2de220a3 MW |
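--- a/squid/helpers/basic_auth/LDAP/squid_ldap_auth.8
+++ b/squid/helpers/basic_auth/LDAP/squid_ldap_auth.8
@@ -1,4 +1,4 @@
-.TH squid_ldap_auth 8 "25 September 2001" "Squid LDAP Auth"
+.TH squid_ldap_auth 8 "1 Mars 2003" "Squid LDAP Auth"
 .
 .SH NAME
 squid_ldap_auth - Squid LDAP authentication helper
@@ -68,6 +68,16 @@
 Squid configuration file.
 .
 .TP
+.BI "-D " "binddn " "-W " "secretfile "
+The DN and the name of a file containing the password
+to bind as while performing searches.
+.IP
+Less insecure version of the former parameter pair with two advantages:
+The password does not occur in the process listing,
+and the password is not being compromised if someone gets the squid
+configuration file without getting the secretfile.
+.
+.TP
 .BI -P
 Use a persistent LDAP connection. Normally the LDAP connection
 is only open while validating a username to preserve resources
@@ -93,12 +103,32 @@
 the base object
 .
 .TP
+.BI -H " ldapuri"
+Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries)
+.
+.TP
 .BI -h " ldapserver"
 Specify the LDAP server to connect to
 .TP
 .BI -p " ldapport"
 Specify an alternate TCP port where the ldap server is listening if
 other than the default LDAP port 389.
+.
+.TP
+.BI -Z
+Use TLS encryption
+.
+.TP
+.BI -S certpath
+Enable LDAP over SSL (requires Netscape LDAP API libraries)
+.
+.TP
+.BI -c connect_timeout
+Specify timeout used when connecting to LDAP servers (requires
+Netscape LDAP API libraries)
+.TP
+.BI -t search_timeout
+Specify time limit on LDAP search operations
 .
 .SH EXAMPLES
 For directories using the RFC2307 layout with a single domain, all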
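--- a/squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
+++ b/squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
@@ -1,20 +1,28 @@
 /*
 * squid_ldap_auth: authentication via ldap for squid proxy server
 *
-* Maintainer: Henrik Nordstrom <hno@squid-cache.org>
+* Authors:
+* Henrik Nordstrom
+* hno@squid-cache.org
 *
-* Author: Glen Newton
+* Glen Newton
 * glen.newton@nrc.ca
 * Advanced Services
 * CISTI
 * National Research Council
+*
+* with contributions from others mentioned in the Changes section below
 *
 * Usage: squid_ldap_auth -b basedn [-s searchscope]
 * [-f searchfilter] [-D binddn -w bindpasswd]
 * [-u attr] [-h host] [-p port] [-P] [-R] [ldap_server_name[:port]] ...
 *
 * Dependencies: You need to get the OpenLDAP libraries
-* from http://www.openldap.org
+* from http://www.openldap.org or another compatible LDAP C-API
+* implementation.
+*
+* If you want to make a TLS enabled connection you will also need the
+* OpenSSL libraries linked into openldap. See http://www.openssl.org/
 *
 * License: squid_ldap_auth is free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public License
@@ -22,6 +30,18 @@
 * or (at your option) any later version.
 *
 * Changes:
+* 2003-03-01: David J N Begley
+* - Support for Netscape API method of ldap over SSL
+* connections
+* - Timeout option for better recovery when using
+* multiple LDAP servers
+* 2003-03-01: Christoph Lechleitner <lech@ibcl.at>
+* - Added -W option to read bindpasswd from file
+* 2003-03-01: Juerg Michel
+* - Added support for ldap URI via the -H option
+* (requires OpenLDAP)
+* 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
+* - Added TLS support and partial ldap version 3 support.
 * 2001-10-04: Henrik Nordstrom <hno@squid-cache.org>
 * - Be consistent with the other helpers in how
 * spaces are managed. If there is space characters
@@ -55,7 +75,9 @@
 
 #include "util.h"
 
-/* Change this to your search base */
+#define PROGRAM_NAME "squid_ldap_auth"
+
+/* Global options */
 static char *basedn;
 static char *searchfilter = NULL;
 static char *binddn = NULL;
@@ -65,8 +87,19 @@
 static int persistent = 0;
 static int noreferrals = 0;
 static int aliasderef = LDAP_DEREF_NEVER;
+#if defined(NETSCAPE_SSL)
+static char *sslpath = NULL;
+static int sslinit = 0;
+#endif
+static int connect_timeout = 0;
+static int timelimit = LDAP_NO_LIMIT;
+
+/* Added for TLS support and version 3 */
+static int use_tls = 0;
+static int version = -1;
 
 static int checkLDAP(LDAP * ld, char *userid, char *password);
+static int readSecret(char *filename);
 
 /* Yuck.. we need to glue to different versions of the API */
 
@@ -89,7 +122,29 @@
 int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
 ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
 }
-
+static void
+squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+{
+ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit);
+}
+static void
+squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+{
+#if defined(LDAP_OPT_NETWORK_TIMEOUT)
+struct timeval tv;
+tv.tv_sec = timelimit;
+tv.tv_usec = 0;
+ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+#elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
+timelimit *= 1000;
+ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit);
+#endif
+}
+static void
+squid_ldap_memfree(char *p)
+{
+ldap_memfree(p);
+}
 #else
 static int
 squid_ldap_errno(LDAP * ld)
@@ -109,6 +164,26 @@
 else
 ld->ld_options &= ~LDAP_OPT_REFERRALS;
 }
+static void squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+{
+ld->ld_timelimit = timelimit;
+}
+static void
+squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+{
+fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");
+}
+static void
+squid_ldap_memfree(char *p)
+{
+free(p);
+}
+#endif
+
+#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if LDAP_VENDOR_VERSION > 194
+#define HAS_URI_SUPPORT 1
+#endif
 #endif
 
 int
@@ -129,6 +204,8 @@
 switch (option) {
 case 'P':
 case 'R':
+case 'z':
+case 'Z':
 break;
 default:
 if (strlen(argv[1]) > 2) {
@@ -144,6 +221,12 @@
 argv++;
 argc--;
 switch (option) {
+case 'H':
+#if !HAS_URI_SUPPORT
+fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
+exit(1);
+#endif
+/* Fall thru to -h */
 case 'h':
 if (ldapServer) {
 int len = strlen(ldapServer) + 1 + strlen(value) + 1;
@@ -172,10 +255,26 @@
 else if (strcmp(value, "sub") == 0)
 searchscope = LDAP_SCOPE_SUBTREE;
 else {
-fprintf(stderr, "squid_ldap_auth: ERROR: Unknown search scope '%s'\n", value);
+fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown search scope '%s'\n", value);
 exit(1);
 }
 break;
+case 'E':
+#if defined(NETSCAPE_SSL)
+sslpath = value;
+if (port == LDAP_PORT)
+port = LDAPS_PORT;
+#else
+fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
+exit(1);
+#endif
+break;
+case 'c':
+connect_timeout = atoi(value);
+break;
+case 't':
+timelimit = atoi(value);
+break;
 case 'a':
 if (strcmp(value, "never") == 0)
 aliasderef = LDAP_DEREF_NEVER;
@@ -186,7 +285,7 @@
 else if (strcmp(value, "find") == 0)
 aliasderef = LDAP_DEREF_FINDING;
 else {
-fprintf(stderr, "squid_ldap_auth: ERROR: Unknown alias dereference method '%s'\n", value);
+fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown alias dereference method '%s'\n", value);
 exit(1);
 }
 break;
@@ -196,6 +295,9 @@
 case 'w':
 bindpasswd = value;
 break;
+case 'W':
+readSecret (value);
+break;
 case 'P':
 persistent = !persistent;
 break;
@@ -205,8 +307,32 @@
 case 'R':
 noreferrals = !noreferrals;
 break;
+#ifdef LDAP_VERSION3
+case 'v':
+switch( atoi(value) ) {
+case 2:
+version = LDAP_VERSION2;
+break;
+case 3:
+version = LDAP_VERSION3;
+break;
+default:
+fprintf( stderr, "Protocol version should be 2 or 3\n");
+exit(1);
+}
+break;
+case 'Z':
+if ( version == LDAP_VERSION2 ) {
+fprintf( stderr, "TLS (-Z) is incompatible with version %d\n",
+version);
+exit(1);
+}
+version = LDAP_VERSION3;
+use_tls = 1;
+break;
+#endif
 default:
-fprintf(stderr, "squid_ldap_auth: ERROR: Unknown command line option '%c'\n", option);
+fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option);
 exit(1);
 }
 }
@@ -229,21 +355,34 @@
 ldapServer = "localhost";
 
 if (!basedn) {
-fprintf(stderr, "Usage: squid_ldap_auth -b basedn [options] [ldap_server_name[:port]]...\n\n");
+fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn [options] [ldap_server_name[:port]]...\n\n");
 fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
 fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
 fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
 fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
 fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
 fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
+fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
+#if HAS_URI_SUPPORT
+fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
+#endif
 fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
 fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
 fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
+#if defined(NETSCAPE_SSL)
+fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
+#endif
+fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
+fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
 fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
 fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
+#ifdef LDAP_VERSION3
+fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
+fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires LDAP version 3\n");
+#endif
 fprintf(stderr, "\n");
 fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
-fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n");
+fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
 exit(1);
 }
 while (fgets(buf, 256, stdin) != NULL) {
@@ -259,11 +398,59 @@
 tryagain = 1;
 recover:
 if (ld == NULL) {
+#if HAS_URI_SUPPORT
+if (strstr(ldapServer, "://") != NULL) {
+int rc = ldap_initialize( &ld, ldapServer );
+if( rc != LDAP_SUCCESS ) {
+fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
+break;
+}
+} else
+#endif
+#if NETSCAPE_SSL
+if (sslpath) {
+if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
+fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
+sslpath);
+exit(1);
+} else {
+sslinit++;
+}
+if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
+fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
+ldapServer, port);
+exit(1);
+}
+} else
+#endif
 if ((ld = ldap_init(ldapServer, port)) == NULL) {
 fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",
 ldapServer, port);
 exit(1);
 }
+
+if (connect_timeout)
+squid_ldap_set_connect_timeout(ld, connect_timeout);
+
+#ifdef LDAP_VERSION3
+if (version == -1 ) {
+version = LDAP_VERSION2;
+}
+
+if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
+!= LDAP_OPT_SUCCESS )
+{
+fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
+version );
+exit(1);
+}
+
+if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS )) {
+fprintf( stderr, "Could not Activate TLS connection\n");
+exit(1);
+}
+#endif
+squid_ldap_set_timelimit(ld, timelimit);
 squid_ldap_set_referrals(ld, !noreferrals);
 squid_ldap_set_aliasderef(ld, aliasderef);
 }
@@ -311,7 +498,7 @@
 if (binddn) {
 rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
 if (rc != LDAP_SUCCESS) {
-fprintf(stderr, "squid_ldap_auth: WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
+fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
 return 1;
 }
 }
@@ -323,7 +510,13 @@
 * are disabled.
 */
 } else {
-fprintf(stderr, "squid_ldap_auth: WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
+fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
+#if defined(NETSCAPE_SSL)
+if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
+int sslerr = PORT_GetError();
+fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
+}
+#endif
 ldap_msgfree(res);
 return 1;
 }
@@ -335,12 +528,12 @@
 }
 userdn = ldap_get_dn(ld, entry);
 if (!userdn) {
-fprintf(stderr, "squid_ldap_auth: ERROR, could not get user DN for '%s'\n", userid);
+fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid);
 ldap_msgfree(res);
 return 1;
 }
 snprintf(dn, sizeof(dn), "%s", userdn);
-free(userdn);
+squid_ldap_memfree(userdn);
 ldap_msgfree(res);
 } else {
 snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
@@ -350,4 +543,37 @@
 return 1;
 
 return 0;
+}
+
+int readSecret(char *filename)
+{
+char buf[BUFSIZ];
+char *e=0;
+FILE *f;
+
+if(!(f=fopen(filename, "r"))) {
+fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
+return 1;
+}
+
+if( !fgets(buf, sizeof(buf)-1, f)) {
+fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
+fclose(f);
+return 1;
+}
+
+/* strip whitespaces on end */
+if((e = strrchr(buf, '\n'))) *e = 0;
+if((e = strrchr(buf, '\r'))) *e = 0;
+
+bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1);
+if (bindpasswd) {
+strcpy(bindpasswd, buf);
+} else {
+fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
+}
+
+fclose(f);
+
+return 0;
 }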
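Review bot: The StartTLS guard added in the `ld == NULL` connection-setup hunk (inside main, whose start is outside this diff) has its condition inverted: `ldap_start_tls_s(...) == LDAP_SUCCESS` triggers the "Could not Activate TLS connection" exit, so a successful TLS negotiation aborts the helper while a failed one falls through and keeps sending bind credentials and passwords over the plaintext connection despite -Z; the test should be `if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS )) {`. The new `case 'W'` discards readSecret's return value, so an unreadable or empty secret file leaves bindpasswd NULL and the later ldap_simple_bind_s to binddn proceeds without a credential instead of failing fast; `if (readSecret(value) != 0) exit(1);` would match how the other option errors are handled, and readSecret should likewise return non-zero on its calloc failure path rather than 0. Separately, the man page hunk documents the Netscape SSL option as `-S certpath` while the option parser only accepts `-E`, so one of the two should be corrected.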