1/* lastbind.c - Record timestamp of the last successful bind to entries */
2/* $OpenLDAP$ */
3/*
4 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
9 * Public License.
10 *
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
14 */
15/* ACKNOWLEDGEMENTS:
16 * This work is loosely derived from the ppolicy overlay.
17 */
18
19#include "portable.h"
20
21/*
22 * This file implements an overlay that stores the timestamp of the
23 * last successful bind operation in a directory entry.
24 *
25 * Optimization: to avoid performing a write on each bind,
26 * a precision for this timestamp may be configured, causing it to
27 * only be updated if it is older than a given number of seconds.
28 */
29
30#ifdef SLAPD_OVER_LASTBIND
31
32#include <ldap.h>
33#include "lutil.h"
34#include "slap.h"
35#include <ac/errno.h>
36#include <ac/time.h>
37#include <ac/string.h>
38#include <ac/ctype.h>
39#include "config.h"
40
41/* Per-instance configuration information */
42typedef struct lastbind_info {
43	/* precision to update timestamp in authTimestamp attribute */
44	int timestamp_precision;
45} lastbind_info;
46
47/* Operational attributes */
48static AttributeDescription *ad_authTimestamp;
49
50/* This is the definition used by ISODE, as supplied to us in
51 * ITS#6238 Followup #9
52 */
53static struct schema_info {
54	char *def;
55	AttributeDescription **ad;
56} lastBind_OpSchema[] = {
57	{	"( 1.3.6.1.4.1.453.16.2.188 "
58		"NAME 'authTimestamp' "
59		"DESC 'last successful authentication using any method/mech' "
60		"EQUALITY generalizedTimeMatch "
61		"ORDERING generalizedTimeOrderingMatch "
62		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
63		"SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
64		&ad_authTimestamp},
65	{ NULL, NULL }
66};
67
68/* configuration attribute and objectclass */
69static ConfigTable lastbindcfg[] = {
70	{ "lastbind-precision", "seconds", 2, 2, 0,
71	  ARG_INT|ARG_OFFSET,
72	  (void *)offsetof(lastbind_info, timestamp_precision),
73	  "( OLcfgAt:5.1 "
74	  "NAME 'olcLastBindPrecision' "
75	  "DESC 'Precision of authTimestamp attribute' "
76	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
77	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
78};
79
80static ConfigOCs lastbindocs[] = {
81	{ "( OLcfgOc:5.1 "
82	  "NAME 'olcLastBindConfig' "
83	  "DESC 'Last Bind configuration' "
84	  "SUP olcOverlayConfig "
85	  "MAY ( olcLastBindPrecision ) )",
86	  Cft_Overlay, lastbindcfg, NULL, NULL },
87	{ NULL, 0, NULL }
88};
89
90static time_t
91parse_time( char *atm )
92{
93	struct lutil_tm tm;
94	struct lutil_timet tt;
95	time_t ret = (time_t)-1;
96
97	if ( lutil_parsetime( atm, &tm ) == 0) {
98		lutil_tm2time( &tm, &tt );
99		ret = tt.tt_sec;
100	}
101	return ret;
102}
103
104static int
105lastbind_bind_response( Operation *op, SlapReply *rs )
106{
107	Modifications *mod = NULL;
108	BackendInfo *bi = op->o_bd->bd_info;
109	Entry *e;
110	int rc;
111
112	/* we're only interested if the bind was successful */
113	if ( rs->sr_err != LDAP_SUCCESS )
114		return SLAP_CB_CONTINUE;
115
116	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
117	op->o_bd->bd_info = bi;
118
119	if ( rc != LDAP_SUCCESS ) {
120		return SLAP_CB_CONTINUE;
121	}
122
123	{
124		lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
125
126		time_t now, bindtime = (time_t)-1;
127		Attribute *a;
128		Modifications *m;
129		char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
130		struct berval timestamp;
131
132		/* get the current time */
133		now = slap_get_time();
134
135		/* get authTimestamp attribute, if it exists */
136		if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) {
137			bindtime = parse_time( a->a_nvals[0].bv_val );
138
139			if (bindtime != (time_t)-1) {
140				/* if the recorded bind time is within our precision, we're done
141				 * it doesn't need to be updated (save a write for nothing) */
142				if ((now - bindtime) < lbi->timestamp_precision) {
143					goto done;
144				}
145			}
146		}
147
148		/* update the authTimestamp in the user's entry with the current time */
149		timestamp.bv_val = nowstr;
150		timestamp.bv_len = sizeof(nowstr);
151		slap_timestamp( &now, &timestamp );
152
153		m = ch_calloc( sizeof(Modifications), 1 );
154		m->sml_op = LDAP_MOD_REPLACE;
155		m->sml_flags = 0;
156		m->sml_type = ad_authTimestamp->ad_cname;
157		m->sml_desc = ad_authTimestamp;
158		m->sml_numvals = 1;
159		m->sml_values = ch_calloc( sizeof(struct berval), 2 );
160		m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
161
162		ber_dupbv( &m->sml_values[0], &timestamp );
163		ber_dupbv( &m->sml_nvalues[0], &timestamp );
164		m->sml_next = mod;
165		mod = m;
166	}
167
168done:
169	be_entry_release_r( op, e );
170
171	/* perform the update, if necessary */
172	if ( mod ) {
173		Operation op2 = *op;
174		SlapReply r2 = { REP_RESULT };
175		slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
176
177		/* This is a DSA-specific opattr, it never gets replicated. */
178		op2.o_tag = LDAP_REQ_MODIFY;
179		op2.o_callback = &cb;
180		op2.orm_modlist = mod;
181		op2.o_dn = op->o_bd->be_rootdn;
182		op2.o_ndn = op->o_bd->be_rootndn;
183		op2.o_dont_replicate = 1;
184		rc = op->o_bd->be_modify( &op2, &r2 );
185		slap_mods_free( mod, 1 );
186	}
187
188	op->o_bd->bd_info = bi;
189	return SLAP_CB_CONTINUE;
190}
191
192static int
193lastbind_bind( Operation *op, SlapReply *rs )
194{
195	slap_callback *cb;
196	slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
197
198	/* setup a callback to intercept result of this bind operation
199	 * and pass along the lastbind_info struct */
200	cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx );
201	cb->sc_response = lastbind_bind_response;
202	cb->sc_next = op->o_callback->sc_next;
203	cb->sc_private = on->on_bi.bi_private;
204	op->o_callback->sc_next = cb;
205
206	return SLAP_CB_CONTINUE;
207}
208
209static int
210lastbind_db_init(
211	BackendDB *be,
212	ConfigReply *cr
213)
214{
215	slap_overinst *on = (slap_overinst *) be->bd_info;
216
217	/* initialize private structure to store configuration */
218	on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) );
219
220	return 0;
221}
222
223static int
224lastbind_db_close(
225	BackendDB *be,
226	ConfigReply *cr
227)
228{
229	slap_overinst *on = (slap_overinst *) be->bd_info;
230	lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private;
231
232	/* free private structure to store configuration */
233	free( lbi );
234
235	return 0;
236}
237
238static slap_overinst lastbind;
239
240int lastbind_initialize()
241{
242	int i, code;
243
244	/* register operational schema for this overlay (authTimestamp attribute) */
245	for (i=0; lastBind_OpSchema[i].def; i++) {
246		code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 );
247		if ( code ) {
248			Debug( LDAP_DEBUG_ANY,
249				"lastbind_initialize: register_at failed\n", 0, 0, 0 );
250			return code;
251		}
252	}
253
254	ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE;
255
256	lastbind.on_bi.bi_type = "lastbind";
257	lastbind.on_bi.bi_db_init = lastbind_db_init;
258	lastbind.on_bi.bi_db_close = lastbind_db_close;
259	lastbind.on_bi.bi_op_bind = lastbind_bind;
260
261	/* register configuration directives */
262	lastbind.on_bi.bi_cf_ocs = lastbindocs;
263	code = config_register_schema( lastbindcfg, lastbindocs );
264	if ( code ) return code;
265
266	return overlay_register( &lastbind );
267}
268
269#if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC
270int init_module(int argc, char *argv[]) {
271	return lastbind_initialize();
272}
273#endif
274
275#endif	/* defined(SLAPD_OVER_LASTBIND) */
276