ldap_msgfree(*result);
return&(RLM_MODULE_FAIL);
if&((ldap_count_entries(conn-&ld,&*result))&!=&1)&{
DEBUG(&rlm_ldap:&object¬&found&or&got&ambiguous&search&result&);
res&=&RLM_MODULE_NOTFOUND;
ldap_msgfree(*result);
&* Translate&the&LDAP&queries.
static&int&ldap_escape_func(char&*out,&int&outlen,&const&char&*in)
int&len&=&0;
while&(in[0])&{
&*&&Only&one&byte&left.
if&(outlen&&=&1)&{
if&(strchr(&*&,&*in))&{
&* Else&it's&a&nice&character.
*out&=&'�';
&*&ldap_groupcmp().&Implement&the&Ldap-Group&==&&group&&filter
static&int&ldap_groupcmp(void&*instance,&REQUEST&*req,&VALUE_PAIR&*request,&VALUE_PAIR&*check,
&&&&&&&&&&&&&&&&VALUE_PAIR&*check_pairs,&VALUE_PAIR&**reply_pairs)
&&&&&&&&char&&&&&&&&&&&&filter[MAX_FILTER_STR_LEN];
&&&&&&&&char&&&&&&&&&&&&gr_filter[MAX_FILTER_STR_LEN];
&&&&&&&&int&&&&&&&&&&&&&
&&&&&&&&LDAPMessage&&&&&*result&=&NULL;
&&&&&&&&LDAPMessage&&&&&*msg&=&NULL;
&&&&&&&&char&&&&&&&&&&&&basedn[MAX_FILTER_STR_LEN];
*attrs[]&=&{&dn&,NULL};
&&&&&&&&ldap_instance&&&*inst&=&
*group_attrs[]&=&{inst-&groupmemb_attr,NULL};
LDAP_CONN *
conn_id&=&-1;
VALUE_PAIR *vp_user_
VALUE_PAIR&&&&&&**request_
request_pairs&=&&req-&packet-&
DEBUG(&rlm_ldap:&Entering&ldap_groupcmp()&);
if&(check-&strvalue&==&NULL&||&check-&length&==&0){
&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&Illegal&group&name&);
&&&&&&&&&&&&&&&&return&1;
&&&&&&&&if&(req&==&NULL){
&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&NULL&request&);
&&&&&&&&&&&&&&&&return&1;
&&&&&&&&if&(!radius_xlat(basedn,&sizeof(basedn),&inst-&basedn,&req,&NULL))&{
&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&unable&to&create&basedn.&);
&&&&&&&&&&&&&&&&return&1;
&&&&&&&&while((vp_user_dn&=&pairfind(*request_pairs,&PW_LDAP_USERDN))&==&NULL){
&&&&&&&&&&&&&&&&char&&&&&&&&&&&&*user_dn&=&NULL;
&&&&&&&&&&&&&&&&if&(!radius_xlat(filter,&sizeof(filter),&inst-&filter,
req,&ldap_escape_func)){
&&&&&&&&&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&unable&to&create&filter&);
&&&&&&&&&&&&&&&&&&&&&&&&return&1;
&&&&&&&&&&&&&&&&}
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
&&&&&&&&&&&&&&&&if&((res&=&perform_search(inst,&conn,&basedn,&LDAP_SCOPE_SUBTREE,
filter,&attrs,&&result))&!=&RLM_MODULE_OK){
&&&&&&&&&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&search&failed&);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&&&&&&&&&&&&&&&&&return&1;
&&&&&&&&&&&&&&&&}
&&&&&&&&&&&&&&&&if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL)&{
&&&&&&&&&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&ldap_first_entry()&failed&);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&&&&&&&&&&&&&&&&&ldap_msgfree(result);
&&&&&&&&&&&&&&&&&&&&&&&&return&1;
&&&&&&&&&&&&&&&&}
&&&&&&&&&&&&&&&&if&((user_dn&=&ldap_get_dn(conn-&ld,&msg))&==&NULL)&{
&&&&&&&&&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap:ldap_groupcmp::&ldap_get_dn()&failed&);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&&&&&&&&&&&&&&&&&ldap_msgfree(result);
&&&&&&&&&&&&&&&&&&&&&&&&return&1;
&&&&&&&&&&&&&&&&}
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&&&&&&&&&/*
&&&&&&&&&&&&&&&&*&Adding&new&attribute&containing&DN&for&LDAP&object&associated&with
&&&&&&&&&&&&&&&&*&given&username
&&&&&&&&&&&&&&&&*/
&&&&&&&&&&&&&&&&pairadd(request_pairs,&pairmake(&Ldap-UserDn&,&user_dn,&T_OP_EQ));
&&&&&&&&&&&&&&&&ldap_memfree(user_dn);
&&&&&&&&&&&&&&&&ldap_msgfree(result);
&&&&&&&&if(!radius_xlat(gr_filter,&sizeof(gr_filter),&inst-&groupmemb_filt,&req,&NULL)){
&&&&&&&&&&&&&&&&DEBUG(&rlm_ldap::ldap_groupcmp:&unable&to&create&filter.&);
&&&&&&&&&&&&&&&&return&1;
if&(strchr((char&*)check-&strvalue,',')&!=&NULL)&{
/*&This&looks&like&a&DN&*/
snprintf(filter,sizeof(filter),&&%s&,gr_filter);
snprintf(basedn,sizeof(basedn),&&%s&,(char&*)check-&strvalue);
snprintf(filter,sizeof(filter),&&(&(%s=%s)%s)&,inst-&groupname_attr,(char&*)check-&strvalue,gr_filter);
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
if&((res&=&perform_search(inst,&conn,&basedn,&LDAP_SCOPE_SUBTREE,
filter,&attrs,&&result))&==&RLM_MODULE_OK){
DEBUG(&rlm_ldap::ldap_groupcmp:&User&found&in&group&%s&,
(char&*)check-&strvalue);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&& return&0;
ldap_release_conn(conn_id,inst-&conns);
if&(res&!=&RLM_MODULE_NOTFOUND&)&{
DEBUG(&rlm_ldap::ldap_groupcmp:&Search&returned&error&);
if&(inst-&groupmemb_attr&==&NULL){
/*&search&returned&NOTFOUND&and&searching&for&membership&
&*&using&user&object&attributes&is¬&specified&in&config
DEBUG(&rlm_ldap::ldap_groupcmp:&Group&%s¬&found&or&user&is¬&a&member.&,(char&*)check-&strvalue);
snprintf(filter,sizeof(filter),&&(objectclass=*)&);
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&Add&ldap&connections&are&in&use&);
if&((res&=&perform_search(inst,&conn,&vp_user_dn-&strvalue,&LDAP_SCOPE_BASE,
filter,&group_attrs,&result))&!=&RLM_MODULE_OK){
DEBUG(&rlm_ldap::ldap_groupcmp:&Search&returned&error&);
ldap_release_conn(conn_id,&inst-&conns);
if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL)&{
DEBUG(&rlm_ldap::ldap_groupcmp:&ldap_first_entry()&failed&);
ldap_release_conn(conn_id,inst-&conns);
ldap_msgfree(result);
if&((vals&=&ldap_get_values(conn-&ld,&msg,&inst-&groupmemb_attr))&!=&NULL)&{
unsigned&int&i&=&0;
char&found&=&0;
for&(;i&&&ldap_count_values(vals);i++){
if&(strchr(vals[i],',')&!=&NULL){&
/*&This&looks&like&a&DN&*/
LDAPMessage&*gr_result&=&NULL;
snprintf(filter,sizeof(filter),&&(%s=%s)&,
inst-&groupname_attr,
(char&*)check-&strvalue);
if&((res&=&perform_search(inst,&conn,&vals[i],
LDAP_SCOPE_BASE,&filter,
attrs,&&gr_result))&!=&RLM_MODULE_OK){
if&(res&!=&RLM_MODULE_NOTFOUND){
DEBUG(&rlm_ldap::ldap_groupcmp:&
Search&returned&error&);
ldap_value_free(vals);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
ldap_msgfree(gr_result);
found&=&1;
if&(strcmp(vals[i],(char&*)check-&strvalue)&==&0){
found&=&1;
ldap_value_free(vals);
ldap_msgfree(result);
if&(found&==&0){
DEBUG(&rlm_ldap::groupcmp:&Group&%s¬&found&
or&user¬&a&member&,
(char&*)check-&strvalue);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap::ldap_groupcmp:&ldap_get_values()&failed&);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap::ldap_groupcmp:&User&found&in&group&%s&,(char&*)check-&strvalue);
ldap_release_conn(conn_id,inst-&conns);
&&&&&&&&return&0;
&*&ldap_xlat()
&*&Do&an&xlat&on&an&LDAP&URL
static&int&ldap_xlat(void&*instance,&REQUEST&*request,&char&*fmt,&char&*out,&int&freespace,
RADIUS_ESCAPE_STRING&func)
char&url[MAX_FILTER_STR_LEN];
int&ret&=&0;
ldap_instance&*inst&=&
LDAPURLDesc&*ldap_
LDAPMessage&*result&=&NULL;
LDAPMessage&*msg&=&NULL;
int&conn_id&=&-1;
LDAP_CONN&*
DEBUG(&rlm_ldap:&-&ldap_xlat&);
if&(!radius_xlat(url,&sizeof(url),&fmt,&request,&func))&{
radlog&(L_ERR,&&rlm_ldap:&Unable&to&create&LDAP&URL.n&);
if&(!ldap_is_ldap_url(url)){
radlog&(L_ERR,&&rlm_ldap:&String&passed&does¬&look&like&an&LDAP&URL.n&);
if&(ldap_url_parse(url,&ldap_url)){
radlog&(L_ERR,&&rlm_ldap:&LDAP&URL&parse&failed.n&);
if&(ldap_url-&lud_attrs&==&NULL&||&ldap_url-&lud_attrs[0]&==&NULL&||&
(&ldap_url-&lud_attrs[1]&!=&NULL&||&(&!&strlen(ldap_url-&lud_attrs[0])&||&
!&strcmp(ldap_url-&lud_attrs[0],&*&)&)&)&){
radlog&(L_ERR,&&rlm_ldap:&Invalid&Attribute(s)&request.n&);
ldap_free_urldesc(ldap_url);
if&(ldap_url-&lud_host){
if&(strncmp(inst-&server,ldap_url-&lud_host,strlen(inst-&server))&!=&0&||&
ldap_url-&lud_port&!=&inst-&port){
DEBUG(&rlm_ldap:&Requested&server/port&is¬&known&to&this&module&instance.&);
ldap_free_urldesc(ldap_url);
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
ldap_free_urldesc(ldap_url);
if&((res&=&perform_search(inst,&conn,&ldap_url-&lud_dn,&ldap_url-&lud_scope,&ldap_url-&lud_filter,&ldap_url-&lud_attrs,&&result))&!=&RLM_MODULE_OK){
if&(res&==&RLM_MODULE_NOTFOUND){
DEBUG(&rlm_ldap:&Search&returned¬&found&);
ldap_free_urldesc(ldap_url);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap:&Search&returned&error&);
ldap_free_urldesc(ldap_url);
ldap_release_conn(conn_id,inst-&conns);
if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL){
DEBUG(&rlm_ldap:&ldap_first_entry()&failed&);
ldap_msgfree(result);
ldap_free_urldesc(ldap_url);
ldap_release_conn(conn_id,inst-&conns);
if&((vals&=&ldap_get_values(conn-&ld,&msg,&ldap_url-&lud_attrs[0]))&!=&NULL)&{
ret&=&strlen(vals[0]);
if&(ret&&&freespace){
DEBUG(&rlm_ldap:&Insufficient&string&space&);
ldap_free_urldesc(ldap_url);
ldap_value_free(vals);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap:&Adding&attribute&%s,&value:&%s&,ldap_url-&lud_attrs[0],vals[0]);
strncpy(out,vals[0],ret);
ldap_value_free(vals);
ldap_msgfree(result);
ldap_free_urldesc(ldap_url);
ldap_release_conn(conn_id,inst-&conns);
DEBUG(&rlm_ldap:&-&ldap_xlat&end&);
/******************************************************************************
&*&&&&&&Function:&rlm_ldap_authorize
&*&&&&&&Purpose:&Check&if&user&is&authorized&for&remote&access
&******************************************************************************/
static&int&
ldap_authorize(void&*instance,&REQUEST&*&request)
LDAPMessage *result&=&NULL;
LDAPMessage *msg&=&NULL;
LDAPMessage *def_msg&=&NULL;
LDAPMessage *def_attr_msg&=&NULL;
LDAPMessage *def_result&=&NULL;
LDAPMessage *def_attr_result&=&NULL;
ldap_instance *inst&=&
*user_dn&=&NULL;
filter[MAX_FILTER_STR_LEN];
basedn[MAX_FILTER_STR_LEN];
VALUE_PAIR *check_
VALUE_PAIR *reply_
VALUE_PAIR **check_pairs,&**reply_
VALUE_PAIR&&&&&&*module_fmsg_
VALUE_PAIR *user_
char&&&&&&&&&&&&module_fmsg[MAX_STRING_LEN];
LDAP_CONN *
conn_id&=&-1;
DEBUG(&rlm_ldap:&-&authorize&);
if&(!request-&username){
radlog(L_AUTH,&&rlm_ldap:&Attribute&&User-Name&&is&required&for&authentication.n&);
return&RLM_MODULE_INVALID;
check_pairs&=&&request-&config_
reply_pairs&=&&request-&reply-&
&*&Check&for&valid&input,&zero&length&names¬&permitted
if&(request-&username-&strvalue&==&0)&{
radlog(L_ERR,&&rlm_ldap:&zero&length&username¬&permittedn&);
return&RLM_MODULE_INVALID;
DEBUG(&rlm_ldap:&performing&user&authorization&for&%s&,
&&&&&&&request-&username-&strvalue);
if&(!radius_xlat(filter,&sizeof(filter),&inst-&filter,
&request,&ldap_escape_func))&{
radlog&(L_ERR,&&rlm_ldap:&unable&to&create&filter.n&);
return&RLM_MODULE_INVALID;
if&(!radius_xlat(basedn,&sizeof(basedn),&inst-&basedn,
&request,&NULL))&{
radlog&(L_ERR,&&rlm_ldap:&unable&to&create&basedn.n&);
return&RLM_MODULE_INVALID;
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
return&RLM_MODULE_FAIL;
if&((res&=&perform_search(instance,&conn,&basedn,&LDAP_SCOPE_SUBTREE,&filter,&inst-&atts,&&result))&!=&RLM_MODULE_OK)&{
DEBUG(&rlm_ldap:&search&failed&);
if&(res&==&RLM_MODULE_NOTFOUND){
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&User¬&found&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_release_conn(conn_id,inst-&conns);
return&(res);
if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL)&{
DEBUG(&rlm_ldap:&ldap_first_entry()&failed&);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
if&((user_dn&=&ldap_get_dn(conn-&ld,&msg))&==&NULL)&{
DEBUG(&rlm_ldap:&ldap_get_dn()&failed&);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
&*&Adding&new&attribute&containing&DN&for&LDAP&object&associated&with
&*&given&username
pairadd(&request-&packet-&vps,&pairmake(&Ldap-UserDn&,&user_dn,&T_OP_EQ));
ldap_memfree(user_dn);
/*&Remote&access&is&controled&by&attribute&of&the&user&object&*/
if&(inst-&access_attr)&{
if&((vals&=&ldap_get_values(conn-&ld,&msg,&inst-&access_attr))&!=&NULL)&{
if&(inst-&default_allow){
DEBUG(&rlm_ldap:&checking&if&remote&access&for&%s&is&allowed&by&%s&,&request-&username-&strvalue,&inst-&access_attr);
if&(!strncmp(vals[0],&&FALSE&,&5))&{
DEBUG(&rlm_ldap:&dialup&access&disabled&);
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Access&Attribute&denies&access&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_msgfree(result);
ldap_value_free(vals);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_USERLOCK;
ldap_value_free(vals);
DEBUG(&rlm_ldap:&%s&attribute&exists&-&access&denied&by&default&,&inst-&access_attr);
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Access&Attribute&denies&access&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_msgfree(result);
ldap_value_free(vals);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_USERLOCK;
if&(inst-&default_allow){
DEBUG(&rlm_ldap:&no&%s&attribute&-&access&denied&by&default&,&inst-&access_attr);
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Access&Attribute&denies&access&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_USERLOCK;
&*&Check&for&the&default&profile&entry.&If&it&exists&then&add&the&
&*&attributes&it&contains&in&the&check&and&reply&pairs
user_profile&=&pairfind(request-&config_items,&PW_USER_PROFILE);
if&(inst-&default_profile&||&user_profile){
char&*profile&=&inst-&default_
strNcpy(filter,&(objectclass=radiusprofile)&,sizeof(filter));
if&(user_profile)
profile&=&user_profile-&
if&(profile&&&&strlen(profile)){
if&((res&=&perform_search(instance,&conn,
profile,&LDAP_SCOPE_BASE,&
filter,&inst-&atts,&&def_result))&==&RLM_MODULE_OK){
if&((def_msg&=&ldap_first_entry(conn-&ld,def_result))){
if&((check_tmp&=&ldap_pairget(conn-&ld,def_msg,inst-&check_item_map,check_pairs,1)))&{
/*pairadd(check_pairs,check_tmp);*/
pairxlatmove(request,&check_pairs,&&check_tmp);
pairfree(&check_tmp);
if&((reply_tmp&=&ldap_pairget(conn-&ld,def_msg,inst-&reply_item_map,reply_pairs,0)))&{
/*pairadd(reply_pairs,reply_tmp);*/
pairxlatmove(request,&reply_pairs,&&reply_tmp);
pairfree(&reply_tmp);
ldap_msgfree(def_result);
DEBUG(&rlm_ldap:&default_profile/user-profile&search&failed&);
&*&Check&for&the&profile&attribute.&If&it&exists,&we&assume&that&it&
&*&contains&the&DN&of&an&entry&containg&a&profile&for&the&user.&That
&*&way&we&can&have&different&general&profiles&for&various&user&groups
&*&(students,faculty,staff&etc)
if&(inst-&profile_attr){
if&((vals&=&ldap_get_values(conn-&ld,&msg,&inst-&profile_attr))&!=&NULL)&{
unsigned&int&i=0;
strNcpy(filter,&(objectclass=radiusprofile)&,sizeof(filter));
while(vals[i]&!=&NULL&&&&strlen(vals[i])){
if&((res&=&perform_search(instance,&conn,
vals[i],&LDAP_SCOPE_BASE,&
filter,&inst-&atts,&&def_attr_result))&==&RLM_MODULE_OK){
if&((def_attr_msg&=&ldap_first_entry(conn-&ld,def_attr_result))){
if&((check_tmp&=&ldap_pairget(conn-&ld,def_attr_msg,inst-&check_item_map,check_pairs,1)))&{
/*pairadd(check_pairs,check_tmp);*/
pairxlatmove(request,&check_pairs,&&check_tmp);
pairfree(&check_tmp);
if&((reply_tmp&=&ldap_pairget(conn-&ld,def_attr_msg,inst-&reply_item_map,reply_pairs,0)))&{
/*pairadd(reply_pairs,reply_tmp);*/
pairxlatmove(request,&reply_pairs,&&reply_tmp);
pairfree(&reply_tmp);
ldap_msgfree(def_attr_result);
DEBUG(&rlm_ldap:&profile_attribute&search&failed&);
ldap_value_free(vals);
if&(inst-&passwd_attr&&&&strlen(inst-&passwd_attr)){
VALUE_PAIR&*passwd_
if&((passwd_item&=&pairfind(request-&config_items,&PW_PASSWORD))&==&NULL){
char&**passwd_
char&*passwd_val&=&NULL;
int&passwd_
if&((passwd_vals&=&ldap_get_values(conn-&ld,msg,inst-&passwd_attr))&!=&NULL){
unsigned&int&i=0;
while(passwd_vals[i]&!=&NULL){
if&(strlen(passwd_vals[i])){
passwd_val&=&passwd_vals[i];
if&(inst-&passwd_hdr&&&&strlen(inst-&passwd_hdr)){
passwd_val&=&strstr(passwd_val,inst-&passwd_hdr);
if&(passwd_val&!=&NULL)
passwd_val&+=&strlen(inst-&passwd_hdr);
DEBUG(&rlm_ldap:&Password&header¬&found&in&password&%s&for&user&%s&,&passwd_vals[0],request-&username-&strvalue);
if&(passwd_val){
if&((passwd_item&=&paircreate(PW_PASSWORD,PW_TYPE_STRING))&==&NULL){
radlog(L_ERR|L_CONS,&&no&memory&);
ldap_value_free(passwd_vals);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
passwd_len&=&strlen(passwd_val);
strncpy(passwd_item-&strvalue,passwd_val,MAX_STRING_LEN&-&1);
passwd_item-&length&=&(passwd_len&&&(MAX_STRING_LEN&-&1))&?&(MAX_STRING_LEN&-&1)&:&passwd_
pairadd(&request-&config_items,passwd_item);
DEBUG(&rlm_ldap:&Added&password&%s&in&check&items&,passwd_item-&strvalue);
ldap_value_free(passwd_vals);
DEBUG(&rlm_ldap:&looking&for&check&items&in&directory...&);
if&((check_tmp&=&ldap_pairget(conn-&ld,&msg,&inst-&check_item_map,check_pairs,1))&!=&NULL)&{
/*pairadd(check_pairs,check_tmp);*/
pairxlatmove(request,&check_pairs,&&check_tmp);
pairfree(&check_tmp);
DEBUG(&rlm_ldap:&looking&for&reply&items&in&directory...&);
if&((reply_tmp&=&ldap_pairget(conn-&ld,&msg,&inst-&reply_item_map,reply_pairs,0))&!=&NULL)&{
/*pairadd(reply_pairs,reply_tmp);*/
pairxlatmove(request,&reply_pairs,&&reply_tmp);
pairfree(&reply_tmp);
&&&&&&&if&(inst-&do_comp&&&&paircmp(request,request-&packet-&vps,*check_pairs,reply_pairs)&!=&0){
DEBUG(&rlm_ldap:&Pairs&do¬&match.&Rejecting&user.&);
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Pairs&do¬&match&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_REJECT;
& &*&Module&should&default&to&LDAP&authentication&if&no&Auth-Type
&*&specified
if&(pairfind(*check_pairs,&PW_AUTHTYPE)&==&NULL)
pairadd(check_pairs,&pairmake(&Auth-Type&,&&LDAP&,&T_OP_EQ));
DEBUG(&rlm_ldap:&user&%s&authorized&to&use&remote&access&,
&&&&&&request-&username-&strvalue);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_OK;
/*****************************************************************************
&* Function:&rlm_ldap_authenticate
&* Purpose:&Check&the&user's&password&against&ldap&database
&*****************************************************************************/
static&int&
ldap_authenticate(void&*instance,&REQUEST&*&request)
LDAP&&&&&&&&&&&*ld_
LDAPMessage&&&&*result,&*
ldap_instance&&*inst&=&
char&&&&&&&&&&&*user_dn,&*attrs[]&=&{&uid&,&NULL};
filter[MAX_FILTER_STR_LEN];
basedn[MAX_FILTER_STR_LEN];
int&&&&&&&&&&&&&
VALUE_PAIR&&&&&*vp_user_
VALUE_PAIR&&&&&&*module_fmsg_
char&&&&&&&&&&&&module_fmsg[MAX_STRING_LEN];
LDAP_CONN *
conn_id&=&-1;
DEBUG(&rlm_ldap:&-&authenticate&);
&*&Ensure&that&we're&being&passed&a&plain-text&password,&and¬
&*&anything&else.
if&(!request-&username)&{
radlog(L_AUTH,&&rlm_ldap:&Attribute&&User-Name&&is&required&for&authentication.n&);
return&RLM_MODULE_INVALID;
if&(!request-&password){
radlog(L_AUTH,&&rlm_ldap:&Attribute&&User-Password&&is&required&for&authentication.&);
return&RLM_MODULE_INVALID;
if(request-&password-&attribute&!=&PW_PASSWORD)&{
radlog(L_AUTH,&&rlm_ldap:&Attribute&&User-Password&&is&required&for&authentication.&Cannot&use&&%s&.&,&request-&password-&name);
return&RLM_MODULE_INVALID;
if&(request-&password-&length&==&0)&{
radlog(L_ERR,&&rlm_ldap:&empty&password&supplied&);
return&RLM_MODULE_INVALID;
&*&Check&that&we&don't&have&any&failed&connections.&If&we&do&there's&no&real&need
&*&of&runing.&Also&give&it&another&chance&if&we&have&a&lot&of&failed&connections.
if&(inst-&failed_conns&&&MAX_FAILED_CONNS_END)
inst-&failed_conns&=&0;
if&(inst-&failed_conns&&&MAX_FAILED_CONNS_START){
inst-&failed_conns++;
return&RLM_MODULE_FAIL;
DEBUG(&rlm_ldap:&login&attempt&by&&%s&&with&password&&%s&&,&
&&&&&&&request-&username-&strvalue,&request-&password-&strvalue);
while((vp_user_dn&=&pairfind(request-&packet-&vps,&PW_LDAP_USERDN))&==&NULL)&{
if&(!radius_xlat(filter,&sizeof(filter),&inst-&filter,
request,&NULL))&{
radlog&(L_ERR,&&rlm_ldap:&unable&to&create&filter.n&);&
return&RLM_MODULE_INVALID;
if&(!radius_xlat(basedn,&sizeof(basedn),&inst-&basedn,
request,&NULL))&{
radlog&(L_ERR,&&rlm_ldap:&unable&to&create&basedn.n&);
return&RLM_MODULE_INVALID;
if&((conn_id&=&ldap_get_conn(inst-&conns,&conn,inst))&==&-1){
radlog(L_ERR,&&rlm_ldap:&All&ldap&connections&are&in&use&);
return&RLM_MODULE_FAIL;
if&((res&=&perform_search(instance,&conn,&basedn,&LDAP_SCOPE_SUBTREE,&filter,&attrs,&&result))&!=&RLM_MODULE_OK)&{
if&(res&==&RLM_MODULE_NOTFOUND){
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&User¬&found&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
ldap_release_conn(conn_id,inst-&conns);
return&(res);
if&((msg&=&ldap_first_entry(conn-&ld,&result))&==&NULL)&{
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
if&((user_dn&=&ldap_get_dn(conn-&ld,&msg))&==&NULL)&{
DEBUG(&rlm_ldap:&ldap_get_dn()&failed&);
ldap_msgfree(result);
ldap_release_conn(conn_id,inst-&conns);
return&RLM_MODULE_FAIL;
ldap_release_conn(conn_id,inst-&conns);
pairadd(&request-&packet-&vps,&pairmake(&Ldap-UserDn&,&user_dn,&T_OP_EQ));
ldap_memfree(user_dn);
ldap_msgfree(result);
user_dn&=&vp_user_dn-&
DEBUG(&rlm_ldap:&user&DN:&%s&,&user_dn);
ld_user&=&ldap_connect(instance,&user_dn,&request-&password-&strvalue,
&&&&&&&1,&&res);
if&(ld_user&==&NULL){
if&(res&==&RLM_MODULE_REJECT){
inst-&failed_conns&=&0;
snprintf(module_fmsg,sizeof(module_fmsg),&rlm_ldap:&Bind&as&user&failed&);
module_fmsg_vp&=&pairmake(&Module-Failure-Message&,&module_fmsg,&T_OP_EQ);
pairadd(&request-&packet-&vps,&module_fmsg_vp);
if&(res&==&RLM_MODULE_FAIL){
DEBUG(&rlm_ldap:&ldap_connect()&failed&);
inst-&failed_conns++;
return&(res);
DEBUG(&rlm_ldap:&user&%s&authenticated&succesfully&,
&&&&&&request-&username-&strvalue);
ldap_unbind_s(ld_user);
inst-&failed_conns&=&0;
return&RLM_MODULE_OK;
static&LDAP&&&&*
ldap_connect(void&*instance,&const&char&*dn,&const&char&*password,&int&auth,&int&*result)
ldap_instance&&*inst&=&
LDAP&&&&&&&&&&&*ld&=&NULL;
int&&&&&&&&&&&&&msgid,&rc,&ldap_
ldap_errno&=&0;
LDAPMessage&&&&*
if&(inst-&is_url){
#ifdef&HAVE_LDAP_INITIALIZE
DEBUG(&rlm_ldap:&(re)connect&to&%s,&authentication&%d&,&inst-&server,&auth);
if&(ldap_initialize(&ld,&inst-&server)&!=&LDAP_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&ldap_initialize()&failed&);
*result&=&RLM_MODULE_FAIL;
return&(NULL);
DEBUG(&rlm_ldap:&(re)connect&to&%s:%d,&authentication&%d&,&inst-&server,&inst-&port,&auth);
if&((ld&=&ldap_init(inst-&server,&inst-&port))&==&NULL)&{
radlog(L_ERR,&&rlm_ldap:&ldap_init()&failed&);
*result&=&RLM_MODULE_FAIL;
return&(NULL);
if&(ldap_set_option(ld,&LDAP_OPT_NETWORK_TIMEOUT,&(void&*)&&(inst-&net_timeout))&!=&LDAP_OPT_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&Could¬&set&LDAP_OPT_NETWORK_TIMEOUT&%ld.%ld&,&inst-&net_timeout.tv_sec,&inst-&net_timeout.tv_usec);
if&(ldap_set_option(ld,&LDAP_OPT_TIMELIMIT,&(void&*)&&(inst-&timelimit))&!=&LDAP_OPT_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&Could¬&set&LDAP_OPT_TIMELIMIT&%d&,&inst-&timelimit);
if&(inst-&ldap_debug&&&&ldap_set_option(NULL,&LDAP_OPT_DEBUG_LEVEL,&&(inst-&ldap_debug))&!=&LDAP_OPT_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&Could¬&set&LDAP_OPT_DEBUG_LEVEL&%d&,&inst-&ldap_debug);
ldap_version&=&LDAP_VERSION3;
if&(ldap_set_option(ld,&LDAP_OPT_PROTOCOL_VERSION,&&ldap_version)&!=&LDAP_OPT_SUCCESS)&{
radlog(L_ERR,&&rlm_ldap:&Could¬&set&LDAP&version&to&V3&);
#ifdef&HAVE_LDAP_START_TLS
&&&&&&&&if(inst-&tls_mode)&{
DEBUG(&rlm_ldap:&setting&TLS&mode&to&%d&,&inst-&tls_mode);
&&&&&&&& if(ldap_set_option(ld,&LDAP_OPT_X_TLS,
&& &&&&&&&&&&&(void&*)&&(inst-&tls_mode))&!=&LDAP_OPT_SUCCESS)&{
ldap_get_option(ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
radlog(L_ERR,&&rlm_ldap:&could¬&set&LDAP_OPT_X_TLS&option&%s&,&ldap_err2string(ldap_errno));
if&(inst-&start_tls)&{
DEBUG(&rlm_ldap:&starting&TLS&);
rc&=&ldap_start_tls_s(ld,&NULL,&NULL);
if&(rc&!=&LDAP_SUCCESS)&{
DEBUG(&rlm_ldap:&ldap_start_tls_s()&);
ldap_get_option(ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
radlog(L_ERR,&&rlm_ldap:&could¬&start&TLS&%s&,&ldap_err2string(ldap_errno));
*result&=&RLM_MODULE_FAIL;
ldap_unbind_s(ld);
return&(NULL);
#endif&/*&HAVE_LDAP_START_TLS&*/
if&(inst-&is_url){
DEBUG(&rlm_ldap:&bind&as&%s/%s&to&%s&,&dn,&password,&inst-&server);
DEBUG(&rlm_ldap:&bind&as&%s/%s&to&%s:%d&,&dn,&password,&inst-&server,&inst-&port);
msgid&=&ldap_bind(ld,&dn,&password,LDAP_AUTH_SIMPLE);
if&(msgid&==&-1)&{
ldap_get_option(ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
if&(inst-&is_url)
radlog(L_ERR,&&rlm_ldap:&%s&bind&to&%s&failed:&%s&,
& dn,&inst-&server,&ldap_err2string(ldap_errno));
radlog(L_ERR,&&rlm_ldap:&%s&bind&to&%s:%d&failed:&%s&,
& dn,&inst-&server,&inst-&port,
& ldap_err2string(ldap_errno));
*result&=&RLM_MODULE_FAIL;
ldap_unbind_s(ld);
return&(NULL);
DEBUG(&rlm_ldap:&waiting&for&bind&result&...&);
rc&=&ldap_result(ld,&msgid,&1,&&(inst-&timeout),&&res);
if(rc&&&1)&{
DEBUG(&rlm_ldap:&ldap_result()&);
ldap_get_option(ld,&LDAP_OPT_ERROR_NUMBER,&&ldap_errno);
if&(inst-&is_url)
radlog(L_ERR,&&rlm_ldap:&%s&bind&to&%s&failed:&%s&,
dn,&inst-&server,&(rc&==&0)&?&&timeout&&:&ldap_err2string(ldap_errno));
radlog(L_ERR,&&rlm_ldap:&%s&bind&to&%s:%d&failed:&%s&,
dn,&inst-&server,&inst-&port,
(rc&==&0)&?&&timeout&&:&ldap_err2string(ldap_errno));
*result&=&RLM_MODULE_FAIL;
ldap_unbind_s(ld);
return&(NULL);
ldap_errno&=&ldap_result2error(ld,&res,&1);
switch&(ldap_errno)&{
case&LDAP_SUCCESS:
*result&=&RLM_MODULE_OK;
case&LDAP_INVALID_CREDENTIALS:
if&(auth)&
*result&=&RLM_MODULE_REJECT;
radlog(L_ERR,&&rlm_ldap:&LDAP&login&failed:&check&login,&password&settings&in&ldap§ion&of&radiusd.conf&);
*result&=&RLM_MODULE_FAIL;
if&(inst-&is_url)
radlog(L_ERR,&rlm_ldap:&%s&bind&to&%s&failed&%s&,
dn,&inst-&server,&ldap_err2string(ldap_errno));
radlog(L_ERR,&rlm_ldap:&%s&bind&to&%s:%d&failed&%s&,
dn,&inst-&server,&inst-&port,
ldap_err2string(ldap_errno));
*result&=&RLM_MODULE_FAIL;
if&(*result&!=&RLM_MODULE_OK)&{
ldap_unbind_s(ld);
ld&=&NULL;
/*****************************************************************************
&* Detach&from&the&LDAP&server&and&cleanup&internal&state.
&*****************************************************************************/
static&int&
ldap_detach(void&*instance)
ldap_instance&&*inst&=&
TLDAP_RADIUS&*pair,&*
if&(inst-&server)
free((char&*)&inst-&server);
if&(inst-&login)
free((char&*)&inst-&login);
if&(inst-&password)
free((char&*)&inst-&password);
if&(inst-&basedn)
free((char&*)&inst-&basedn);
if&(inst-&dictionary_mapping)
free(inst-&dictionary_mapping);
if&(inst-&filter)
free((char&*)&inst-&filter);
if&(inst-&passwd_hdr)
free((char&*)&inst-&passwd_hdr);
if&(inst-&passwd_attr)
free((char&*)&inst-&passwd_attr);
if&(inst-&groupname_attr)
free((char&*)&inst-&groupname_attr);
if&(inst-&groupmemb_filt)
free((char&*)&inst-&groupmemb_filt);
if&(inst-&groupmemb_attr)
free((char&*)&inst-&groupmemb_attr);
if&(inst-&access_attr)
free((char&*)&inst-&access_attr);
if&(inst-&profile_attr)
free((char&*)&inst-&profile_attr);
if&(inst-&conns){
for(;i&inst-&num_i++){
if&(inst-&conns[i].ld){
ldap_unbind_s(inst-&conns[i].ld);
pthread_mutex_destroy(&inst-&conns[i].mutex);
free(inst-&conns);
pair&=&inst-&check_item_
while&(pair&!=&NULL)&{
nextpair&=&pair-&
free(pair-&attr);
free(pair-&radius_attr);
free(pair);
pair&=&inst-&reply_item_
while&(pair&!=&NULL)&{
nextpair&=&pair-&
free(pair-&attr);
free(pair-&radius_attr);
free(pair);
if&(inst-&atts)
free(inst-&atts);
paircompare_unregister(PW_LDAP_GROUP,&ldap_groupcmp);
xlat_unregister(inst-&xlat_name,ldap_xlat);
free(inst-&xlat_name);
free(inst);
#ifdef&FIELDCPY
static&void&
fieldcpy(char&*string,&char&**uptr)
char&&&&&&&&&&&*
while&(*ptr&==&'&'&||&*ptr&==&'t')&{
if&(*ptr&==&'&')&{
while&(*ptr&!=&'&'&&&&*ptr&!=&'�'&&&&*ptr&!=&'n')&{
*string++&=&*ptr++;
*string&=&'�';
if&(*ptr&==&'&')&{
while&(*ptr&!=&'&'&&&&*ptr&!=&'t'&&&&*ptr&!=&'�'&&&&*ptr&!=&'n'&&&
&&&&&&&*ptr&!=&'='&&&&*ptr&!=&',')&{
*string++&=&*ptr++;
*string&=&'�';
/*****************************************************************************
&* Get&RADIUS&attributes&from&LDAP&object
&* (&according&to&draft-adoba-radius-05.txt
&* &&&http://www.ietf.org/internet-drafts/draft-adoba-radius-05.txt&&)
&*****************************************************************************/
static&VALUE_PAIR&*
ldap_pairget(LDAP&*&ld,&LDAPMessage&*&entry,
&&&&&TLDAP_RADIUS&*&item_map,&VALUE_PAIR&**pairs,char&is_check)
char&&&&&&&&&&**
int&&&&&&&&&&&&&vals_
int&&&&&&&&&&&&&vals_
char&&&&&&&&&&&*
TLDAP_RADIUS&&&*
LRAD_TOKEN&&&&&&
int&&&&&&&&&&&&&is_generic_
char&&&&&&&&&&&&value[256];
VALUE_PAIR&&&&&*pairlist&=&NULL;
VALUE_PAIR&&&&&*newpair&=&NULL;
/*&check&if&there&is&a&mapping&from&this&LDAP&attribute&to&a&RADIUS&attribute&*/
for&(element&=&item_&element&!=&NULL;&element&=&element-&next)&{
if&((vals&=&ldap_get_values(ld,entry,element-&attr))&!=&NULL){
/*&check&whether&this&is&a&one-to-one-mapped&ldap&attribute&or&a&generic
&&&attribute&and&set&flag&accordingly&*/
if&(strcasecmp(element-&radius_attr,&GENERIC_ATTRIBUTE_ID)==0)
is_generic_attribute&=&1;
is_generic_attribute&=&0;
/*&find&out&how&many&values&there&are&for&the&attribute&and&extract&all&of&them&*/
vals_count&=&ldap_count_values(vals);
for&(vals_idx&=&0;&vals_idx&&&vals_&vals_idx++)&{
ptr&=&vals[vals_idx];
if&(is_generic_attribute)&{
/*&this&is&a&generic&attribute&*/
LRAD_TOKEN&&/*&makes&pairread&happy&*/
/*¬&sure&if&using&pairread&here&is&ok&...&*/
if&(&(newpair&=&pairread(&ptr,&&dummy))&!=&NULL)&{
DEBUG(&rlm_ldap:&extracted&attribute&%s&from&generic&item&%s&,&
&&&&&&newpair-&name,&vals[vals_idx]);
pairadd(&pairlist,&newpair);
radlog(L_ERR,&&rlm_ldap:&parsing&%s&failed:&%s&,&
&&&&&&&element-&attr,&vals[vals_idx]);
/*&this&is&a&one-to-one-mapped&attribute&*/
token&=&gettoken(&ptr,&value,&sizeof(value)&-&1);
if&(token&&&T_EQSTART&||&token&&&T_EQEND)&{
token&=&(is_check)&?&T_OP_CMP_EQ&:&T_OP_EQ;
gettoken(&ptr,&value,&sizeof(value)&-&1);
if&(value[0]&==&0)&{
DEBUG(&rlm_ldap:&Attribute&%s&has&no&value&,&element-&attr);
DEBUG(&rlm_ldap:&Adding&%s&as&%s,&value&%s&&&op=%d&,&element-&attr,&element-&radius_attr,&value,&token);
if&((newpair&=&pairmake(element-&radius_attr,&value,&token))&==&NULL)
if&(!&vals_idx){
pairdelete(pairs,newpair-&attribute);
pairadd(&pairlist,&newpair);
ldap_value_free(vals);
return&(pairlist);
/*&globally&exported&name&*/
module_t&&&&&&&&rlm_ldap&=&{
RLM_TYPE_THREAD_SAFE, /*&type:&reserved& &*/
/*&initialization& &*/
ldap_instantiate, /*&instantiation& &*/
ldap_authenticate, /*&authentication& &*/
ldap_authorize,
/*&authorization& &*/
/*&preaccounting& &*/
/*&accounting&
/*&checksimul&
/*&pre-proxy&
/*&post-proxy&
/*&post-auth&
ldap_detach,
/*&detach&
/*&destroy&
CopyRight &
verySource.Com All Rights reserved. 京公网安备:88}
我要回帖
更多关于 安卓手游脚本辅助制作 的文章
- ·剑网3安卓手游脚本辅助制作有辅助或者脚本吗?
- ·QQ飞车大话西游手游脚本辅助免root辅助脚本如何下载的?
- ·请问QQ华夏安卓手游脚本辅助制作辅‏助脚‏本挂‏机在哪儿?了‏解过么?
- ·恋与制作人手游这样一个手游要多少钱
- ·呆呆打僵尸龙之谷手游坐骑呆呆鹿辅助脚本在哪儿找?知道吗?
- ·有留意过桃源乡安卓手游脚本辅助制作辅助脚本没?
- ·部落与弯刀梦幻西游手游70级弯刀辅助脚本在哪能下载到?
- ·君临之境安卓手游脚本辅助制作辅助脚本怎么下载的?
- ·剑与火之旅天龙八部手游辅助脚本本究竟行不行?听听各位的建议。
- ·有关注过天天驯兽师天龙八部手游辅助脚本本的没?
- ·战争工厂梦幻西游手游辅助脚本本哪儿找?做过了解吗?
- ·以妖怪之名问道手游辅助脚本本是在哪儿找到的?
- ·轮回绝大话西游手游脚本辅助辅助脚本了解过吗?
- ·请问轮回诀手游电脑版辅助绝手游辅助脚本如何找?哪儿有?
- ·以妖怪之名大话西游手游脚本辅助辅助脚本是在哪儿找到的?
- ·狩游世界手游辅助脚本平台如何下载?有清楚的吗?
- ·请问普通不过的世界剑侠情缘2手游官网正版辅助脚本在哪儿找?
- ·远征剑侠情缘2手游官网正版辅助脚本在哪儿找?
- ·反斗海战手游辅助脚本平台可以用吗?希望大家能帮忙介绍。
- ·我的起源梦幻西游手游脚本辅助辅助脚本了解过多少?
- ·安卓手游脚本辅助制作9.0手游辅助脚本有谁使用过?了解过吗?
更多推荐
- ·Redmi红米k70pro能开多少帧部分游戏不支持插帧吗?
- ·草蛉卵怎么处理的特点 草蛉卵怎么处理百度百科
- ·DNPDL7A00DYG这个苹果手机D开头的序列号是什么版本的苹果12是国行的吗?
- ·xeva怎么创建虚拟男友的APP里面的克隆人会主动发消息给你吗?
- ·陕西西安市红色教育基地一览表文化有哪些
- ·学2017全国传统武术比赛的孩子不参加比赛,看看孩子都错过了哪些
- ·吃鸡游戏突然没声音了每过几秒就会突然卡一秒,有时she甚至会直接游戏崩溃
- ·全民共进提现安全吗养猪出最新版了,可以提现?
- ·苍穹战线手游官网辅助脚本挂机在哪儿?知道吗?
- ·王者荣耀貂蝉和诸葛亮:貂蝉与诸葛亮谁是最强法师
- ·A3满开剧团问道手游挂机辅助软件辅助脚本挂机在哪儿能下载?
- ·s8排位赛什么时候开始刚开始玩,为什么对方那么弱,六分钟杀
- ·669坑人游戏>小学生歇后语大全全
- ·药师佛手拿塔药剂师是什么意思思
- ·崩坏3舰团人气怎么得2升3级人气资金各是多少
- ·有没有跟我一样的困惑,天梭力洛克表冠冠经常拉出
- ·苍之纪元什么时候公测手游辅助脚本挂机好找吗?去哪儿找?
- ·英雄战飘流幻境手游辅助助脚本挂机谁在用?在哪儿可以找到的?
- ·求教,鱼怪物猎人世界钓鱼竿钓竿好不好,评价
- ·英雄杀怎么卡过关斩将将积分怎么算的
- ·请问QQ华夏安卓手游脚本辅助制作辅‏助脚‏本挂‏机在哪儿?了‏解过么?
- ·剑之初的秘藏猎人受害者玩法怎么玩?,如获得宝藏点数
- ·ps4 pro现在多少钱ps4一台多少钱
- ·群雄霸三国是slg实时争霸 国战 领主类小说游戏吗?
- ·A3大话手游北俱挂机辅助辅助脚本挂机在哪能下载到?
- ·为什么cf手游新年广场bug里新年
- ·仙域探险王称号纪玄天神将称号战力有多少?
- ·qq炫舞手游名字怎么改名字 改名卡多少钱怎么得
- ·至尊天剑龙之谷特殊技能纹章有什么特殊用处?
- ·至尊风云楚楚芙蓉仙子技能的技能能哪些?
- ·用游戏加加,加载了一下绝地求生加载不进游戏,那东西会不会把我steam号盗了?那软件正规吗
- ·急需要桃源乡大话西游手游挂机辅助辅助脚本挂机,在哪儿找好?下载麻烦吗
- ·广州哪里有信誉好的ps4港版哪里买片片ps4买
- ·制造金装口袋妖怪复刻合金爆裂获得了吗
- ·王者荣耀后期最强射手里面最强射手是谁图片
- ·4g内存可以玩gta5吗吗
