[packages/squid.git] / squid-2.5.STABLE2-squid_ldap_auth.patch

Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.8
diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7 squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.1
*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7	Fri Oct  5 16:30:38 2001
--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.8	Thu May  8 14:15:55 2003
***************
*** 1,4 ****
! .TH squid_ldap_auth 8 "25 September 2001" "Squid LDAP Auth"
  .
  .SH NAME
  squid_ldap_auth - Squid LDAP authentication helper
--- 1,4 ----
! .TH squid_ldap_auth 8 "1 Mars 2003" "Squid LDAP Auth"
  .
  .SH NAME
  squid_ldap_auth - Squid LDAP authentication helper
***************
*** 68,73 ****
--- 68,83 ----
  Squid configuration file.
  .
  .TP
+ .BI "-D " "binddn " "-W " "secretfile "
+ The DN and the name of a file containing the password
+ to bind as while performing searches. 
+ .IP
+ Less insecure version of the former parameter pair with two advantages:
+ The password does not occur in the process listing, 
+ and the password is not being compromised if someone gets the squid 
+ configuration file without getting the secretfile.
+ .
+ .TP
  .BI -P
  Use a persistent LDAP connection. Normally the LDAP connection
  is only open while validating a username to preserve resources
***************
*** 93,104 ****
--- 103,134 ----
  the base object
  .
  .TP
+ .BI -H " ldapuri"
+ Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries)
+ .
+ .TP
  .BI -h " ldapserver"
  Specify the LDAP server to connect to
  .TP
  .BI -p " ldapport"
  Specify an alternate TCP port where the ldap server is listening if
  other than the default LDAP port 389.
+ .
+ .TP
+ .BI -Z
+ Use TLS encryption
+ .
+ .TP
+ .BI -S certpath
+ Enable LDAP over SSL (requires Netscape LDAP API libraries)
+ .
+ .TP
+ .BI -c connect_timeout
+ Specify timeout used when connecting to LDAP servers (requires
+ Netscape LDAP API libraries)
+ .TP
+ .BI -t search_timeout
+ Specify time limit on LDAP search operations
  .
  .SH EXAMPLES
  For directories using the RFC2307 layout with a single domain, all
Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.4 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.5
*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.4	Mon May  5 18:37:31 2003
--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c	Thu May  8 14:15:55 2003
***************
*** 1,20 ****
  /*
   * squid_ldap_auth: authentication via ldap for squid proxy server
   * 
!  * Maintainer: Henrik Nordstrom <hno@squid-cache.org>
   *
!  * Author: Glen Newton 
   * glen.newton@nrc.ca
   * Advanced Services 
   * CISTI
   * National Research Council
   * 
   * Usage: squid_ldap_auth -b basedn [-s searchscope]
   *                        [-f searchfilter] [-D binddn -w bindpasswd]
   *                        [-u attr] [-h host] [-p port] [-P] [-R] [ldap_server_name[:port]] ...
   * 
   * Dependencies: You need to get the OpenLDAP libraries
!  * from http://www.openldap.org
   * 
   * License: squid_ldap_auth is free software; you can redistribute it 
   * and/or modify it under the terms of the GNU General Public License 
--- 1,28 ----
  /*
   * squid_ldap_auth: authentication via ldap for squid proxy server
   * 
!  * Authors:
!  * Henrik Nordstrom
!  * hno@squid-cache.org
   *
!  * Glen Newton 
   * glen.newton@nrc.ca
   * Advanced Services 
   * CISTI
   * National Research Council
+  *
+  * with contributions from others mentioned in the Changes section below
   * 
   * Usage: squid_ldap_auth -b basedn [-s searchscope]
   *                        [-f searchfilter] [-D binddn -w bindpasswd]
   *                        [-u attr] [-h host] [-p port] [-P] [-R] [ldap_server_name[:port]] ...
   * 
   * Dependencies: You need to get the OpenLDAP libraries
!  * from http://www.openldap.org or another compatible LDAP C-API
!  * implementation.
!  *
!  * If you want to make a TLS enabled connection you will also need the
!  * OpenSSL libraries linked into openldap. See http://www.openssl.org/
   * 
   * License: squid_ldap_auth is free software; you can redistribute it 
   * and/or modify it under the terms of the GNU General Public License 
***************
*** 22,27 ****
--- 30,47 ----
   * or (at your option) any later version.
   *
   * Changes:
+  * 2003-03-01: David J N Begley
+  * 	       - Support for Netscape API method of ldap over SSL
+  * 	         connections
+  * 	       - Timeout option for better recovery when using
+  * 	         multiple LDAP servers
+  * 2003-03-01: Christoph Lechleitner <lech@ibcl.at>
+  *             - Added -W option to read bindpasswd from file
+  * 2003-03-01: Juerg Michel
+  *             - Added support for ldap URI via the -H option
+  *               (requires OpenLDAP)
+  * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
+  *             - Added TLS support and partial ldap version 3 support. 
   * 2001-10-04: Henrik Nordstrom <hno@squid-cache.org>
   *             - Be consistent with the other helpers in how
   *               spaces are managed. If there is space characters
***************
*** 55,61 ****
  
  #include "util.h"
  
! /* Change this to your search base */
  static char *basedn;
  static char *searchfilter = NULL;
  static char *binddn = NULL;
--- 75,83 ----
  
  #include "util.h"
  
! #define PROGRAM_NAME "squid_ldap_auth"
! 
! /* Global options */
  static char *basedn;
  static char *searchfilter = NULL;
  static char *binddn = NULL;
***************
*** 65,72 ****
--- 87,105 ----
  static int persistent = 0;
  static int noreferrals = 0;
  static int aliasderef = LDAP_DEREF_NEVER;
+ #if defined(NETSCAPE_SSL)
+ static char *sslpath = NULL;
+ static int sslinit = 0;
+ #endif
+ static int connect_timeout = 0;
+ static int timelimit = LDAP_NO_LIMIT;
+ 
+ /* Added for TLS support and version 3 */
+ static int use_tls = 0;
+ static int version = -1;
  
  static int checkLDAP(LDAP * ld, char *userid, char *password);
+ static int readSecret(char *filename);
  
  /* Yuck.. we need to glue to different versions of the API */
  
***************
*** 89,95 ****
      int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
      ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
  }
! 
  #else
  static int
  squid_ldap_errno(LDAP * ld)
--- 122,150 ----
      int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
      ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
  }
! static void
! squid_ldap_set_timelimit(LDAP *ld, int timelimit)
! {
!     ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit);
! }
! static void
! squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
! {
! #if defined(LDAP_OPT_NETWORK_TIMEOUT)
!     struct timeval tv;
!     tv.tv_sec = timelimit;
!     tv.tv_usec = 0;
!     ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
! #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
!     timelimit *= 1000;
!     ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit);
! #endif
! }
! static void
! squid_ldap_memfree(char *p)
! {
!     ldap_memfree(p);
! }
  #else
  static int
  squid_ldap_errno(LDAP * ld)
***************
*** 109,114 ****
--- 164,189 ----
      else
  	ld->ld_options &= ~LDAP_OPT_REFERRALS;
  }
+ static void squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+ {
+     ld->ld_timelimit = timelimit;
+ }
+ static void
+ squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+ {
+     fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");
+ }
+ static void
+ squid_ldap_memfree(char *p)
+ {
+     free(p);
+ }
+ #endif
+ 
+ #ifdef LDAP_API_FEATURE_X_OPENLDAP
+   #if LDAP_VENDOR_VERSION > 194
+     #define HAS_URI_SUPPORT 1
+   #endif
  #endif
  
  int
***************
*** 129,134 ****
--- 204,211 ----
  	switch (option) {
  	case 'P':
  	case 'R':
+ 	case 'z':
+ 	case 'Z':
  	    break;
  	default:
  	    if (strlen(argv[1]) > 2) {
***************
*** 144,149 ****
--- 221,232 ----
  	argv++;
  	argc--;
  	switch (option) {
+ 	case 'H':
+ #if !HAS_URI_SUPPORT
+ 	    fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
+ 	    exit(1);
+ #endif
+ 	    /* Fall thru to -h */
  	case 'h':
  	    if (ldapServer) {
  		int len = strlen(ldapServer) + 1 + strlen(value) + 1;
***************
*** 172,181 ****
  	    else if (strcmp(value, "sub") == 0)
  		searchscope = LDAP_SCOPE_SUBTREE;
  	    else {
! 		fprintf(stderr, "squid_ldap_auth: ERROR: Unknown search scope '%s'\n", value);
  		exit(1);
  	    }
  	    break;
  	case 'a':
  	    if (strcmp(value, "never") == 0)
  		aliasderef = LDAP_DEREF_NEVER;
--- 255,280 ----
  	    else if (strcmp(value, "sub") == 0)
  		searchscope = LDAP_SCOPE_SUBTREE;
  	    else {
! 		fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown search scope '%s'\n", value);
  		exit(1);
  	    }
  	    break;
+ 	case 'E':
+ #if defined(NETSCAPE_SSL)
+ 		sslpath = value;
+ 		if (port == LDAP_PORT)
+ 		    port = LDAPS_PORT;
+ #else
+ 		fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
+ 		exit(1);
+ #endif
+ 		break;
+ 	case 'c':
+ 		connect_timeout = atoi(value);
+ 		break;
+ 	case 't':
+ 		timelimit = atoi(value);
+ 		break;
  	case 'a':
  	    if (strcmp(value, "never") == 0)
  		aliasderef = LDAP_DEREF_NEVER;
***************
*** 186,192 ****
  	    else if (strcmp(value, "find") == 0)
  		aliasderef = LDAP_DEREF_FINDING;
  	    else {
! 		fprintf(stderr, "squid_ldap_auth: ERROR: Unknown alias dereference method '%s'\n", value);
  		exit(1);
  	    }
  	    break;
--- 285,291 ----
  	    else if (strcmp(value, "find") == 0)
  		aliasderef = LDAP_DEREF_FINDING;
  	    else {
! 		fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown alias dereference method '%s'\n", value);
  		exit(1);
  	    }
  	    break;
***************
*** 196,201 ****
--- 295,303 ----
  	case 'w':
  	    bindpasswd = value;
  	    break;
+ 	case 'W':
+ 	    readSecret (value);
+ 	    break;
  	case 'P':
  	    persistent = !persistent;
  	    break;
***************
*** 205,212 ****
  	case 'R':
  	    noreferrals = !noreferrals;
  	    break;
  	default:
! 	    fprintf(stderr, "squid_ldap_auth: ERROR: Unknown command line option '%c'\n", option);
  	    exit(1);
  	}
      }
--- 307,338 ----
  	case 'R':
  	    noreferrals = !noreferrals;
  	    break;
+ #ifdef LDAP_VERSION3
+ 	case 'v':
+ 	    switch( atoi(value) ) {
+ 	    case 2:
+ 		version = LDAP_VERSION2;
+ 		break;
+ 	    case 3:
+ 		version = LDAP_VERSION3;
+ 		break;
+ 	    default:
+ 		fprintf( stderr, "Protocol version should be 2 or 3\n");
+ 		exit(1);
+ 	    }
+ 	    break;
+ 	case 'Z':
+ 	    if ( version == LDAP_VERSION2 ) {
+ 		fprintf( stderr, "TLS (-Z) is incompatible with version %d\n",
+ 			version);
+ 		exit(1);
+ 	    }
+ 	    version = LDAP_VERSION3;
+ 	    use_tls = 1;
+ 	    break;
+ #endif
  	default:
! 	    fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option);
  	    exit(1);
  	}
      }
***************
*** 229,249 ****
  	ldapServer = "localhost";
  
      if (!basedn) {
! 	fprintf(stderr, "Usage: squid_ldap_auth -b basedn [options] [ldap_server_name[:port]]...\n\n");
  	fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
  	fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
  	fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
  	fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
  	fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
  	fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
  	fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
  	fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
  	fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
  	fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
  	fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
  	fprintf(stderr, "\n");
  	fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
! 	fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n");
  	exit(1);
      }
      while (fgets(buf, 256, stdin) != NULL) {
--- 355,388 ----
  	ldapServer = "localhost";
  
      if (!basedn) {
! 	fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn [options] [ldap_server_name[:port]]...\n\n");
  	fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
  	fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
  	fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
  	fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
  	fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
  	fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
+ 	fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
+ #if HAS_URI_SUPPORT
+ 	fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
+ #endif
  	fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
  	fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
  	fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
+ #if defined(NETSCAPE_SSL)
+ 	fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
+ #endif
+ 	fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
+ 	fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
  	fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
  	fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
+ #ifdef LDAP_VERSION3
+ 	fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
+ 	fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires LDAP version 3\n");
+ #endif
  	fprintf(stderr, "\n");
  	fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
! 	fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
  	exit(1);
      }
      while (fgets(buf, 256, stdin) != NULL) {
***************
*** 259,269 ****
--- 398,456 ----
  	tryagain = 1;
        recover:
  	if (ld == NULL) {
+ #if HAS_URI_SUPPORT
+ 	    if (strstr(ldapServer, "://") != NULL) {
+ 		int rc = ldap_initialize( &ld, ldapServer );
+ 		if( rc != LDAP_SUCCESS ) {
+ 		    fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
+ 		    break;
+ 		}
+ 	    } else
+ #endif
+ #if NETSCAPE_SSL
+ 	    if (sslpath) {
+ 		if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
+ 		    fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
+ 			    sslpath);
+ 		    exit(1);
+ 		} else {
+ 		    sslinit++;
+ 		}
+ 		if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
+ 		    fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
+ 			    ldapServer, port);
+ 		    exit(1);
+ 		}
+ 	    } else
+ #endif
  	    if ((ld = ldap_init(ldapServer, port)) == NULL) {
  		fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",
  		    ldapServer, port);
  		exit(1);
  	    }
+ 
+ 	    if (connect_timeout)
+ 		squid_ldap_set_connect_timeout(ld, connect_timeout);
+ 
+ #ifdef LDAP_VERSION3
+ 	    if (version == -1 ) {
+                 version = LDAP_VERSION2;
+ 	    }
+ 
+ 	    if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
+ 		    != LDAP_OPT_SUCCESS )
+ 	    {
+                 fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
+                         version );
+                 exit(1);
+ 	    }
+ 
+ 	    if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS )) {
+                 fprintf( stderr, "Could not Activate TLS connection\n");
+                 exit(1);
+ 	    }
+ #endif
+ 	    squid_ldap_set_timelimit(ld, timelimit);
  	    squid_ldap_set_referrals(ld, !noreferrals);
  	    squid_ldap_set_aliasderef(ld, aliasderef);
  	}
***************
*** 311,317 ****
  	if (binddn) {
  	    rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
  	    if (rc != LDAP_SUCCESS) {
! 		fprintf(stderr, "squid_ldap_auth: WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
  		return 1;
  	    }
  	}
--- 498,504 ----
  	if (binddn) {
  	    rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
  	    if (rc != LDAP_SUCCESS) {
! 		fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
  		return 1;
  	    }
  	}
***************
*** 323,329 ****
  		 * are disabled.
  		 */
  	    } else {
! 		fprintf(stderr, "squid_ldap_auth: WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
  		ldap_msgfree(res);
  		return 1;
  	    }
--- 510,522 ----
  		 * are disabled.
  		 */
  	    } else {
! 		fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
! #if defined(NETSCAPE_SSL)
! 		if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
! 		    int sslerr = PORT_GetError();
! 		    fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
! 		}
! #endif
  		ldap_msgfree(res);
  		return 1;
  	    }
***************
*** 335,346 ****
  	}
  	userdn = ldap_get_dn(ld, entry);
  	if (!userdn) {
! 	    fprintf(stderr, "squid_ldap_auth: ERROR, could not get user DN for '%s'\n", userid);
  	    ldap_msgfree(res);
  	    return 1;
  	}
  	snprintf(dn, sizeof(dn), "%s", userdn);
! 	free(userdn);
  	ldap_msgfree(res);
      } else {
  	snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
--- 528,539 ----
  	}
  	userdn = ldap_get_dn(ld, entry);
  	if (!userdn) {
! 	    fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid);
  	    ldap_msgfree(res);
  	    return 1;
  	}
  	snprintf(dn, sizeof(dn), "%s", userdn);
! 	squid_ldap_memfree(userdn);
  	ldap_msgfree(res);
      } else {
  	snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
***************
*** 350,353 ****
--- 543,579 ----
  	return 1;
  
      return 0;
+ }
+ 
+ int readSecret(char *filename)
+ {
+   char  buf[BUFSIZ];
+   char  *e=0;
+   FILE  *f;
+ 
+   if(!(f=fopen(filename, "r"))) {
+     fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
+     return 1;
+   }
+ 
+   if( !fgets(buf, sizeof(buf)-1, f)) {
+     fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
+     fclose(f);
+     return 1;
+   }
+ 
+   /* strip whitespaces on end */
+   if((e = strrchr(buf, '\n'))) *e = 0;
+   if((e = strrchr(buf, '\r'))) *e = 0;
+ 
+   bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1);
+   if (bindpasswd) {
+     strcpy(bindpasswd, buf);
+   } else {
+     fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); 
+   }
+ 
+   fclose(f);
+ 
+   return 0;
  }
Commit	Line	Data
2de220a3 MW	1	Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.8
	2	diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7 squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.1
	3	*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7 Fri Oct 5 16:30:38 2001
	4	--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 Thu May 8 14:15:55 2003
	5	***************
	6	* 1,4 **
	7	! .TH squid_ldap_auth 8 "25 September 2001" "Squid LDAP Auth"
	8	.
	9	.SH NAME
	10	squid_ldap_auth - Squid LDAP authentication helper
	11	--- 1,4 ----
	12	! .TH squid_ldap_auth 8 "1 Mars 2003" "Squid LDAP Auth"
	13	.
	14	.SH NAME
	15	squid_ldap_auth - Squid LDAP authentication helper
	16	***************
	17	* 68,73 **
	18	--- 68,83 ----
	19	Squid configuration file.
	20	.
	21	.TP
	22	+ .BI "-D " "binddn " "-W " "secretfile "
	23	+ The DN and the name of a file containing the password
	24	+ to bind as while performing searches.
	25	+ .IP
	26	+ Less insecure version of the former parameter pair with two advantages:
	27	+ The password does not occur in the process listing,
	28	+ and the password is not being compromised if someone gets the squid
	29	+ configuration file without getting the secretfile.
	30	+ .
	31	+ .TP
	32	.BI -P
	33	Use a persistent LDAP connection. Normally the LDAP connection
	34	is only open while validating a username to preserve resources
	35	***************
	36	* 93,104 **
	37	--- 103,134 ----
	38	the base object
	39	.
	40	.TP
	41	+ .BI -H " ldapuri"
	42	+ Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries)
	43	+ .
	44	+ .TP
	45	.BI -h " ldapserver"
	46	Specify the LDAP server to connect to
	47	.TP
	48	.BI -p " ldapport"
	49	Specify an alternate TCP port where the ldap server is listening if
	50	other than the default LDAP port 389.
	51	+ .
	52	+ .TP
	53	+ .BI -Z
	54	+ Use TLS encryption
	55	+ .
	56	+ .TP
	57	+ .BI -S certpath
	58	+ Enable LDAP over SSL (requires Netscape LDAP API libraries)
	59	+ .
	60	+ .TP
	61	+ .BI -c connect_timeout
	62	+ Specify timeout used when connecting to LDAP servers (requires
	63	+ Netscape LDAP API libraries)
	64	+ .TP
65	+ .BI -t search_timeout
66	+ Specify time limit on LDAP search operations
67	.
68	.SH EXAMPLES
69	For directories using the RFC2307 layout with a single domain, all
70	Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
71	diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.4 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.5
72	*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.4 Mon May 5 18:37:31 2003
73	--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c Thu May 8 14:15:55 2003
74	***************
75	* 1,20 **
76	/*
77	* squid_ldap_auth: authentication via ldap for squid proxy server
78	*
79	! * Maintainer: Henrik Nordstrom <hno@squid-cache.org>
80	*
81	! * Author: Glen Newton
82	* glen.newton@nrc.ca
83	* Advanced Services
84	* CISTI
85	* National Research Council
86	*
87	* Usage: squid_ldap_auth -b basedn [-s searchscope]
88	* [-f searchfilter] [-D binddn -w bindpasswd]
89	* [-u attr] [-h host] [-p port] [-P] [-R] [ldap_server_name[:port]] ...
90	*
91	* Dependencies: You need to get the OpenLDAP libraries
92	! * from http://www.openldap.org
93	*
94	* License: squid_ldap_auth is free software; you can redistribute it
95	* and/or modify it under the terms of the GNU General Public License
96	--- 1,28 ----
97	/*
98	* squid_ldap_auth: authentication via ldap for squid proxy server
99	*
100	! * Authors:
101	! * Henrik Nordstrom
102	! * hno@squid-cache.org
103	*
104	! * Glen Newton
105	* glen.newton@nrc.ca
106	* Advanced Services
107	* CISTI
108	* National Research Council
109	+ *
110	+ * with contributions from others mentioned in the Changes section below
111	*
112	* Usage: squid_ldap_auth -b basedn [-s searchscope]
113	* [-f searchfilter] [-D binddn -w bindpasswd]
114	* [-u attr] [-h host] [-p port] [-P] [-R] [ldap_server_name[:port]] ...
115	*
116	* Dependencies: You need to get the OpenLDAP libraries
117	! * from http://www.openldap.org or another compatible LDAP C-API
118	! * implementation.
119	! *
120	! * If you want to make a TLS enabled connection you will also need the
121	! * OpenSSL libraries linked into openldap. See http://www.openssl.org/
122	*
123	* License: squid_ldap_auth is free software; you can redistribute it
124	* and/or modify it under the terms of the GNU General Public License
125	***************
126	* 22,27 **
127	--- 30,47 ----
128	* or (at your option) any later version.
129	*
130	* Changes:
131	+ * 2003-03-01: David J N Begley
132	+ * - Support for Netscape API method of ldap over SSL
133	+ * connections
134	+ * - Timeout option for better recovery when using
135	+ * multiple LDAP servers
136	+ * 2003-03-01: Christoph Lechleitner <lech@ibcl.at>
137	+ * - Added -W option to read bindpasswd from file
138	+ * 2003-03-01: Juerg Michel
139	+ * - Added support for ldap URI via the -H option
140	+ * (requires OpenLDAP)
141	+ * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
142	+ * - Added TLS support and partial ldap version 3 support.
143	* 2001-10-04: Henrik Nordstrom <hno@squid-cache.org>
144	* - Be consistent with the other helpers in how
145	* spaces are managed. If there is space characters
146	***************
147	* 55,61 **
148
149	#include "util.h"
150
151	! /* Change this to your search base */
152	static char *basedn;
153	static char *searchfilter = NULL;
154	static char *binddn = NULL;
155	--- 75,83 ----
156
157	#include "util.h"
158
159	! #define PROGRAM_NAME "squid_ldap_auth"
160	!
161	! /* Global options */
162	static char *basedn;
163	static char *searchfilter = NULL;
164	static char *binddn = NULL;
165	***************
166	* 65,72 **
167	--- 87,105 ----
168	static int persistent = 0;
169	static int noreferrals = 0;
170	static int aliasderef = LDAP_DEREF_NEVER;
171	+ #if defined(NETSCAPE_SSL)
172	+ static char *sslpath = NULL;
173	+ static int sslinit = 0;
174	+ #endif
175	+ static int connect_timeout = 0;
176	+ static int timelimit = LDAP_NO_LIMIT;
177	+
178	+ /* Added for TLS support and version 3 */
179	+ static int use_tls = 0;
180	+ static int version = -1;
181
182	static int checkLDAP(LDAP * ld, char userid, char password);
183	+ static int readSecret(char *filename);
184
185	/* Yuck.. we need to glue to different versions of the API */
186
187	***************
188	* 89,95 **
189	int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
190	ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
191	}
192	!
193	#else
194	static int
195	squid_ldap_errno(LDAP * ld)
196	--- 122,150 ----
197	int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
198	ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
199	}
200	! static void
201	! squid_ldap_set_timelimit(LDAP *ld, int timelimit)
202	! {
203	! ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit);
204	! }
205	! static void
206	! squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
207	! {
208	! #if defined(LDAP_OPT_NETWORK_TIMEOUT)
209	! struct timeval tv;
210	! tv.tv_sec = timelimit;
211	! tv.tv_usec = 0;
212	! ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
213	! #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
214	! timelimit *= 1000;
215	! ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit);
216	! #endif
217	! }
218	! static void
219	! squid_ldap_memfree(char *p)
220	! {
221	! ldap_memfree(p);
222	! }
223	#else
224	static int
225	squid_ldap_errno(LDAP * ld)
226	***************
227	* 109,114 **
228	--- 164,189 ----
229	else
230	ld->ld_options &= ~LDAP_OPT_REFERRALS;
231	}
232	+ static void squid_ldap_set_timelimit(LDAP *ld, int timelimit)
233	+ {
234	+ ld->ld_timelimit = timelimit;
235	+ }
236	+ static void
237	+ squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
238	+ {
239	+ fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");
240	+ }
241	+ static void
242	+ squid_ldap_memfree(char *p)
243	+ {
244	+ free(p);
245	+ }
246	+ #endif
247	+
248	+ #ifdef LDAP_API_FEATURE_X_OPENLDAP
249	+ #if LDAP_VENDOR_VERSION > 194
250	+ #define HAS_URI_SUPPORT 1
251	+ #endif
252	#endif
253
254	int
255	***************
256	* 129,134 **
257	--- 204,211 ----
258	switch (option) {
259	case 'P':
260	case 'R':
261	+ case 'z':
262	+ case 'Z':
263	break;
264	default:
265	if (strlen(argv[1]) > 2) {
266	***************
267	* 144,149 **
268	--- 221,232 ----
269	argv++;
270	argc--;
271	switch (option) {
272	+ case 'H':
273	+ #if !HAS_URI_SUPPORT
274	+ fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
275	+ exit(1);
276	+ #endif
277	+ /* Fall thru to -h */
278	case 'h':
279	if (ldapServer) {
280	int len = strlen(ldapServer) + 1 + strlen(value) + 1;
281	***************
282	* 172,181 **
283	else if (strcmp(value, "sub") == 0)
284	searchscope = LDAP_SCOPE_SUBTREE;
285	else {
286	! fprintf(stderr, "squid_ldap_auth: ERROR: Unknown search scope '%s'\n", value);
287	exit(1);
288	}
289	break;
290	case 'a':
291	if (strcmp(value, "never") == 0)
292	aliasderef = LDAP_DEREF_NEVER;
293	--- 255,280 ----
294	else if (strcmp(value, "sub") == 0)
295	searchscope = LDAP_SCOPE_SUBTREE;
296	else {
297	! fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown search scope '%s'\n", value);
298	exit(1);
299	}
300	break;
301	+ case 'E':
302	+ #if defined(NETSCAPE_SSL)
303	+ sslpath = value;
304	+ if (port == LDAP_PORT)
305	+ port = LDAPS_PORT;
306	+ #else
307	+ fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
308	+ exit(1);
309	+ #endif
310	+ break;
311	+ case 'c':
312	+ connect_timeout = atoi(value);
313	+ break;
314	+ case 't':
315	+ timelimit = atoi(value);
316	+ break;
317	case 'a':
318	if (strcmp(value, "never") == 0)
319	aliasderef = LDAP_DEREF_NEVER;
320	***************
321	* 186,192 **
322	else if (strcmp(value, "find") == 0)
323	aliasderef = LDAP_DEREF_FINDING;
324	else {
325	! fprintf(stderr, "squid_ldap_auth: ERROR: Unknown alias dereference method '%s'\n", value);
326	exit(1);
327	}
328	break;
329	--- 285,291 ----
330	else if (strcmp(value, "find") == 0)
331	aliasderef = LDAP_DEREF_FINDING;
332	else {
333	! fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown alias dereference method '%s'\n", value);
334	exit(1);
335	}
336	break;
337	***************
338	* 196,201 **
339	--- 295,303 ----
340	case 'w':
341	bindpasswd = value;
342	break;
343	+ case 'W':
344	+ readSecret (value);
345	+ break;
346	case 'P':
347	persistent = !persistent;
348	break;
349	***************
350	* 205,212 **
351	case 'R':
352	noreferrals = !noreferrals;
353	break;
354	default:
355	! fprintf(stderr, "squid_ldap_auth: ERROR: Unknown command line option '%c'\n", option);
356	exit(1);
357	}
358	}
359	--- 307,338 ----
360	case 'R':
361	noreferrals = !noreferrals;
362	break;
363	+ #ifdef LDAP_VERSION3
364	+ case 'v':
365	+ switch( atoi(value) ) {
366	+ case 2:
367	+ version = LDAP_VERSION2;
368	+ break;
369	+ case 3:
370	+ version = LDAP_VERSION3;
371	+ break;
372	+ default:
373	+ fprintf( stderr, "Protocol version should be 2 or 3\n");
374	+ exit(1);
375	+ }
376	+ break;
377	+ case 'Z':
378	+ if ( version == LDAP_VERSION2 ) {
379	+ fprintf( stderr, "TLS (-Z) is incompatible with version %d\n",
380	+ version);
381	+ exit(1);
382	+ }
383	+ version = LDAP_VERSION3;
384	+ use_tls = 1;
385	+ break;
386	+ #endif
387	default:
388	! fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option);
389	exit(1);
390	}
391	}
392	***************
393	* 229,249 **
394	ldapServer = "localhost";
395
396	if (!basedn) {
397	! fprintf(stderr, "Usage: squid_ldap_auth -b basedn [options] [ldap_server_name[:port]]...\n\n");
398	fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
399	fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
400	fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
401	fprintf(stderr, "\t-s base\|one\|sub\t\tsearch scope\n");
402	fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
403	fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
404	fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
405	fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
406	fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
407	fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
408	fprintf(stderr, "\t-a never\|always\|search\|find\n\t\t\t\twhen to dereference aliases\n");
409	fprintf(stderr, "\n");
410	fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
411	! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n");
412	exit(1);
413	}
414	while (fgets(buf, 256, stdin) != NULL) {
415	--- 355,388 ----
416	ldapServer = "localhost";
417
418	if (!basedn) {
419	! fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn [options] [ldap_server_name[:port]]...\n\n");
420	fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
421	fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
422	fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
423	fprintf(stderr, "\t-s base\|one\|sub\t\tsearch scope\n");
424	fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
425	fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
426	+ fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
427	+ #if HAS_URI_SUPPORT
428	+ fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
429	+ #endif
430	fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
431	fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
432	fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
433	+ #if defined(NETSCAPE_SSL)
434	+ fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
435	+ #endif
436	+ fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
437	+ fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
438	fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
439	fprintf(stderr, "\t-a never\|always\|search\|find\n\t\t\t\twhen to dereference aliases\n");
440	+ #ifdef LDAP_VERSION3
441	+ fprintf(stderr, "\t-v 2\|3\t\t\tLDAP version\n");
442	+ fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires LDAP version 3\n");
443	+ #endif
444	fprintf(stderr, "\n");
445	fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
446	! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
447	exit(1);
448	}
449	while (fgets(buf, 256, stdin) != NULL) {
450	***************
451	* 259,269 **
452	--- 398,456 ----
453	tryagain = 1;
454	recover:
455	if (ld == NULL) {
456	+ #if HAS_URI_SUPPORT
457	+ if (strstr(ldapServer, "://") != NULL) {
458	+ int rc = ldap_initialize( &ld, ldapServer );
459	+ if( rc != LDAP_SUCCESS ) {
460	+ fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
461	+ break;
462	+ }
463	+ } else
464	+ #endif
465	+ #if NETSCAPE_SSL
466	+ if (sslpath) {
467	+ if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
468	+ fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
469	+ sslpath);
470	+ exit(1);
471	+ } else {
472	+ sslinit++;
473	+ }
474	+ if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
475	+ fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
476	+ ldapServer, port);
477	+ exit(1);
478	+ }
479	+ } else
480	+ #endif
481	if ((ld = ldap_init(ldapServer, port)) == NULL) {
482	fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",
483	ldapServer, port);
484	exit(1);
485	}
486	+
487	+ if (connect_timeout)
488	+ squid_ldap_set_connect_timeout(ld, connect_timeout);
489	+
490	+ #ifdef LDAP_VERSION3
491	+ if (version == -1 ) {
492	+ version = LDAP_VERSION2;
493	+ }
494	+
495	+ if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
496	+ != LDAP_OPT_SUCCESS )
497	+ {
498	+ fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
499	+ version );
500	+ exit(1);
501	+ }
502	+
503	+ if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS )) {
504	+ fprintf( stderr, "Could not Activate TLS connection\n");
505	+ exit(1);
506	+ }
507	+ #endif
508	+ squid_ldap_set_timelimit(ld, timelimit);
509	squid_ldap_set_referrals(ld, !noreferrals);
510	squid_ldap_set_aliasderef(ld, aliasderef);
511	}
512	***************
513	* 311,317 **
514	if (binddn) {
515	rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
516	if (rc != LDAP_SUCCESS) {
517	! fprintf(stderr, "squid_ldap_auth: WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
518	return 1;
519	}
520	}
521	--- 498,504 ----
522	if (binddn) {
523	rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
524	if (rc != LDAP_SUCCESS) {
525	! fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
526	return 1;
527	}
528	}
529	***************
530	* 323,329 **
531	* are disabled.
532	*/
533	} else {
534	! fprintf(stderr, "squid_ldap_auth: WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
535	ldap_msgfree(res);
536	return 1;
537	}
538	--- 510,522 ----
539	* are disabled.
540	*/
541	} else {
542	! fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
543	! #if defined(NETSCAPE_SSL)
544	! if (sslpath && ((rc == LDAP_SERVER_DOWN) \|\| (rc == LDAP_CONNECT_ERROR))) {
545	! int sslerr = PORT_GetError();
546	! fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
547	! }
548	! #endif
549	ldap_msgfree(res);
550	return 1;
551	}
552	***************
553	* 335,346 **
554	}
555	userdn = ldap_get_dn(ld, entry);
556	if (!userdn) {
557	! fprintf(stderr, "squid_ldap_auth: ERROR, could not get user DN for '%s'\n", userid);
558	ldap_msgfree(res);
559	return 1;
560	}
561	snprintf(dn, sizeof(dn), "%s", userdn);
562	! free(userdn);
563	ldap_msgfree(res);
564	} else {
565	snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
566	--- 528,539 ----
567	}
568	userdn = ldap_get_dn(ld, entry);
569	if (!userdn) {
570	! fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid);
571	ldap_msgfree(res);
572	return 1;
573	}
574	snprintf(dn, sizeof(dn), "%s", userdn);
575	! squid_ldap_memfree(userdn);
576	ldap_msgfree(res);
577	} else {
578	snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
579	***************
580	* 350,353 **
581	--- 543,579 ----
582	return 1;
583
584	return 0;
585	+ }
586	+
587	+ int readSecret(char *filename)
588	+ {
589	+ char buf[BUFSIZ];
590	+ char *e=0;
591	+ FILE *f;
592	+
593	+ if(!(f=fopen(filename, "r"))) {
594	+ fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
595	+ return 1;
596	+ }
597	+
598	+ if( !fgets(buf, sizeof(buf)-1, f)) {
599	+ fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
600	+ fclose(f);
601	+ return 1;
602	+ }
603	+
604	+ /* strip whitespaces on end */
605	+ if((e = strrchr(buf, '\n'))) *e = 0;
606	+ if((e = strrchr(buf, '\r'))) *e = 0;
607	+
608	+ bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1);
609	+ if (bindpasswd) {
610	+ strcpy(bindpasswd, buf);
611	+ } else {
612	+ fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
613	+ }
614	+
615	+ fclose(f);
616	+
617	+ return 0;
618	}