1/* Licensed to the Apache Software Foundation (ASF) under one or more 2 * contributor license agreements. See the NOTICE file distributed with 3 * this work for additional information regarding copyright ownership. 4 * The ASF licenses this file to You under the Apache License, Version 2.0 5 * (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/** 18 * @file util_ldap.h 19 * @brief Apache LDAP library 20 */ 21 22#ifndef UTIL_LDAP_H 23#define UTIL_LDAP_H 24 25/* APR header files */ 26#include "apr.h" 27#include "apr_thread_mutex.h" 28#include "apr_thread_rwlock.h" 29#include "apr_tables.h" 30#include "apr_time.h" 31#include "apr_version.h" 32#if APR_MAJOR_VERSION < 2 33/* The LDAP API is currently only present in APR 1.x */ 34#include "apr_ldap.h" 35#include "apr_ldap_rebind.h" 36#else 37#define APR_HAS_LDAP 0 38#endif 39 40#if APR_HAS_SHARED_MEMORY 41#include "apr_rmm.h" 42#include "apr_shm.h" 43#endif 44 45/* this whole thing disappears if LDAP is not enabled */ 46#if APR_HAS_LDAP 47 48#if defined(LDAP_UNAVAILABLE) || APR_HAS_MICROSOFT_LDAPSDK 49#define AP_LDAP_IS_SERVER_DOWN(s) ((s) == LDAP_SERVER_DOWN \ 50 ||(s) == LDAP_UNAVAILABLE) 51#else 52#define AP_LDAP_IS_SERVER_DOWN(s) ((s) == LDAP_SERVER_DOWN) 53#endif 54 55/* Apache header files */ 56#include "ap_config.h" 57#include "httpd.h" 58#include "http_config.h" 59#include "http_core.h" 60#include "http_log.h" 61#include "http_protocol.h" 62#include "http_request.h" 63#include "apr_optional.h" 64 65/* Create a set of LDAP_DECLARE macros with appropriate export 66 * and import tags for the platform 67 */ 68#if !defined(WIN32) 69#define LDAP_DECLARE(type) type 70#define LDAP_DECLARE_NONSTD(type) type 71#define LDAP_DECLARE_DATA 72#elif defined(LDAP_DECLARE_STATIC) 73#define LDAP_DECLARE(type) type __stdcall 74#define LDAP_DECLARE_NONSTD(type) type 75#define LDAP_DECLARE_DATA 76#elif defined(LDAP_DECLARE_EXPORT) 77#define LDAP_DECLARE(type) __declspec(dllexport) type __stdcall 78#define LDAP_DECLARE_NONSTD(type) __declspec(dllexport) type 79#define LDAP_DECLARE_DATA __declspec(dllexport) 80#else 81#define LDAP_DECLARE(type) __declspec(dllimport) type __stdcall 82#define LDAP_DECLARE_NONSTD(type) __declspec(dllimport) type 83#define LDAP_DECLARE_DATA __declspec(dllimport) 84#endif 85 86#if APR_HAS_MICROSOFT_LDAPSDK 87#define timeval l_timeval 88#endif 89 90#ifdef __cplusplus 91extern "C" { 92#endif 93 94/* 95 * LDAP Connections 96 */ 97 98/* Values that the deref member can have */ 99typedef enum { 100 never=LDAP_DEREF_NEVER, 101 searching=LDAP_DEREF_SEARCHING, 102 finding=LDAP_DEREF_FINDING, 103 always=LDAP_DEREF_ALWAYS 104} deref_options; 105 106/* Structure representing an LDAP connection */ 107typedef struct util_ldap_connection_t { 108 LDAP *ldap; 109 apr_pool_t *pool; /* Pool from which this connection is created */ 110#if APR_HAS_THREADS 111 apr_thread_mutex_t *lock; /* Lock to indicate this connection is in use */ 112#endif 113 114 const char *host; /* Name of the LDAP server (or space separated list) */ 115 int port; /* Port of the LDAP server */ 116 deref_options deref; /* how to handle alias dereferening */ 117 118 const char *binddn; /* DN to bind to server (can be NULL) */ 119 const char *bindpw; /* Password to bind to server (can be NULL) */ 120 121 int bound; /* Flag to indicate whether this connection is bound yet */ 122 123 int secure; /* SSL/TLS mode of the connection */ 124 apr_array_header_t *client_certs; /* Client certificates on this connection */ 125 126 const char *reason; /* Reason for an error failure */ 127 128 struct util_ldap_connection_t *next; 129 struct util_ldap_state_t *st; /* The LDAP vhost config this connection belongs to */ 130 int keep; /* Will this connection be kept when it's unlocked */ 131 132 int ChaseReferrals; /* [on|off] (default = AP_LDAP_CHASEREFERRALS_ON)*/ 133 int ReferralHopLimit; /* # of referral hops to follow (default = AP_LDAP_DEFAULT_HOPLIMIT) */ 134 apr_time_t freed; /* the time this conn was placed back in the pool */ 135 apr_pool_t *rebind_pool; /* frequently cleared pool for rebind data */ 136} util_ldap_connection_t; 137 138typedef struct util_ldap_config_t { 139 int ChaseReferrals; 140 int ReferralHopLimit; 141 apr_array_header_t *client_certs; /* Client certificates */ 142} util_ldap_config_t; 143 144/* LDAP cache state information */ 145typedef struct util_ldap_state_t { 146 apr_pool_t *pool; /* pool from which this state is allocated */ 147#if APR_HAS_THREADS 148 apr_thread_mutex_t *mutex; /* mutex lock for the connection list */ 149#endif 150 apr_global_mutex_t *util_ldap_cache_lock; 151 152 apr_size_t cache_bytes; /* Size (in bytes) of shared memory cache */ 153 char *cache_file; /* filename for shm */ 154 long search_cache_ttl; /* TTL for search cache */ 155 long search_cache_size; /* Size (in entries) of search cache */ 156 long compare_cache_ttl; /* TTL for compare cache */ 157 long compare_cache_size; /* Size (in entries) of compare cache */ 158 159 struct util_ldap_connection_t *connections; 160 apr_array_header_t *global_certs; /* Global CA certificates */ 161 int ssl_supported; 162 int secure; 163 int secure_set; 164 int verify_svr_cert; 165 166#if APR_HAS_SHARED_MEMORY 167 apr_shm_t *cache_shm; 168 apr_rmm_t *cache_rmm; 169#endif 170 171 /* cache ald */ 172 void *util_ldap_cache; 173 174 long connectionTimeout; 175 struct timeval *opTimeout; 176 177 int debug_level; /* SDK debug level */ 178 apr_interval_time_t connection_pool_ttl; 179 int retries; /* number of retries for failed bind/search/compare */ 180 apr_interval_time_t retry_delay; /* delay between retries of failed bind/search/compare */ 181} util_ldap_state_t; 182 183/* Used to store arrays of attribute labels/values. */ 184struct mod_auth_ldap_groupattr_entry_t { 185 char *name; 186}; 187 188/** 189 * Open a connection to an LDAP server 190 * @param ldc A structure containing the expanded details of the server 191 * to connect to. The handle to the LDAP connection is returned 192 * as ldc->ldap. 193 * @tip This function connects to the LDAP server and binds. It does not 194 * connect if already connected (ldc->ldap != NULL). Does not bind 195 * if already bound. 196 * @return If successful LDAP_SUCCESS is returned. 197 * @fn int util_ldap_connection_open(request_rec *r, 198 * util_ldap_connection_t *ldc) 199 */ 200APR_DECLARE_OPTIONAL_FN(int,uldap_connection_open,(request_rec *r, 201 util_ldap_connection_t *ldc)); 202 203/** 204 * Close a connection to an LDAP server 205 * @param ldc A structure containing the expanded details of the server 206 * that was connected. 207 * @tip This function unbinds from the LDAP server, and clears ldc->ldap. 208 * It is possible to rebind to this server again using the same ldc 209 * structure, using apr_ldap_open_connection(). 210 * @fn util_ldap_close_connection(util_ldap_connection_t *ldc) 211 */ 212APR_DECLARE_OPTIONAL_FN(void,uldap_connection_close,(util_ldap_connection_t *ldc)); 213 214/** 215 * Unbind a connection to an LDAP server 216 * @param ldc A structure containing the expanded details of the server 217 * that was connected. 218 * @tip This function unbinds the LDAP connection, and disconnects from 219 * the server. It is used during error conditions, to bring the LDAP 220 * connection back to a known state. 221 * @fn apr_status_t util_ldap_connection_unbind(util_ldap_connection_t *ldc) 222 */ 223APR_DECLARE_OPTIONAL_FN(apr_status_t,uldap_connection_unbind,(void *param)); 224 225/** 226 * Find a connection in a list of connections 227 * @param r The request record 228 * @param host The hostname to connect to (multiple hosts space separated) 229 * @param port The port to connect to 230 * @param binddn The DN to bind with 231 * @param bindpw The password to bind with 232 * @param deref The dereferencing behavior 233 * @param secure use SSL on the connection 234 * @tip Once a connection is found and returned, a lock will be acquired to 235 * lock that particular connection, so that another thread does not try and 236 * use this connection while it is busy. Once you are finished with a connection, 237 * apr_ldap_connection_close() must be called to release this connection. 238 * @fn util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port, 239 * const char *binddn, const char *bindpw, deref_options deref, 240 * int netscapessl, int starttls) 241 */ 242APR_DECLARE_OPTIONAL_FN(util_ldap_connection_t *,uldap_connection_find,(request_rec *r, const char *host, int port, 243 const char *binddn, const char *bindpw, deref_options deref, 244 int secure)); 245 246/** 247 * Compare two DNs for sameness 248 * @param r The request record 249 * @param ldc The LDAP connection being used. 250 * @param url The URL of the LDAP connection - used for deciding which cache to use. 251 * @param dn The first DN to compare. 252 * @param reqdn The DN to compare the first DN to. 253 * @param compare_dn_on_server Flag to determine whether the DNs should be checked using 254 * LDAP calls or with a direct string comparision. A direct 255 * string comparison is faster, but not as accurate - false 256 * negative comparisons are possible. 257 * @tip Two DNs can be equal and still fail a string comparison. Eg "dc=example,dc=com" 258 * and "dc=example, dc=com". Use the compare_dn_on_server unless there are serious 259 * performance issues. 260 * @fn int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc, 261 * const char *url, const char *dn, const char *reqdn, 262 * int compare_dn_on_server) 263 */ 264APR_DECLARE_OPTIONAL_FN(int,uldap_cache_comparedn,(request_rec *r, util_ldap_connection_t *ldc, 265 const char *url, const char *dn, const char *reqdn, 266 int compare_dn_on_server)); 267 268/** 269 * A generic LDAP compare function 270 * @param r The request record 271 * @param ldc The LDAP connection being used. 272 * @param url The URL of the LDAP connection - used for deciding which cache to use. 273 * @param dn The DN of the object in which we do the compare. 274 * @param attrib The attribute within the object we are comparing for. 275 * @param value The value of the attribute we are trying to compare for. 276 * @tip Use this function to determine whether an attribute/value pair exists within an 277 * object. Typically this would be used to determine LDAP top-level group 278 * membership. 279 * @fn int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc, 280 * const char *url, const char *dn, const char *attrib, const char *value) 281 */ 282APR_DECLARE_OPTIONAL_FN(int,uldap_cache_compare,(request_rec *r, util_ldap_connection_t *ldc, 283 const char *url, const char *dn, const char *attrib, const char *value)); 284 285/** 286 * An LDAP function that checks if the specified user is a member of a subgroup. 287 * @param r The request record 288 * @param ldc The LDAP connection being used. 289 * @param url The URL of the LDAP connection - used for deciding which cache to use. 290 * @param dn The DN of the object in which we find subgroups to search within. 291 * @param attrib The attribute within group objects that identify users. 292 * @param value The user attribute value we are trying to compare for. 293 * @param subgroupAttrs The attributes within group objects that identify subgroups. 294 * Array of strings. 295 * @param subgroupclasses The objectClass values used to identify groups (and 296 * subgroups). apr_array_header_t *. 297 * @param cur_subgroup_depth Current recursive depth during subgroup processing. 298 * @param max_subgroup_depth Maximum depth of recursion allowed during subgroup 299 * processing. 300 * @tip Use this function to determine whether an attribute/value pair exists within a 301 * starting group object or one of its nested subgroups. Typically this would be 302 * used to determine LDAP nested group membership. 303 * @deffunc int util_ldap_cache_check_subgroups(request_rec *r, util_ldap_connection_t 304 * *ldc, const char *url, const char *dn, 305 * const char *attrib, const char value, 306 * char **subgroupAttrs, apr_array_header_t 307 * *subgroupclasses, int cur_subgroup_depth, int 308 * max_subgroup_depth ) 309 */ 310APR_DECLARE_OPTIONAL_FN(int,uldap_cache_check_subgroups,(request_rec *r, util_ldap_connection_t *ldc, 311 const char *url, const char *dn, const char *attrib, const char *value, 312 char **subgroupAttrs, apr_array_header_t *subgroupclasses, 313 int cur_subgroup_depth, int max_subgroup_depth)); 314 315/** 316 * Checks a username/password combination by binding to the LDAP server 317 * @param r The request record 318 * @param ldc The LDAP connection being used. 319 * @param url The URL of the LDAP connection - used for deciding which cache to use. 320 * @param basedn The Base DN to search for the user in. 321 * @param scope LDAP scope of the search. 322 * @param attrs LDAP attributes to return in search. 323 * @param filter The user to search for in the form of an LDAP filter. This filter must return 324 * exactly one user for the check to be successful. 325 * @param bindpw The user password to bind as. 326 * @param binddn The DN of the user will be returned in this variable. 327 * @param retvals The values corresponding to the attributes requested in the attrs array. 328 * @tip The filter supplied will be searched for. If a single entry is returned, an attempt 329 * is made to bind as that user. If this bind succeeds, the user is not validated. 330 * @fn int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc, 331 * char *url, const char *basedn, int scope, char **attrs, 332 * char *filter, char *bindpw, char **binddn, char ***retvals) 333 */ 334APR_DECLARE_OPTIONAL_FN(int,uldap_cache_checkuserid,(request_rec *r, util_ldap_connection_t *ldc, 335 const char *url, const char *basedn, int scope, char **attrs, 336 const char *filter, const char *bindpw, const char **binddn, const char ***retvals)); 337 338/** 339 * Searches for a specified user object in an LDAP directory 340 * @param r The request record 341 * @param ldc The LDAP connection being used. 342 * @param url The URL of the LDAP connection - used for deciding which cache to use. 343 * @param basedn The Base DN to search for the user in. 344 * @param scope LDAP scope of the search. 345 * @param attrs LDAP attributes to return in search. 346 * @param filter The user to search for in the form of an LDAP filter. This filter must return 347 * exactly one user for the check to be successful. 348 * @param binddn The DN of the user will be returned in this variable. 349 * @param retvals The values corresponding to the attributes requested in the attrs array. 350 * @tip The filter supplied will be searched for. If a single entry is returned, an attempt 351 * is made to bind as that user. If this bind succeeds, the user is not validated. 352 * @fn int util_ldap_cache_getuserdn(request_rec *r, util_ldap_connection_t *ldc, 353 * char *url, const char *basedn, int scope, char **attrs, 354 * char *filter, char **binddn, char ***retvals) 355 */ 356APR_DECLARE_OPTIONAL_FN(int,uldap_cache_getuserdn,(request_rec *r, util_ldap_connection_t *ldc, 357 const char *url, const char *basedn, int scope, char **attrs, 358 const char *filter, const char **binddn, const char ***retvals)); 359 360/** 361 * Checks if SSL support is available in mod_ldap 362 * @fn int util_ldap_ssl_supported(request_rec *r) 363 */ 364APR_DECLARE_OPTIONAL_FN(int,uldap_ssl_supported,(request_rec *r)); 365 366/* from apr_ldap_cache.c */ 367 368/** 369 * Init the LDAP cache 370 * @param pool The pool to use to initialise the cache 371 * @param reqsize The size of the shared memory segment to request. A size 372 * of zero requests the max size possible from 373 * apr_shmem_init() 374 * @fn void util_ldap_cache_init(apr_pool_t *p, util_ldap_state_t *st) 375 * @return The status code returned is the status code of the 376 * apr_smmem_init() call. Regardless of the status, the cache 377 * will be set up at least for in-process or in-thread operation. 378 */ 379apr_status_t util_ldap_cache_init(apr_pool_t *pool, util_ldap_state_t *st); 380 381/* from apr_ldap_cache_mgr.c */ 382 383/** 384 * Display formatted stats for cache 385 * @param The pool to allocate the returned string from 386 * @tip This function returns a string allocated from the provided pool that describes 387 * various stats about the cache. 388 * @fn char *util_ald_cache_display(apr_pool_t *pool, util_ldap_state_t *st) 389 */ 390char *util_ald_cache_display(request_rec *r, util_ldap_state_t *st); 391#ifdef __cplusplus 392} 393#endif 394#endif /* APR_HAS_LDAP */ 395#endif /* UTIL_LDAP_H */ 396