ldapd.h revision 1.22
197403Sobrien/* $OpenBSD: ldapd.h,v 1.22 2012/04/11 08:31:37 deraadt Exp $ */ 297403Sobrien 397403Sobrien/* 497403Sobrien * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se> 597403Sobrien * 697403Sobrien * Permission to use, copy, modify, and distribute this software for any 797403Sobrien * purpose with or without fee is hereby granted, provided that the above 897403Sobrien * copyright notice and this permission notice appear in all copies. 997403Sobrien * 1097403Sobrien * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 1197403Sobrien * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 1297403Sobrien * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 1397403Sobrien * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 1497403Sobrien * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 1597403Sobrien * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 1697403Sobrien * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 1797403Sobrien */ 18169691Skan 1997403Sobrien#ifndef _LDAPD_H 2097403Sobrien#define _LDAPD_H 2197403Sobrien 2297403Sobrien#include <sys/queue.h> 2397403Sobrien#include <sys/socket.h> 2497403Sobrien#include <sys/tree.h> 2597403Sobrien#include <sys/types.h> 2697403Sobrien#include <sys/uio.h> 2797403Sobrien#include <sys/param.h> 2897403Sobrien 2997403Sobrien#include <event.h> 3097403Sobrien#include <imsg.h> 3197403Sobrien#include <limits.h> 3297403Sobrien#include <pwd.h> 3397403Sobrien#include <stdarg.h> 3497403Sobrien 3597403Sobrien#include "aldap.h" 3697403Sobrien#include "schema.h" 3797403Sobrien#include "btree.h" 3897403Sobrien#include "imsgev.h" 3997403Sobrien 4097403Sobrien#define CONFFILE "/etc/ldapd.conf" 4197403Sobrien#define LDAPD_USER "_ldapd" 4297403Sobrien#define LDAPD_SOCKET "/var/run/ldapd.sock" 4397403Sobrien#define DATADIR "/var/db/ldap" 4497403Sobrien#define LDAP_PORT 389 4597403Sobrien#define LDAPS_PORT 636 4697403Sobrien#define LDAPD_SESSION_TIMEOUT 30 4797403Sobrien#define MAX_LISTEN 64 4897403Sobrien 4997403Sobrien#define F_STARTTLS 0x01 5097403Sobrien#define F_LDAPS 0x02 5197403Sobrien#define F_SSL (F_LDAPS|F_STARTTLS) 5297403Sobrien 5397403Sobrien#define F_SECURE 0x04 5497403Sobrien 5597403Sobrien#define F_SCERT 0x01 5697403Sobrien 5797403Sobrienstruct conn; 5897403Sobrien 5997403Sobrienstruct aci { 6097403Sobrien SIMPLEQ_ENTRY(aci) entry; 6197403Sobrien#define ACI_DENY 0 6297403Sobrien#define ACI_ALLOW 1 6397403Sobrien int type; 64132720Skan#define ACI_READ 0x01 6597403Sobrien#define ACI_WRITE 0x02 6697403Sobrien#define ACI_COMPARE 0x04 6797403Sobrien#define ACI_CREATE 0x08 6897403Sobrien#define ACI_BIND 0x10 6997403Sobrien#define ACI_ALL 0x1F 7097403Sobrien int rights; 7197403Sobrien enum scope scope; /* base, onelevel or subtree */ 7297403Sobrien char *attribute; 7397403Sobrien char *target; 7497403Sobrien char *subject; 7597403Sobrien char *filter; 7697403Sobrien}; 7797403SobrienSIMPLEQ_HEAD(acl, aci); 7897403Sobrien 7997403Sobrien/* An LDAP request. 8097403Sobrien */ 8197403Sobrienstruct request { 8297403Sobrien TAILQ_ENTRY(request) next; 8397403Sobrien unsigned long type; 8497403Sobrien long long msgid; 8597403Sobrien struct ber_element *root; 8697403Sobrien struct ber_element *op; 8797403Sobrien struct conn *conn; 8897403Sobrien int replayed; /* true if replayed request */ 8997403Sobrien}; 9097403SobrienTAILQ_HEAD(request_queue, request); 9197403Sobrien 9297403Sobrienenum index_type { 9397403Sobrien INDEX_NONE, 94132720Skan INDEX_EQUAL = 1, 9597403Sobrien INDEX_APPROX = 1, 9697403Sobrien INDEX_PRESENCE = 1, 9797403Sobrien INDEX_SUBSTR 9897403Sobrien}; 9997403Sobrien 10097403Sobrienstruct attr_index { 10197403Sobrien TAILQ_ENTRY(attr_index) next; 10297403Sobrien char *attr; 10397403Sobrien enum index_type type; 10497403Sobrien}; 10597403SobrienTAILQ_HEAD(attr_index_list, attr_index); 10697403Sobrien 10797403Sobrienstruct referral { 10897403Sobrien SLIST_ENTRY(referral) next; 10997403Sobrien char *url; 11097403Sobrien}; 11197403SobrienSLIST_HEAD(referrals, referral); 11297403Sobrien 113struct namespace { 114 TAILQ_ENTRY(namespace) next; 115 char *suffix; 116 struct referrals referrals; 117 char *rootdn; 118 char *rootpw; 119 char *data_path; 120 char *indx_path; 121 struct btree *data_db; 122 struct btree *indx_db; 123 struct btree_txn *data_txn; 124 struct btree_txn *indx_txn; 125 int sync; /* 1 = fsync after commit */ 126 struct attr_index_list indices; 127 unsigned int cache_size; 128 unsigned int index_cache_size; 129 struct request_queue request_queue; 130 struct event ev_queue; 131 unsigned int queued_requests; 132 struct acl acl; 133 int relax; /* relax schema validation */ 134 int compression_level; /* 0-9, 0 = disabled */ 135}; 136 137TAILQ_HEAD(namespace_list, namespace); 138 139struct index 140{ 141 TAILQ_ENTRY(index) next; 142 char *prefix; 143}; 144 145/* A query plan. 146 */ 147struct plan 148{ 149 TAILQ_ENTRY(plan) next; 150 TAILQ_HEAD(, plan) args; 151 TAILQ_HEAD(, index) indices; 152 struct attr_type *at; 153 char *adesc; 154 union { 155 char *value; 156 struct ber_element *substring; 157 } assert; 158 int op; 159 int indexed; 160 int undefined; 161}; 162 163/* For OR filters using multiple indices, matches are not unique. Remember 164 * all DNs sent to the client to make them unique. 165 */ 166struct uniqdn { 167 RB_ENTRY(uniqdn) link; 168 struct btval key; 169}; 170RB_HEAD(dn_tree, uniqdn); 171RB_PROTOTYPE(dn_tree, uniqdn, link, uniqdn_cmp); 172 173/* An LDAP search request. 174 */ 175struct search { 176 TAILQ_ENTRY(search) next; 177 int init; /* 1 if cursor initiated */ 178 struct conn *conn; 179 struct request *req; 180 struct namespace *ns; 181 struct btree_txn *data_txn; 182 struct btree_txn *indx_txn; 183 struct cursor *cursor; 184 unsigned int nscanned, nmatched, ndups; 185 time_t started_at; 186 long long szlim, tmlim; /* size and time limits */ 187 int typesonly; /* not implemented */ 188 long long scope; 189 long long deref; /* not implemented */ 190 char *basedn; 191 struct ber_element *filter, *attrlist; 192 struct plan *plan; 193 struct index *cindx; /* current index */ 194 struct dn_tree uniqdns; 195}; 196 197struct listener { 198 unsigned int flags; /* F_STARTTLS or F_LDAPS */ 199 struct sockaddr_storage ss; 200 int port; 201 int fd; 202 struct event ev; 203 struct event evt; 204 char ssl_cert_name[PATH_MAX]; 205 struct ssl *ssl; 206 void *ssl_ctx; 207 TAILQ_ENTRY(listener) entry; 208}; 209TAILQ_HEAD(listenerlist, listener); 210 211/* An LDAP client connection. 212 */ 213struct conn { 214 TAILQ_ENTRY(conn) next; 215 int fd; 216 struct bufferevent *bev; 217 struct ber ber; 218 int disconnect; 219 struct request *bind_req; /* ongoing bind request */ 220 char *binddn; 221 char *pending_binddn; 222 TAILQ_HEAD(, search) searches; 223 struct listener *listener; /* where it connected from */ 224 225 /* SSL support */ 226 struct event s_ev; 227 struct timeval s_tv; 228 struct listener *s_l; 229 void *s_ssl; 230 unsigned char *s_buf; 231 int s_buflen; 232 unsigned int s_flags; 233}; 234TAILQ_HEAD(conn_list, conn) conn_list; 235 236struct ssl { 237 SPLAY_ENTRY(ssl) ssl_nodes; 238 char ssl_name[PATH_MAX]; 239 char *ssl_cert; 240 off_t ssl_cert_len; 241 char *ssl_key; 242 off_t ssl_key_len; 243 uint8_t flags; 244}; 245 246struct ldapd_config 247{ 248 struct namespace_list namespaces; 249 struct listenerlist listeners; 250 SPLAY_HEAD(ssltree, ssl) *sc_ssl; 251 struct referrals referrals; 252 struct acl acl; 253 struct schema *schema; 254 char *rootdn; 255 char *rootpw; 256}; 257 258struct ldapd_stats 259{ 260 time_t started_at; /* time of daemon startup */ 261 unsigned long long requests; /* total number of requests */ 262 unsigned long long req_search; /* search requests */ 263 unsigned long long req_bind; /* bind requests */ 264 unsigned long long req_mod; /* add/mod/del requests */ 265 unsigned long long timeouts; /* search timeouts */ 266 unsigned long long unindexed; /* unindexed searches */ 267 unsigned int conns; /* active connections */ 268 unsigned int searches; /* active searches */ 269}; 270 271struct auth_req 272{ 273 int fd; 274 long long msgid; 275 char name[128]; 276 char password[128]; 277}; 278 279struct auth_res 280{ 281 int ok; 282 int fd; 283 long long msgid; 284}; 285 286struct open_req { 287 char path[MAXPATHLEN+1]; 288 unsigned int rdonly; 289}; 290 291enum imsg_type { 292 IMSG_NONE, 293 IMSG_CTL_OK, 294 IMSG_CTL_FAIL, 295 IMSG_CTL_END, 296 IMSG_CTL_STATS, 297 IMSG_CTL_NSSTATS, 298 IMSG_CTL_LOG_VERBOSE, 299 300 IMSG_LDAPD_AUTH, 301 IMSG_LDAPD_AUTH_RESULT, 302 IMSG_LDAPD_OPEN, 303 IMSG_LDAPD_OPEN_RESULT, 304}; 305 306struct ns_stat { 307 char suffix[256]; 308 struct btree_stat data_stat; 309 struct btree_stat indx_stat; 310}; 311 312struct ctl_conn { 313 TAILQ_ENTRY(ctl_conn) entry; 314 u_int8_t flags; 315#define CTL_CONN_NOTIFY 0x01 316#define CTL_CONN_LOCKED 0x02 /* restricted mode */ 317 struct imsgev iev; 318}; 319TAILQ_HEAD(ctl_connlist, ctl_conn); 320extern struct ctl_connlist ctl_conns; 321 322 323struct control_sock { 324 const char *cs_name; 325 struct event cs_ev; 326 struct event cs_evt; 327 int cs_fd; 328 int cs_restricted; 329}; 330 331/* ldapd.c */ 332extern struct ldapd_stats stats; 333extern struct ldapd_config *conf; 334 335void fd_nonblock(int fd); 336void imsg_event_add(struct imsgev *iev); 337int imsg_compose_event(struct imsgev *iev, u_int16_t type, 338 u_int32_t peerid, pid_t pid, int fd, void *data, 339 u_int16_t datalen); 340int imsg_event_handle(struct imsgev *iev, short event); 341 342/* conn.c */ 343extern struct conn_list conn_list; 344struct conn *conn_by_fd(int fd); 345void conn_read(struct bufferevent *bev, void *data); 346void conn_write(struct bufferevent *bev, void *data); 347void conn_err(struct bufferevent *bev, short w, void *data); 348void conn_accept(int fd, short why, void *data); 349void conn_close(struct conn *conn); 350void conn_disconnect(struct conn *conn); 351void request_dispatch(struct request *req); 352void request_free(struct request *req); 353 354/* ldape.c */ 355pid_t ldape(struct passwd *pw, char *csockpath, 356 int pipe_parent2ldap[2]); 357int ldap_abandon(struct request *req); 358int ldap_unbind(struct request *req); 359int ldap_compare(struct request *req); 360int ldap_extended(struct request *req); 361 362void send_ldap_result(struct conn *conn, int msgid, 363 unsigned long type, long long result_code); 364int ldap_respond(struct request *req, int code); 365int ldap_refer(struct request *req, const char *basedn, 366 struct search *search, struct referrals *refs); 367 368/* namespace.c 369 */ 370struct namespace *namespace_new(const char *suffix); 371int namespace_open(struct namespace *ns); 372int namespace_reopen_data(struct namespace *ns); 373int namespace_reopen_indx(struct namespace *ns); 374int namespace_set_data_fd(struct namespace *ns, int fd); 375int namespace_set_indx_fd(struct namespace *ns, int fd); 376struct namespace *namespace_init(const char *suffix, const char *dir); 377void namespace_close(struct namespace *ns); 378void namespace_remove(struct namespace *ns); 379struct ber_element *namespace_get(struct namespace *ns, char *dn); 380int namespace_exists(struct namespace *ns, char *dn); 381int namespace_add(struct namespace *ns, char *dn, 382 struct ber_element *root); 383int namespace_update(struct namespace *ns, char *dn, 384 struct ber_element *root); 385int namespace_del(struct namespace *ns, char *dn); 386struct namespace *namespace_lookup_base(const char *basedn, 387 int include_referrals); 388struct namespace *namespace_for_base(const char *basedn); 389int namespace_has_referrals(struct namespace *ns); 390struct referrals *namespace_referrals(const char *basedn); 391int namespace_has_index(struct namespace *ns, 392 const char *attr, enum index_type type); 393int namespace_begin_txn(struct namespace *ns, 394 struct btree_txn **data_txn, 395 struct btree_txn **indx_txn, int rdonly); 396int namespace_begin(struct namespace *ns); 397int namespace_commit(struct namespace *ns); 398void namespace_abort(struct namespace *ns); 399int namespace_queue_request(struct namespace *ns, 400 struct request *req); 401void namespace_queue_schedule(struct namespace *ns, 402 unsigned int usec); 403void namespace_cancel_conn(struct conn *conn); 404 405int namespace_ber2db(struct namespace *ns, 406 struct ber_element *root, struct btval *val); 407struct ber_element *namespace_db2ber(struct namespace *ns, 408 struct btval *val); 409 410/* attributes.c */ 411struct ber_element *ldap_get_attribute(struct ber_element *root, 412 const char *attr); 413struct ber_element *ldap_find_attribute(struct ber_element *entry, 414 struct attr_type *at); 415struct ber_element *ldap_find_value(struct ber_element *elm, 416 const char *value); 417struct ber_element *ldap_add_attribute(struct ber_element *root, 418 const char *attr, struct ber_element *vals); 419int ldap_set_values(struct ber_element *elm, 420 struct ber_element *vals); 421int ldap_merge_values(struct ber_element *elm, 422 struct ber_element *vals); 423int ldap_del_attribute(struct ber_element *entry, 424 const char *attrdesc); 425int ldap_del_values(struct ber_element *elm, 426 struct ber_element *vals); 427char *ldap_strftime(time_t tm); 428char *ldap_now(void); 429 430/* control.c */ 431void control_init(struct control_sock *); 432void control_listen(struct control_sock *); 433void control_accept(int, short, void *); 434void control_dispatch_imsg(int, short, void *); 435void control_cleanup(struct control_sock *); 436 437/* filter.c */ 438int ldap_matches_filter(struct ber_element *root, 439 struct plan *plan); 440 441/* search.c */ 442int ldap_search(struct request *req); 443void conn_search(struct search *search); 444void search_close(struct search *search); 445int is_child_of(struct btval *key, const char *base); 446 447/* modify.c */ 448int ldap_add(struct request *req); 449int ldap_delete(struct request *req); 450int ldap_modify(struct request *req); 451 452/* auth.c */ 453extern struct imsgev *iev_ldapd; 454int ldap_bind(struct request *req); 455void ldap_bind_continue(struct conn *conn, int ok); 456int authorized(struct conn *conn, struct namespace *ns, 457 int rights, char *dn, int scope); 458 459/* parse.y */ 460int parse_config(char *filename); 461int cmdline_symset(char *s); 462 463/* log.c */ 464void log_init(int); 465void log_verbose(int v); 466void vlog(int, const char *, va_list); 467void logit(int pri, const char *fmt, ...); 468void log_warn(const char *, ...); 469void log_warnx(const char *, ...); 470void log_info(const char *, ...); 471void log_debug(const char *, ...); 472__dead void fatal(const char *); 473__dead void fatalx(const char *); 474const char *print_host(struct sockaddr_storage *ss, char *buf, 475 size_t len); 476void hexdump(void *data, size_t len, const char *fmt, ...); 477void ldap_debug_elements(struct ber_element *root, 478 int context, const char *fmt, ...); 479 480/* util.c */ 481int bsnprintf(char *str, size_t size, 482 const char *format, ...); 483int has_suffix(struct btval *key, const char *suffix); 484int has_prefix(struct btval *key, const char *prefix); 485void normalize_dn(char *dn); 486int ber2db(struct ber_element *root, struct btval *val, 487 int compression_level); 488struct ber_element *db2ber(struct btval *val, int compression_level); 489 490/* index.c */ 491int index_entry(struct namespace *ns, struct btval *dn, 492 struct ber_element *elm); 493int unindex_entry(struct namespace *ns, struct btval *dn, 494 struct ber_element *elm); 495int index_to_dn(struct namespace *ns, struct btval *indx, 496 struct btval *dn); 497 498/* ssl.c */ 499void ssl_init(void); 500void ssl_transaction(struct conn *); 501 502void ssl_session_init(struct conn *); 503void ssl_session_destroy(struct conn *); 504int ssl_load_certfile(struct ldapd_config *, const char *, u_int8_t); 505void ssl_setup(struct ldapd_config *, struct listener *); 506int ssl_cmp(struct ssl *, struct ssl *); 507SPLAY_PROTOTYPE(ssltree, ssl, ssl_nodes, ssl_cmp); 508 509/* ssl_privsep.c */ 510int ssl_ctx_use_private_key(void *, char *, off_t); 511int ssl_ctx_use_certificate_chain(void *, char *, off_t); 512 513/* validate.c */ 514int validate_entry(const char *dn, struct ber_element *entry, int relax); 515 516#endif /* _LDAPD_H */ 517 518