1/* lastbind.c - Record timestamp of the last successful bind to entries */ 2/* $OpenLDAP$ */ 3/* 4 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted only as authorized by the OpenLDAP 9 * Public License. 10 * 11 * A copy of this license is available in the file LICENSE in the 12 * top-level directory of the distribution or, alternatively, at 13 * <http://www.OpenLDAP.org/license.html>. 14 */ 15/* ACKNOWLEDGEMENTS: 16 * This work is loosely derived from the ppolicy overlay. 17 */ 18 19#include "portable.h" 20 21/* 22 * This file implements an overlay that stores the timestamp of the 23 * last successful bind operation in a directory entry. 24 * 25 * Optimization: to avoid performing a write on each bind, 26 * a precision for this timestamp may be configured, causing it to 27 * only be updated if it is older than a given number of seconds. 28 */ 29 30#ifdef SLAPD_OVER_LASTBIND 31 32#include <ldap.h> 33#include "lutil.h" 34#include "slap.h" 35#include <ac/errno.h> 36#include <ac/time.h> 37#include <ac/string.h> 38#include <ac/ctype.h> 39#include "config.h" 40 41/* Per-instance configuration information */ 42typedef struct lastbind_info { 43 /* precision to update timestamp in authTimestamp attribute */ 44 int timestamp_precision; 45} lastbind_info; 46 47/* Operational attributes */ 48static AttributeDescription *ad_authTimestamp; 49 50/* This is the definition used by ISODE, as supplied to us in 51 * ITS#6238 Followup #9 52 */ 53static struct schema_info { 54 char *def; 55 AttributeDescription **ad; 56} lastBind_OpSchema[] = { 57 { "( 1.3.6.1.4.1.453.16.2.188 " 58 "NAME 'authTimestamp' " 59 "DESC 'last successful authentication using any method/mech' " 60 "EQUALITY generalizedTimeMatch " 61 "ORDERING generalizedTimeOrderingMatch " 62 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 " 63 "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )", 64 &ad_authTimestamp}, 65 { NULL, NULL } 66}; 67 68/* configuration attribute and objectclass */ 69static ConfigTable lastbindcfg[] = { 70 { "lastbind-precision", "seconds", 2, 2, 0, 71 ARG_INT|ARG_OFFSET, 72 (void *)offsetof(lastbind_info, timestamp_precision), 73 "( OLcfgAt:5.1 " 74 "NAME 'olcLastBindPrecision' " 75 "DESC 'Precision of authTimestamp attribute' " 76 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, 77 { NULL, NULL, 0, 0, 0, ARG_IGNORED } 78}; 79 80static ConfigOCs lastbindocs[] = { 81 { "( OLcfgOc:5.1 " 82 "NAME 'olcLastBindConfig' " 83 "DESC 'Last Bind configuration' " 84 "SUP olcOverlayConfig " 85 "MAY ( olcLastBindPrecision ) )", 86 Cft_Overlay, lastbindcfg, NULL, NULL }, 87 { NULL, 0, NULL } 88}; 89 90static time_t 91parse_time( char *atm ) 92{ 93 struct lutil_tm tm; 94 struct lutil_timet tt; 95 time_t ret = (time_t)-1; 96 97 if ( lutil_parsetime( atm, &tm ) == 0) { 98 lutil_tm2time( &tm, &tt ); 99 ret = tt.tt_sec; 100 } 101 return ret; 102} 103 104static int 105lastbind_bind_response( Operation *op, SlapReply *rs ) 106{ 107 Modifications *mod = NULL; 108 BackendInfo *bi = op->o_bd->bd_info; 109 Entry *e; 110 int rc; 111 112 /* we're only interested if the bind was successful */ 113 if ( rs->sr_err != LDAP_SUCCESS ) 114 return SLAP_CB_CONTINUE; 115 116 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); 117 op->o_bd->bd_info = bi; 118 119 if ( rc != LDAP_SUCCESS ) { 120 return SLAP_CB_CONTINUE; 121 } 122 123 { 124 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private; 125 126 time_t now, bindtime = (time_t)-1; 127 Attribute *a; 128 Modifications *m; 129 char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ]; 130 struct berval timestamp; 131 132 /* get the current time */ 133 now = slap_get_time(); 134 135 /* get authTimestamp attribute, if it exists */ 136 if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) { 137 bindtime = parse_time( a->a_nvals[0].bv_val ); 138 139 if (bindtime != (time_t)-1) { 140 /* if the recorded bind time is within our precision, we're done 141 * it doesn't need to be updated (save a write for nothing) */ 142 if ((now - bindtime) < lbi->timestamp_precision) { 143 goto done; 144 } 145 } 146 } 147 148 /* update the authTimestamp in the user's entry with the current time */ 149 timestamp.bv_val = nowstr; 150 timestamp.bv_len = sizeof(nowstr); 151 slap_timestamp( &now, ×tamp ); 152 153 m = ch_calloc( sizeof(Modifications), 1 ); 154 m->sml_op = LDAP_MOD_REPLACE; 155 m->sml_flags = 0; 156 m->sml_type = ad_authTimestamp->ad_cname; 157 m->sml_desc = ad_authTimestamp; 158 m->sml_numvals = 1; 159 m->sml_values = ch_calloc( sizeof(struct berval), 2 ); 160 m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 ); 161 162 ber_dupbv( &m->sml_values[0], ×tamp ); 163 ber_dupbv( &m->sml_nvalues[0], ×tamp ); 164 m->sml_next = mod; 165 mod = m; 166 } 167 168done: 169 be_entry_release_r( op, e ); 170 171 /* perform the update, if necessary */ 172 if ( mod ) { 173 Operation op2 = *op; 174 SlapReply r2 = { REP_RESULT }; 175 slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; 176 177 /* This is a DSA-specific opattr, it never gets replicated. */ 178 op2.o_tag = LDAP_REQ_MODIFY; 179 op2.o_callback = &cb; 180 op2.orm_modlist = mod; 181 op2.o_dn = op->o_bd->be_rootdn; 182 op2.o_ndn = op->o_bd->be_rootndn; 183 op2.o_dont_replicate = 1; 184 rc = op->o_bd->be_modify( &op2, &r2 ); 185 slap_mods_free( mod, 1 ); 186 } 187 188 op->o_bd->bd_info = bi; 189 return SLAP_CB_CONTINUE; 190} 191 192static int 193lastbind_bind( Operation *op, SlapReply *rs ) 194{ 195 slap_callback *cb; 196 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; 197 198 /* setup a callback to intercept result of this bind operation 199 * and pass along the lastbind_info struct */ 200 cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx ); 201 cb->sc_response = lastbind_bind_response; 202 cb->sc_next = op->o_callback->sc_next; 203 cb->sc_private = on->on_bi.bi_private; 204 op->o_callback->sc_next = cb; 205 206 return SLAP_CB_CONTINUE; 207} 208 209static int 210lastbind_db_init( 211 BackendDB *be, 212 ConfigReply *cr 213) 214{ 215 slap_overinst *on = (slap_overinst *) be->bd_info; 216 217 /* initialize private structure to store configuration */ 218 on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) ); 219 220 return 0; 221} 222 223static int 224lastbind_db_close( 225 BackendDB *be, 226 ConfigReply *cr 227) 228{ 229 slap_overinst *on = (slap_overinst *) be->bd_info; 230 lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private; 231 232 /* free private structure to store configuration */ 233 free( lbi ); 234 235 return 0; 236} 237 238static slap_overinst lastbind; 239 240int lastbind_initialize() 241{ 242 int i, code; 243 244 /* register operational schema for this overlay (authTimestamp attribute) */ 245 for (i=0; lastBind_OpSchema[i].def; i++) { 246 code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 ); 247 if ( code ) { 248 Debug( LDAP_DEBUG_ANY, 249 "lastbind_initialize: register_at failed\n", 0, 0, 0 ); 250 return code; 251 } 252 } 253 254 ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE; 255 256 lastbind.on_bi.bi_type = "lastbind"; 257 lastbind.on_bi.bi_db_init = lastbind_db_init; 258 lastbind.on_bi.bi_db_close = lastbind_db_close; 259 lastbind.on_bi.bi_op_bind = lastbind_bind; 260 261 /* register configuration directives */ 262 lastbind.on_bi.bi_cf_ocs = lastbindocs; 263 code = config_register_schema( lastbindcfg, lastbindocs ); 264 if ( code ) return code; 265 266 return overlay_register( &lastbind ); 267} 268 269#if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC 270int init_module(int argc, char *argv[]) { 271 return lastbind_initialize(); 272} 273#endif 274 275#endif /* defined(SLAPD_OVER_LASTBIND) */ 276