/* $OpenBSD: ldapd.h,v 1.17 2010/07/10 14:27:15 martinh Exp $ */

/*
 * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Shared declarations for ldapd: on-disk/config structures, the per-connection
 * and per-search state kept by the LDAP engine, the imsg message types used
 * between the daemon's processes, and the prototypes exported by each .c file.
 *
 * NOTE(review): the guard name _LDAPD_H (underscore + uppercase) is in the
 * identifier space the C standard reserves for the implementation; harmless
 * in practice and consistent with the surrounding tree, but worth knowing.
 */
#ifndef _LDAPD_H
#define _LDAPD_H

#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/tree.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/param.h>

#include <event.h>
#include <imsg.h>
#include <limits.h>
#include <pwd.h>
#include <stdarg.h>

#include "aldap.h"
#include "schema.h"
#include "btree.h"

/* Compiled-in defaults: config file, unprivileged user, control socket,
 * database directory and the standard LDAP / LDAPS ports. */
#define CONFFILE		"/etc/ldapd.conf"
#define LDAPD_USER		"_ldapd"
#define LDAPD_SOCKET		"/var/run/ldapd.sock"
#define DATADIR			"/var/db/ldap"
#define LDAP_PORT		389
#define LDAPS_PORT		636
#define LDAPD_SESSION_TIMEOUT	30	/* unit not visible here; presumably seconds */
#define MAX_LISTEN		64	/* presumably the listen(2) backlog - confirm */

/* Transport-security flags. struct listener.flags is documented below as
 * holding F_STARTTLS or F_LDAPS; F_SSL tests for either. */
#define F_STARTTLS		0x01
#define F_LDAPS			0x02
#define F_SSL			(F_LDAPS|F_STARTTLS)

/* NOTE(review): F_SECURE is not referenced by any field comment in this
 * header; it presumably marks a connection whose TLS session is established
 * (struct conn.s_flags) - confirm in ssl.c before relying on it. */
#define F_SECURE		0x04

/* Flag for struct ssl.flags / the u_int8_t argument of ssl_load_certfile().
 * Same numeric value as F_STARTTLS but a different field - never mix them. */
#define F_SCERT			0x01

struct conn;

/*
 * One access-control entry.  type says whether the entry allows or denies,
 * rights is a bitmask of ACI_* operations, and scope/attribute/target/
 * subject/filter narrow what it applies to.  Entries are evaluated by
 * authorized() (auth.c) against the per-namespace and global acl lists.
 */
struct aci {
	SIMPLEQ_ENTRY(aci)	 entry;
#define ACI_DENY		0
#define ACI_ALLOW		1
	int			 type;
#define ACI_READ		0x01
#define ACI_WRITE		0x02
#define ACI_COMPARE		0x04
#define ACI_CREATE		0x08
#define ACI_BIND		0x10
#define ACI_ALL			0x1F	/* union of the five bits above */
	int			 rights;
	enum scope		 scope;		/* base, onelevel or subtree */
	char			*attribute;
	char			*target;
	char			*subject;
	char			*filter;
};
SIMPLEQ_HEAD(acl, aci);

/* An LDAP request.
 */
struct request {
	TAILQ_ENTRY(request)	 next;
	unsigned long		 type;		/* protocol-op tag; exact encoding not visible here */
	long long		 msgid;		/* client-chosen message id, echoed in the result */
	struct ber_element	*root;		/* whole decoded LDAPMessage */
	struct ber_element	*op;		/* the protocol-op element inside root */
	struct conn		*conn;		/* connection the request arrived on */
	int			 replayed;	/* true if replayed request */
};
TAILQ_HEAD(request_queue, request);

/*
 * Index kinds an attribute can be configured with.  INDEX_EQUAL and
 * INDEX_APPROX deliberately share the value 1: approximate matching is
 * served from the equality index.  INDEX_SUBSTR is therefore 2 and
 * INDEX_PRESENCE 3.
 */
enum index_type {
	INDEX_NONE,
	INDEX_EQUAL = 1,
	INDEX_APPROX = 1,
	INDEX_SUBSTR,
	INDEX_PRESENCE
};

/* One "index <attr> <type>" configuration entry of a namespace. */
struct attr_index {
	TAILQ_ENTRY(attr_index)	 next;
	char			*attr;
	enum index_type		 type;
};
TAILQ_HEAD(attr_index_list, attr_index);

/* A referral URL returned to clients for DNs this server does not hold. */
struct referral {
	SLIST_ENTRY(referral)	 next;
	char			*url;
};
SLIST_HEAD(referrals, referral);

/*
 * A configured naming context (suffix) together with its two btree databases
 * (entries in data_db, index keys in indx_db), the transactions currently
 * open on them, queued requests and the per-namespace ACL.
 *
 * rootpw is the credential read from the configuration; whether it is stored
 * hashed or in clear is not visible in this header - check parse.y/auth.c.
 */
struct namespace {
	TAILQ_ENTRY(namespace)	 next;
	char			*suffix;
	struct referrals	 referrals;
	char			*rootdn;
	char			*rootpw;
	char			*data_path;
	char			*indx_path;
	struct btree		*data_db;
	struct btree		*indx_db;
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	int			 sync;		/* 1 = fsync after commit */
	struct attr_index_list	 indices;
	unsigned int		 cache_size;
	unsigned int		 index_cache_size;
	struct request_queue	 request_queue;	/* requests waiting for a txn */
	struct event		 ev_queue;	/* timer that drains request_queue */
	unsigned int		 queued_requests;
	struct acl		 acl;
	int			 relax;		/* relax schema validation */
	int			 compression_level;	/* 0-9, 0 = disabled */
};

TAILQ_HEAD(namespace_list, namespace);

/* One index-key prefix a query plan will scan. */
struct index
{
	TAILQ_ENTRY(index)	 next;
	char			*prefix;
};

/* A query plan.
 * args holds sub-plans (for AND/OR filters), indices the index prefixes to
 * scan; indexed is non-zero when the plan can be answered from indices.
 */
struct plan
{
	TAILQ_ENTRY(plan)	 next;
	TAILQ_HEAD(, plan)	 args;
	TAILQ_HEAD(, index)	 indices;
	int			 indexed;
};

/* For OR filters using multiple indices, matches are not unique. Remember
 * all DNs sent to the client to make them unique.
 */
struct uniqdn {
	RB_ENTRY(uniqdn)	 link;
	struct btval		 key;
};
RB_HEAD(dn_tree, uniqdn);
RB_PROTOTYPE(dn_tree, uniqdn, link, uniqdn_cmp);

/* An LDAP search request.
 * szlim/tmlim are the client-requested size and time limits; nscanned,
 * nmatched and ndups count work done so far.  typesonly and deref are
 * parsed but, per the field comments, not acted upon.
 */
struct search {
	TAILQ_ENTRY(search)	 next;
	int			 init;		/* 1 if cursor initiated */
	struct conn		*conn;
	struct request		*req;
	struct namespace	*ns;
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	struct cursor		*cursor;
	unsigned int		 nscanned, nmatched, ndups;
	time_t			 started_at;
	long long		 szlim, tmlim;	/* size and time limits */
	int			 typesonly;	/* not implemented */
	long long		 scope;
	long long		 deref;		/* not implemented */
	char			*basedn;
	struct ber_element	*filter, *attrlist;
	struct plan		*plan;
	struct index		*cindx;		/* current index */
	struct dn_tree		 uniqdns;
};

/*
 * A listening socket.  ssl_cert_name is a fixed PATH_MAX buffer: anything
 * copied into it from the configuration must be bounded and NUL-terminated
 * by the caller (strlcpy or equivalent).
 */
struct listener {
	unsigned int		 flags;		/* F_STARTTLS or F_LDAPS */
	struct sockaddr_storage	 ss;
	int			 port;
	int			 fd;
	struct event		 ev;
	char			 ssl_cert_name[PATH_MAX];
	struct ssl		*ssl;
	void			*ssl_ctx;
	TAILQ_ENTRY(listener)	 entry;
};
TAILQ_HEAD(listenerlist, listener);

/* An LDAP client connection.
 * binddn is the identity established by the last successful bind (NULL
 * presumably meaning anonymous - confirm in auth.c); bind_req is the bind
 * whose result is still pending from the parent process.
 */
struct conn
{
	TAILQ_ENTRY(conn)	 next;
	int			 fd;
	struct bufferevent	*bev;
	struct ber		 ber;
	int			 disconnect;
	struct request		*bind_req;	/* ongoing bind request */
	char			*binddn;
	TAILQ_HEAD(, search)	 searches;
	struct listener		*listener;	/* where it connected from */

	/* SSL support */
	struct event		 s_ev;
	struct timeval		 s_tv;
	struct listener		*s_l;
	void			*s_ssl;
	unsigned char		*s_buf;		/* s_buflen bytes; purpose not visible here */
	int			 s_buflen;
	unsigned int		 s_flags;
};
/*
 * NOTE(review): this line defines an object (conn_list), not just the list
 * type.  Every translation unit that includes this header gets a tentative
 * definition of conn_list, which only links because of common symbols and
 * fails under -fno-common.  The "extern struct conn_list conn_list;" under
 * "conn.c" below suggests the intent was "TAILQ_HEAD(conn_list, conn);"
 * here with the single definition living in conn.c - confirm before changing.
 */
TAILQ_HEAD(conn_list, conn)	 conn_list;

/*
 * A loaded certificate/key pair, keyed by ssl_name in the config's splay
 * tree.  ssl_key points at private-key material held in memory; the owner
 * of this struct is responsible for its lifetime (and ideally for zeroing
 * it on release - not visible here).  flags holds F_SCERT.
 */
struct ssl {
	SPLAY_ENTRY(ssl)	 ssl_nodes;
	char			 ssl_name[PATH_MAX];
	char			*ssl_cert;
	off_t			 ssl_cert_len;
	char			*ssl_key;
	off_t			 ssl_key_len;
	uint8_t			 flags;
};

/*
 * Whole parsed configuration.  rootdn/rootpw and acl here are the global
 * fallbacks; each namespace carries its own copies of the same fields.
 */
struct ldapd_config
{
	struct namespace_list		 namespaces;
	struct listenerlist		 listeners;
	SPLAY_HEAD(ssltree, ssl)	*sc_ssl;
	struct referrals		 referrals;
	struct acl			 acl;
	struct schema			*schema;
	char				*rootdn;
	char				*rootpw;
};

/* Counters reported through the control socket (IMSG_CTL_STATS). */
struct ldapd_stats
{
	time_t			 started_at;	/* time of daemon startup */
	unsigned long long	 requests;	/* total number of requests */
	unsigned long long	 req_search;	/* search requests */
	unsigned long long	 req_bind;	/* bind requests */
	unsigned long long	 req_mod;	/* add/mod/del requests */
	unsigned long long	 timeouts;	/* search timeouts */
	unsigned long long	 unindexed;	/* unindexed searches */
	unsigned int		 conns;		/* active connections */
	unsigned int		 searches;	/* active searches */
};

/*
 * Simple-bind credential forwarded to the privileged parent (presumably as
 * the payload of IMSG_LDAPD_AUTH - confirm in auth.c).  fd and msgid let the
 * answer be matched back to the connection and request.
 *
 * name and password are fixed 128-byte buffers carrying a cleartext password
 * across a process boundary: the sender must bound the copy and guarantee
 * NUL termination, the receiver must not trust termination without checking,
 * and both sides should clear the buffer once it is no longer needed
 * (explicit_bzero) - verify all three in auth.c / ldapd.c.
 */
struct auth_req
{
	int			 fd;
	long long		 msgid;
	char			 name[128];
	char			 password[128];
};

/* Reply to struct auth_req (presumably IMSG_LDAPD_AUTH_RESULT). ok is the
 * verdict; fd/msgid identify the waiting bind. */
struct auth_res
{
	int			 ok;
	int			 fd;
	long long		 msgid;
};

/*
 * Request for the privileged process to open a database file on behalf of
 * the unprivileged engine (presumably IMSG_LDAPD_OPEN; the fd travels back
 * with the reply).  Because path originates in the less privileged process,
 * the opener must validate it (e.g. confine it to DATADIR) before open(2) -
 * that check is not visible in this header, confirm it exists in ldapd.c.
 */
struct open_req {
	char			 path[MAXPATHLEN+1];
	unsigned int		 rdonly;
};

/* Message types exchanged over imsg between the control socket, the parent
 * process and the LDAP engine. */
enum imsg_type {
	IMSG_NONE,
	IMSG_CTL_OK,
	IMSG_CTL_FAIL,
	IMSG_CTL_END,
	IMSG_CTL_STATS,
	IMSG_CTL_NSSTATS,
	IMSG_CTL_LOG_VERBOSE,

	IMSG_LDAPD_AUTH,
	IMSG_LDAPD_AUTH_RESULT,
	IMSG_LDAPD_OPEN,
	IMSG_LDAPD_OPEN_RESULT,
};

/* Per-namespace statistics (IMSG_CTL_NSSTATS); suffix is a bounded copy. */
struct ns_stat {
	char			 suffix[256];
	struct btree_stat	 data_stat;
	struct btree_stat	 indx_stat;
};

/* An imsg channel wired into libevent: handler has the (fd, events, arg)
 * callback shape, events the mask currently registered. */
struct imsgev {
	struct imsgbuf		 ibuf;
	void			(*handler)(int, short, void *);
	struct event		 ev;
	void			*data;
	short			 events;
};

/* One client of the control socket.  CTL_CONN_LOCKED marks connections that
 * arrived on a restricted socket (see control_sock.cs_restricted). */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	u_int8_t		 flags;
#define CTL_CONN_NOTIFY		0x01
#define CTL_CONN_LOCKED		0x02		/* restricted mode */
	struct imsgev		 iev;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
extern  struct ctl_connlist ctl_conns;


/* A control (unix) socket; cs_restricted selects restricted mode for
 * clients accepted on it. */
struct control_sock {
	const char		*cs_name;
	struct event		 cs_ev;
	int			 cs_fd;
	int			 cs_restricted;
};

/* ldapd.c */
extern struct ldapd_stats	 stats;
extern struct ldapd_config	*conf;

void			 fd_nonblock(int fd);
void			 imsg_event_add(struct imsgev *iev);
/* Queue an imsg on iev; fd, if not -1, is passed to the peer with it. */
int			 imsg_compose_event(struct imsgev *iev, u_int16_t type,
			    u_int32_t peerid, pid_t pid, int fd, void *data,
			    u_int16_t datalen);
int			 imsg_event_handle(struct imsgev *iev, short event);

/* conn.c */
extern struct conn_list	 conn_list;
struct conn		*conn_by_fd(int fd);
void			 conn_read(struct bufferevent *bev, void *data);
void			 conn_write(struct bufferevent *bev, void *data);
void			 conn_err(struct bufferevent *bev, short w, void *data);
void			 conn_accept(int fd, short why, void *data);
void			 conn_close(struct conn *conn);
void			 conn_disconnect(struct conn *conn);
void			 request_dispatch(struct request *req);
void			 request_free(struct request *req);

/* ldape.c */
/* Fork the LDAP engine process; pw is the unprivileged user it drops to. */
pid_t			 ldape(struct passwd *pw, char *csockpath,
			    int pipe_parent2ldap[2]);
int			 ldap_abandon(struct request *req);
int			 ldap_unbind(struct request *req);
int			 ldap_compare(struct request *req);
int			 ldap_extended(struct request *req);

void			 send_ldap_result(struct conn *conn, int msgid,
			    unsigned long type, long long result_code);
int			 ldap_respond(struct request *req, int code);
int			 ldap_refer(struct request *req, const char *basedn,
			    struct search *search, struct referrals *refs);

/* namespace.c
 */
struct namespace	*namespace_new(const char *suffix);
int			 namespace_open(struct namespace *ns);
int			 namespace_reopen_data(struct namespace *ns);
int			 namespace_reopen_indx(struct namespace *ns);
int			 namespace_set_data_fd(struct namespace *ns, int fd);
int			 namespace_set_indx_fd(struct namespace *ns, int fd);
struct namespace	*namespace_init(const char *suffix, const char *dir);
void			 namespace_close(struct namespace *ns);
void			 namespace_remove(struct namespace *ns);
struct ber_element	*namespace_get(struct namespace *ns, char *dn);
int			 namespace_exists(struct namespace *ns, char *dn);
int			 namespace_add(struct namespace *ns, char *dn,
			    struct ber_element *root);
int			 namespace_update(struct namespace *ns, char *dn,
			    struct ber_element *root);
int			 namespace_del(struct namespace *ns, char *dn);
struct namespace	*namespace_lookup_base(const char *basedn,
			    int include_referrals);
struct namespace	*namespace_for_base(const char *basedn);
int			 namespace_has_referrals(struct namespace *ns);
struct referrals	*namespace_referrals(const char *basedn);
int			 namespace_has_index(struct namespace *ns,
			    const char *attr, enum index_type type);
/* Open transactions on both databases; rdonly selects read-only txns. */
int			 namespace_begin_txn(struct namespace *ns,
			    struct btree_txn **data_txn,
			    struct btree_txn **indx_txn, int rdonly);
int			 namespace_begin(struct namespace *ns);
int			 namespace_commit(struct namespace *ns);
void			 namespace_abort(struct namespace *ns);
int			 namespace_queue_request(struct namespace *ns,
			    struct request *req);
void			 namespace_queue_schedule(struct namespace *ns,
			    unsigned int usec);
void			 namespace_cancel_conn(struct conn *conn);

/* Namespace-aware wrappers around ber2db()/db2ber(); presumably they supply
 * ns->compression_level. */
int			 namespace_ber2db(struct namespace *ns,
			    struct ber_element *root, struct btval *val);
struct ber_element	*namespace_db2ber(struct namespace *ns,
			    struct btval *val);

/* attributes.c */
struct ber_element	*ldap_get_attribute(struct ber_element *root,
			    const char *attr);
struct ber_element	*ldap_find_attribute(struct ber_element *entry,
			    struct attr_type *at);
struct ber_element	*ldap_find_value(struct ber_element *elm,
			    const char *value);
struct ber_element	*ldap_add_attribute(struct ber_element *root,
			    const char *attr, struct ber_element *vals);
int			 ldap_set_values(struct ber_element *elm,
			    struct ber_element *vals);
int			 ldap_merge_values(struct ber_element *elm,
			    struct ber_element *vals);
int			 ldap_del_attribute(struct ber_element *entry,
			    const char *attrdesc);
int			 ldap_del_values(struct ber_element *elm,
			    struct ber_element *vals);
/* Both return a char *; ownership (static buffer vs. malloc) is not visible
 * here - check attributes.c before freeing. */
char			*ldap_strftime(time_t tm);
char			*ldap_now(void);

/* control.c */
void			 control_init(struct control_sock *);
void			 control_listen(struct control_sock *);
void			 control_accept(int, short, void *);
void			 control_dispatch_imsg(int, short, void *);
void			 control_cleanup(struct control_sock *);

/* filter.c */
int			 ldap_matches_filter(struct ber_element *root,
			    struct ber_element *filter);

/* search.c */
int			 ldap_search(struct request *req);
void			 conn_search(struct search *search);
void			 search_close(struct search *search);
int			 is_child_of(struct btval *key, const char *base);

/* modify.c */
int			 ldap_add(struct request *req);
int			 ldap_delete(struct request *req);
int			 ldap_modify(struct request *req);

/* auth.c */
extern struct imsgev	*iev_ldapd;
int			 ldap_bind(struct request *req);
/* Resume a bind once the parent's verdict (ok) has arrived. */
void			 ldap_bind_continue(struct conn *conn, int ok);
/* Access-control decision: may conn perform the ACI_* operations in rights
 * on dn (with scope) in ns?  Every operation handler should consult this
 * before touching the entry. */
int			 authorized(struct conn *conn, struct namespace *ns,
			    int rights, char *dn, int scope);

/* parse.y */
int			 parse_config(char *filename);
int			 cmdline_symset(char *s);

/* log.c */
void			 log_init(int);
void			 log_verbose(int v);
/* fmt arguments must be format strings under program control, never data
 * received from a client. */
void			 vlog(int, const char *, va_list);
void			 logit(int pri, const char *fmt, ...);
void			 log_warn(const char *, ...);
void			 log_warnx(const char *, ...);
void			 log_info(const char *, ...);
void			 log_debug(const char *, ...);
__dead void		 fatal(const char *);
__dead void		 fatalx(const char *);
/* Render ss into buf (len bytes) and return buf. */
const char		*print_host(struct sockaddr_storage *ss, char *buf,
			    size_t len);

/* util.c */
int			 bsnprintf(char *str, size_t size,
			    const char *format, ...);
int			 has_suffix(struct btval *key, const char *suffix);
int			 has_prefix(struct btval *key, const char *prefix);
/* Takes a non-const dn, so presumably normalizes in place - confirm. */
void			 normalize_dn(char *dn);
/* Serialize an entry to/from its database representation; compression_level
 * 0 disables compression (see struct namespace). */
int			 ber2db(struct ber_element *root, struct btval *val,
			    int compression_level);
struct ber_element	*db2ber(struct btval *val, int compression_level);

/* index.c */
int			 index_entry(struct namespace *ns, struct btval *dn,
			    struct ber_element *elm);
int			 unindex_entry(struct namespace *ns, struct btval *dn,
			    struct ber_element *elm);
int			 index_to_dn(struct namespace *ns, struct btval *indx,
			    struct btval *dn);

/* ssl.c */
void	 ssl_init(void);
void	 ssl_transaction(struct conn *);

void	 ssl_session_init(struct conn *);
void	 ssl_session_destroy(struct conn *);
/* Load a cert/key pair by name into conf->sc_ssl; the u_int8_t is a flags
 * byte (F_SCERT). */
int	 ssl_load_certfile(struct ldapd_config *, const char *, u_int8_t);
void	 ssl_setup(struct ldapd_config *, struct listener *);
int	 ssl_cmp(struct ssl *, struct ssl *);
SPLAY_PROTOTYPE(ssltree, ssl, ssl_nodes, ssl_cmp);

/* ssl_privsep.c */
/* Install key / certificate chain from an in-memory buffer of the given
 * length into an SSL_CTX passed as void * (keeps OpenSSL out of this header). */
int	 ssl_ctx_use_private_key(void *, char *, off_t);
int	 ssl_ctx_use_certificate_chain(void *, char *, off_t);

/* validate.c */
/* Schema-check entry before it is stored; relax corresponds to
 * struct namespace.relax. */
int	 validate_entry(const char *dn, struct ber_element *entry, int relax);

#endif /* _LDAPD_H */