1 | Index: squid/helpers/external_acl/ldap_group/ChangeLog | |
2 | diff -c /dev/null squid/helpers/external_acl/ldap_group/ChangeLog:1.1.2.1 | |
3 | *** /dev/null Fri Nov 21 10:14:58 2003 | |
4 | --- squid/helpers/external_acl/ldap_group/ChangeLog Wed Nov 19 17:41:37 2003 | |
5 | *************** | |
6 | *** 0 **** | |
7 | --- 1,172 ---- | |
8 | + Version 2.12 | |
9 | + | |
10 | + 2003-03-01 Christoph Lechleitner <lech@ibcl.at> | |
11 | + Added -W option to read bindpasswd from file, | |
12 | + e.g. from /etc/ldap.secret | |
13 | + | |
14 | + 2003-03-01 Juerg Michel | |
15 | + | |
16 | + Added support for ldap URI via the -H option | |
17 | + | |
18 | + Version 2.11 | |
19 | + | |
20 | + 2003-01-31 Henrik Nordstrom <hno@marasystems.com> | |
21 | + | |
22 | + Packaged as a distribution, with Makefile, README | |
23 | + and INSTALL | |
24 | + | |
25 | + Corrected the squid.conf examples in the manpage and | |
26 | + some spelling in the same | |
27 | + | |
28 | + Separated the changelog/history to a separate | |
29 | + ChangeLog file (this file) | |
30 | + | |
31 | + 2003-01-27 Henrik Nordstrom <hno@marasystems.com> | |
32 | + | |
33 | + Cleaned up error messages shown when a nonexisting | |
34 | + user tries to log in | |
35 | + | |
36 | + Version 2.10 | |
37 | + | |
38 | + 2003-01-07 Jon Kinred | |
39 | + | |
40 | + Fixed user search mode (-F/-u) when -g is not used | |
41 | + | |
42 | + Version 2.9 | |
43 | + | |
44 | + 2003-01-03 Henrik Nordstrom <hno@marasystems.com> | |
45 | + | |
46 | + Fixed missing string termination on ldap_escape_vale, | |
47 | + and corrected build problem with LDAPv2 libraries | |
48 | + | |
49 | + Version 2.8 | |
50 | + | |
51 | + 2002-11-27 Henrik Nordstrom <hno@marasystems.com> | |
52 | + | |
53 | + Replacement for ldap_build_filter. Also changed | |
54 | + the % codes to %u (user) and %g (group) which | |
55 | + is a bit more intuitive. | |
56 | + | |
57 | + 2002-11-21 Gerard Eviston | |
58 | + | |
59 | + Fix ldap_search_s error management. This fixes | |
60 | + a core dump if there is a LDAP search filter | |
61 | + syntax error (possibly caused by malformed input). | |
62 | + | |
63 | + Version 2.7 | |
64 | + | |
65 | + 2002-10-22: Henrik Nordstrom <hno@marasystems.com> | |
66 | + | |
67 | + strwordtok bugfix | |
68 | + | |
69 | + Version 2.6 | |
70 | + | |
71 | + 2002-09-21: Gerard Eviston | |
72 | + | |
73 | + -S option to strip NT domain names from | |
74 | + login names | |
75 | + | |
76 | + Version 2.5 | |
77 | + | |
78 | + 2002-09-09: Henrik Nordstrom <hno@marasystems.com> | |
79 | + | |
80 | + Added support for user DN lookups | |
81 | + (-u -B -F options) | |
82 | + | |
83 | + Version 2.4 | |
84 | + | |
85 | + 2002-09-06: Henrik Nordstrom <hno@marasystems.com> | |
86 | + | |
87 | + Many bugfixes in connection management | |
88 | + | |
89 | + -g option added, and added support | |
90 | + for multiple groups. Prior versions | |
91 | + only supported one group and an optional | |
92 | + group base RDN | |
93 | + | |
94 | + Version 2.3 | |
95 | + | |
96 | + 2002-09-04: Henrik Nordstrom <hno@marasystems.com> | |
97 | + | |
98 | + Minor cleanups | |
99 | + | |
100 | + Version 2.2 | |
101 | + | |
102 | + 2002-09-04: Henrik Nordstrom <hno@marasystems.com> | |
103 | + | |
104 | + Merged changes from squid_ldap_auth.c | |
105 | + - TLS support (Michael Cunningham) | |
106 | + - -p option to specify port | |
107 | + | |
108 | + Documented the % codes to use in -f | |
109 | + | |
110 | + Version 2.1 | |
111 | + | |
112 | + 2002-08-21: Henrik Nordstrom <hno@marasystems.com> | |
113 | + | |
114 | + Support groups or usernames having spaces | |
115 | + | |
116 | + Version 2.0 | |
117 | + | |
118 | + 2002-01-22: Henrik Nordstrom <hno@marasystems.com> | |
119 | + | |
120 | + Added optional third query argument for search RDN | |
121 | + | |
122 | + 2002-01-22: Henrik Nordstrom <hno@marasystems.com> | |
123 | + | |
124 | + Removed unused options, and fully changed name | |
125 | + to squid_ldap_match. | |
126 | + | |
127 | + Version 1.0 | |
128 | + | |
129 | + 2001-07-17: Flavio Pescuma <flavio@marasystems.com> | |
130 | + | |
131 | + Using the main function from squid_ldap_auth | |
132 | + wrote squid_ldap_match. This program replaces | |
133 | + the %a and %v (ldapfilter.conf) from the filter | |
134 | + template supplied with -f with the two arguments | |
135 | + sent by squid. Returns OK if the ldap_search | |
136 | + using the composed filter succeeds. | |
137 | + | |
138 | + Changes from squid_ldap_auth.c: | |
139 | + | |
140 | + 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com> | |
141 | + | |
142 | + - Added TLS support and partial ldap version 3 support. | |
143 | + | |
144 | + 2001-09-05: Henrik Nordstrom <hno@squid-cache.org> | |
145 | + | |
146 | + - Added ability to specify another default LDAP port to | |
147 | + connect to. Persistent connections moved to -P | |
148 | + | |
149 | + 2001-05-02: Henrik Nordstrom <hno@squid-cache.org> | |
150 | + | |
151 | + - Support newer OpenLDAP 2.x libraries using the | |
152 | + revised Internet Draft API which unfortunately | |
153 | + is not backwards compatible with RFC1823.. | |
154 | + | |
155 | + 2001-04-15: Henrik Nordstrom <hno@squid-cache.org> | |
156 | + | |
157 | + - Added command line option for basedn | |
158 | + | |
159 | + - Added the ability to search for the user DN | |
160 | + | |
161 | + 2001-04-16: Henrik Nordstrom <hno@squid-cache.org> | |
162 | + | |
163 | + - Added -D binddn -w bindpasswd. | |
164 | + | |
165 | + 2001-04-17: Henrik Nordstrom <hno@squid-cache.org> | |
166 | + | |
167 | + - Added -R to disable referrals | |
168 | + | |
169 | + - Added -a to control alias dereferencing | |
170 | + | |
171 | + 2001-04-17: Henrik Nordstrom <hno@squid-cache.org> | |
172 | + | |
173 | + - Added -u, DN username attribute name | |
174 | + | |
175 | + 2001-04-18: Henrik Nordstrom <hno@squid-cache.org> | |
176 | + | |
177 | + - Allow full filter specifications in -f | |
178 | + | |
179 | + -- END -- | |
180 | Index: squid/helpers/external_acl/ldap_group/README | |
181 | diff -c /dev/null squid/helpers/external_acl/ldap_group/README:1.1.2.1 | |
182 | *** /dev/null Fri Nov 21 10:14:59 2003 | |
183 | --- squid/helpers/external_acl/ldap_group/README Wed Nov 19 17:41:37 2003 | |
184 | *************** | |
185 | *** 0 **** | |
186 | --- 1,10 ---- | |
187 | + This program is a LDAP group helper for Squid. | |
188 | + | |
189 | + See the included manpage for documentation. | |
190 | + | |
191 | + nroff -man squid_ldap_group.8 | less | |
192 | + | |
193 | + See INSTALL for installation instructions | |
194 | + | |
195 | + The latest version of this program can always be found from | |
196 | + MARA Systems at http://marasystems.com/download/LDAP_Group/ | |
197 | Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.8 | |
198 | diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.2 squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 | |
199 | *** squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.2 Wed Nov 27 16:42:22 2002 | |
200 | --- squid/helpers/external_acl/ldap_group/squid_ldap_group.8 Wed Nov 19 17:41:37 2003 | |
201 | *************** | |
202 | *** 1,17 **** | |
203 | ! .TH squid_ldap_group 8 "7 September 2002" "Squid LDAP Match" | |
204 | . | |
205 | .SH NAME | |
206 | squid_ldap_group - Squid LDAP external acl group helper | |
207 | . | |
208 | .SH SYNOPSIS | |
209 | ! squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...] | |
210 | . | |
211 | .SH DESCRIPTION | |
212 | This helper allows Squid to connect to a LDAP directory to | |
213 | authorize users via LDAP groups. | |
214 | .P | |
215 | The program operates by searching with a search filter based | |
216 | ! on the users login name and requested group, and if a match | |
217 | is found it is determined that the user belongs to the group. | |
218 | . | |
219 | .TP | |
220 | --- 1,17 ---- | |
221 | ! .TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Group" | |
222 | . | |
223 | .SH NAME | |
224 | squid_ldap_group - Squid LDAP external acl group helper | |
225 | . | |
226 | .SH SYNOPSIS | |
227 | ! squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI] | |
228 | . | |
229 | .SH DESCRIPTION | |
230 | This helper allows Squid to connect to a LDAP directory to | |
231 | authorize users via LDAP groups. | |
232 | .P | |
233 | The program operates by searching with a search filter based | |
234 | ! on the users user name and requested group, and if a match | |
235 | is found it is determined that the user belongs to the group. | |
236 | . | |
237 | .TP | |
238 | *************** | |
239 | *** 25,31 **** | |
240 | .TP | |
241 | .B "-g" | |
242 | Specifies that the first query argument sent to the helper by Squid is | |
243 | ! a extension to the basedn and will be temporarily added infront of the | |
244 | global basedn for this query. | |
245 | . | |
246 | .TP | |
247 | --- 25,31 ---- | |
248 | .TP | |
249 | .B "-g" | |
250 | Specifies that the first query argument sent to the helper by Squid is | |
251 | ! a extension to the basedn and will be temporarily added in front of the | |
252 | global basedn for this query. | |
253 | . | |
254 | .TP | |
255 | *************** | |
256 | *** 33,39 **** | |
257 | LDAP search filter used to search the LDAP directory for any | |
258 | matching group memberships. | |
259 | .BR | |
260 | ! In the filter %u will be replaced by the user login name (or DN if | |
261 | the -F or -u options are used) and %g by the requested group name. | |
262 | . | |
263 | .TP | |
264 | --- 33,39 ---- | |
265 | LDAP search filter used to search the LDAP directory for any | |
266 | matching group memberships. | |
267 | .BR | |
268 | ! In the filter %u will be replaced by the user name (or DN if | |
269 | the -F or -u options are used) and %g by the requested group name. | |
270 | . | |
271 | .TP | |
272 | *************** | |
273 | *** 41,53 **** | |
274 | LDAP search filter used to search the LDAP directory for any | |
275 | matching users. | |
276 | .BR | |
277 | ! In the filter %s will be replaced by the user login name. If % is to be | |
278 | included literally in the filter then use %%. | |
279 | . | |
280 | .TP | |
281 | .BI "-u " attr | |
282 | ! LDAP attribute used to construct the user DN from the login name and | |
283 | ! base dn. | |
284 | . | |
285 | .TP | |
286 | .BI "-s " base|one|sub | |
287 | --- 41,53 ---- | |
288 | LDAP search filter used to search the LDAP directory for any | |
289 | matching users. | |
290 | .BR | |
291 | ! In the filter %s will be replaced by the user name. If % is to be | |
292 | included literally in the filter then use %%. | |
293 | . | |
294 | .TP | |
295 | .BI "-u " attr | |
296 | ! LDAP attribute used to construct the user DN from the user name and | |
297 | ! base dn without needing to search for the user. | |
298 | . | |
299 | .TP | |
300 | .BI "-s " base|one|sub | |
301 | *************** | |
302 | *** 72,81 **** | |
303 | extracts the password used from a process listing. | |
304 | . | |
305 | .TP | |
306 | .BI -P | |
307 | Use a persistent LDAP connection. Normally the LDAP connection | |
308 | ! is only open while validating a username to preserve resources | |
309 | ! at the LDAP server. This option causes the LDAP connection to | |
310 | be kept open, allowing it to be reused for further user | |
311 | validations. Recommended for larger installations. | |
312 | . | |
313 | --- 72,91 ---- | |
314 | extracts the password used from a process listing. | |
315 | . | |
316 | .TP | |
317 | + .BI "-D " "binddn " "-W " "secretfile " | |
318 | + The DN and the name of a file containing the password | |
319 | + to bind as while performing searches. | |
320 | + .IP | |
321 | + Less insecure version of the former parameter pair with two advantages: | |
322 | + The password does not occur in the process listing, | |
323 | + and the password is not being compromised if someone gets the squid | |
324 | + configuration file without getting the secretfile. | |
325 | + . | |
326 | + .TP | |
327 | .BI -P | |
328 | Use a persistent LDAP connection. Normally the LDAP connection | |
329 | ! is only open while verifying a users group membership to preserve | |
330 | ! resources at the LDAP server. This option causes the LDAP connection to | |
331 | be kept open, allowing it to be reused for further user | |
332 | validations. Recommended for larger installations. | |
333 | . | |
334 | *************** | |
335 | *** 97,102 **** | |
336 | --- 107,116 ---- | |
337 | the base object | |
338 | . | |
339 | .TP | |
340 | + .BI -H " ldapuri" | |
341 | + Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries) | |
342 | + . | |
343 | + .TP | |
344 | .BI -h " ldapserver" | |
345 | Specify the LDAP server to connect to | |
346 | .TP | |
347 | *************** | |
348 | *** 105,112 **** | |
349 | other than the default LDAP port 389. | |
350 | . | |
351 | .TP | |
352 | .BI -S | |
353 | ! Strip NT domain name component from usernames (/ or \\ separated) | |
354 | . | |
355 | .SH SQUID CONFIGURATION | |
356 | . | |
357 | --- 119,142 ---- | |
358 | other than the default LDAP port 389. | |
359 | . | |
360 | .TP | |
361 | + .BI -Z | |
362 | + Use TLS encryption | |
363 | + . | |
364 | + .TP | |
365 | + .BI -E certpath | |
366 | + Enable LDAP over SSL (requires Netscape LDAP API libraries) | |
367 | + . | |
368 | + .TP | |
369 | + .BI -c connect_timeout | |
370 | + Specify timeout used when connecting to LDAP servers (requires | |
371 | + Netscape LDAP API libraries) | |
372 | + .TP | |
373 | + .BI -t search_timeout | |
374 | + Specify time limit on LDAP search operations | |
375 | + . | |
376 | + .TP | |
377 | .BI -S | |
378 | ! Strip NT domain name component from user names (/ or \\ separated) | |
379 | . | |
380 | .SH SQUID CONFIGURATION | |
381 | . | |
382 | *************** | |
383 | *** 117,131 **** | |
384 | .nf | |
385 | external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ... | |
386 | .br | |
387 | ! acl group1 ldap_group Group1 | |
388 | .br | |
389 | ! acl group2 ldap_gorup Group2 | |
390 | .fi | |
391 | .ft | |
392 | . | |
393 | .SH NOTES | |
394 | . | |
395 | ! When constructing search filters it is strongly recommended to test the filter | |
396 | using ldapsearch before you attempt to use squid_ldap_group. This to verify | |
397 | that the filter matches what you expect. | |
398 | . | |
399 | --- 147,161 ---- | |
400 | .nf | |
401 | external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ... | |
402 | .br | |
403 | ! acl group1 external ldap_group Group1 | |
404 | .br | |
405 | ! acl group2 external ldap_group Group2 | |
406 | .fi | |
407 | .ft | |
408 | . | |
409 | .SH NOTES | |
410 | . | |
411 | ! When constructing search filters it is recommended to first test the filter | |
412 | using ldapsearch before you attempt to use squid_ldap_group. This to verify | |
413 | that the filter matches what you expect. | |
414 | . | |
415 | *************** | |
416 | *** 141,147 **** | |
417 | .I Glen Newton <glen.newton@nrc.ca> | |
418 | . | |
419 | .SH KNOWN LIMITATIONS | |
420 | ! Max 16 occurances of %s in the -u argument is supported. | |
421 | . | |
422 | .SH QUESTIONS | |
423 | Any questions on usage can be sent to | |
424 | --- 171,177 ---- | |
425 | .I Glen Newton <glen.newton@nrc.ca> | |
426 | . | |
427 | .SH KNOWN LIMITATIONS | |
428 | ! Max 16 occurrences of %s in the -u argument is supported. | |
429 | . | |
430 | .SH QUESTIONS | |
431 | Any questions on usage can be sent to | |
432 | Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c | |
433 | diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.11 squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.13 | |
434 | *** squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.11 Sat Jan 11 06:07:08 2003 | |
435 | --- squid/helpers/external_acl/ldap_group/squid_ldap_group.c Fri Nov 21 10:13:58 2003 | |
436 | *************** | |
437 | *** 13,20 **** | |
438 | * Henrik Nordstrom <hno@marasystems.com> | |
439 | * MARA Systems AB, Sweden <http://www.marasystems.com> | |
440 | * | |
441 | ! * With contributions from others mentioned in the change histor section | |
442 | ! * below. | |
443 | * | |
444 | * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom. | |
445 | * | |
446 | --- 13,19 ---- | |
447 | * Henrik Nordstrom <hno@marasystems.com> | |
448 | * MARA Systems AB, Sweden <http://www.marasystems.com> | |
449 | * | |
450 | ! * With contributions from others mentioned in the ChangeLog file | |
451 | * | |
452 | * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom. | |
453 | * | |
454 | *************** | |
455 | *** 32,124 **** | |
456 | * and/or modify it under the terms of the GNU General Public License | |
457 | * as published by the Free Software Foundation; either version 2, | |
458 | * or (at your option) any later version. | |
459 | - * | |
460 | - * History: | |
461 | - * | |
462 | - * Version 2.10 | |
463 | - * 2003-01-07 Jon Kinred | |
464 | - * Fixed user search mode (-F/-u) when -g is not used | |
465 | - * Version 2.9 | |
466 | - * 2003-01-03 Henrik Nordstrom <hno@marasystems.com> | |
467 | - * Fixed missing string termination on ldap_escape_vale, | |
468 | - * and corrected build problem with LDAPv2 libraries | |
469 | - * Version 2.8 | |
470 | - * 2002-11-27 Henrik Nordstrom <hno@marasystems.com> | |
471 | - * Replacement for ldap_build_filter. Also changed | |
472 | - * the % codes to %u (user) and %g (group) which | |
473 | - * is a bit more intuitive. | |
474 | - * 2002-11-21 Gerard Eviston | |
475 | - * Fix ldap_search_s error management. This fixes | |
476 | - * a core dump if there is a LDAP search filter | |
477 | - * syntax error (possibly caused by malformed input). | |
478 | - * Version 2.7 | |
479 | - * 2002-10-22: Henrik Nordstrom <hno@marasystems.com> | |
480 | - * strwordtok bugfix | |
481 | - * Version 2.6 | |
482 | - * 2002-09-21: Gerard Eviston | |
483 | - * -S option to strip NT domain names from | |
484 | - * login names | |
485 | - * Version 2.5 | |
486 | - * 2002-09-09: Henrik Nordstrom <hno@marasystems.com> | |
487 | - * Added support for user DN lookups | |
488 | - * (-u -B -F options) | |
489 | - * Version 2.4 | |
490 | - * 2002-09-06: Henrik Nordstrom <hno@marasystems.com> | |
491 | - * Many bugfixes in connection management | |
492 | - * -g option added, and added support | |
493 | - * for multiple groups. Prior versions | |
494 | - * only supported one group and an optional | |
495 | - * group base RDN | |
496 | - * Version 2.3 | |
497 | - * 2002-09-04: Henrik Nordstrom <hno@marasystems.com> | |
498 | - * Minor cleanups | |
499 | - * Version 2.2 | |
500 | - * 2002-09-04: Henrik Nordstrom <hno@marasystems.com> | |
501 | - * Merged changes from squid_ldap_auth.c | |
502 | - * - TLS support (Michael Cunningham) | |
503 | - * - -p option to specify port | |
504 | - * Documented the % codes to use in -f | |
505 | - * Version 2.1 | |
506 | - * 2002-08-21: Henrik Nordstrom <hno@marasystems.com> | |
507 | - * Support groups or usernames having spaces | |
508 | - * Version 2.0 | |
509 | - * 2002-01-22: Henrik Nordstrom <hno@marasystems.com> | |
510 | - * Added optional third query argument for search RDN | |
511 | - * 2002-01-22: Henrik Nordstrom <hno@marasystems.com> | |
512 | - * Removed unused options, and fully changed name | |
513 | - * to squid_ldap_group. | |
514 | - * Version 1.0 | |
515 | - * 2001-07-17: Flavio Pescuma <flavio@marasystems.com> | |
516 | - * Using the main function from squid_ldap_auth | |
517 | - * wrote squid_ldap_group. This program replaces | |
518 | - * the %a and %v (ldapfilter.conf) from the filter | |
519 | - * template supplied with -f with the two arguments | |
520 | - * sent by squid. Returns OK if the ldap_search | |
521 | - * using the composed filter succeeds. | |
522 | - * | |
523 | - * Changes from squid_ldap_auth.c: | |
524 | - * | |
525 | - * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com> | |
526 | - * - Added TLS support and partial ldap version 3 support. | |
527 | - * 2001-09-05: Henrik Nordstrom <hno@squid-cache.org> | |
528 | - * - Added ability to specify another default LDAP port to | |
529 | - * connect to. Persistent connections moved to -P | |
530 | - * 2001-05-02: Henrik Nordstrom <hno@squid-cache.org> | |
531 | - * - Support newer OpenLDAP 2.x libraries using the | |
532 | - * revised Internet Draft API which unfortunately | |
533 | - * is not backwards compatible with RFC1823.. | |
534 | - * 2001-04-15: Henrik Nordstrom <hno@squid-cache.org> | |
535 | - * - Added command line option for basedn | |
536 | - * - Added the ability to search for the user DN | |
537 | - * 2001-04-16: Henrik Nordstrom <hno@squid-cache.org> | |
538 | - * - Added -D binddn -w bindpasswd. | |
539 | - * 2001-04-17: Henrik Nordstrom <hno@squid-cache.org> | |
540 | - * - Added -R to disable referrals | |
541 | - * - Added -a to control alias dereferencing | |
542 | - * 2001-04-17: Henrik Nordstrom <hno@squid-cache.org> | |
543 | - * - Added -u, DN username attribute name | |
544 | - * 2001-04-18: Henrik Nordstrom <hno@squid-cache.org> | |
545 | - * - Allow full filter specifications in -f | |
546 | */ | |
547 | ||
548 | #include <stdio.h> | |
549 | --- 31,36 ---- | |
550 | *************** | |
551 | *** 126,133 **** | |
552 | #include <stdlib.h> | |
553 | #include <ctype.h> | |
554 | #include <lber.h> | |
555 | - #include <ldap_cdefs.h> | |
556 | #include <ldap.h> | |
557 | ||
558 | #define PROGRAM_NAME "squid_ldap_group" | |
559 | ||
560 | --- 38,47 ---- | |
561 | #include <stdlib.h> | |
562 | #include <ctype.h> | |
563 | #include <lber.h> | |
564 | #include <ldap.h> | |
565 | + #if defined(LDAP_OPT_NETWORK_TIMEOUT) | |
566 | + #include <sys/time.h> | |
567 | + #endif | |
568 | ||
569 | #define PROGRAM_NAME "squid_ldap_group" | |
570 | ||
571 | *************** | |
572 | *** 145,150 **** | |
573 | --- 59,70 ---- | |
574 | static int noreferrals = 0; | |
575 | static int debug = 0; | |
576 | static int aliasderef = LDAP_DEREF_NEVER; | |
577 | + #if defined(NETSCAPE_SSL) | |
578 | + static char *sslpath = NULL; | |
579 | + static int sslinit = 0; | |
580 | + #endif | |
581 | + static int connect_timeout = 0; | |
582 | + static int timelimit = LDAP_NO_LIMIT; | |
583 | ||
584 | #ifdef LDAP_VERSION3 | |
585 | /* Added for TLS support and version 3 */ | |
586 | *************** | |
587 | *** 154,159 **** | |
588 | --- 74,81 ---- | |
589 | ||
590 | static int searchLDAP(LDAP * ld, char *group, char *user, char *extension_dn); | |
591 | ||
592 | + static int readSecret(char *filename); | |
593 | + | |
594 | /* Yuck.. we need to glue to different versions of the API */ | |
595 | ||
596 | #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823 | |
597 | *************** | |
598 | *** 175,180 **** | |
599 | --- 97,120 ---- | |
600 | int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF; | |
601 | ldap_set_option(ld, LDAP_OPT_REFERRALS, value); | |
602 | } | |
603 | + static void | |
604 | + squid_ldap_set_timelimit(LDAP *ld, int timelimit) | |
605 | + { | |
606 | + ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit); | |
607 | + } | |
608 | + static void | |
609 | + squid_ldap_set_connect_timeout(LDAP *ld, int timelimit) | |
610 | + { | |
611 | + #if defined(LDAP_OPT_NETWORK_TIMEOUT) | |
612 | + struct timeval tv; | |
613 | + tv.tv_sec = timelimit; | |
614 | + tv.tv_usec = 0; | |
615 | + ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); | |
616 | + #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT) | |
617 | + timelimit *= 1000; | |
618 | + ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit); | |
619 | + #endif | |
620 | + } | |
621 | static void | |
622 | squid_ldap_memfree(char *p) | |
623 | { | |
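Review bot: The parameter `int timelimit` of both new helpers shadows the file-scope `static int timelimit` added earlier in this commit, which -Wshadow flags and which makes the bodies easy to misread; naming it `int seconds` avoids that, and the same applies to the pre-1823 variants in the next hunk. Neither `ldap_set_option` result is checked, and when neither LDAP_OPT_NETWORK_TIMEOUT nor LDAP_X_OPT_CONNECT_TIMEOUT is defined the OpenLDAP variant silently ignores -c, whereas the older-API variant in the next hunk at least prints "Connect timeouts not supported". An `#else` branch with `fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");` would make the two consistent, so a requested connect bound that is not applied is at least visible in the helper log rather than leaving the helper blocking on the OS default.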
624 | *************** | |
625 | *** 199,204 **** | |
626 | --- 139,154 ---- | |
627 | else | |
628 | ld->ld_options &= ~LDAP_OPT_REFERRALS; | |
629 | } | |
630 | + static void | |
631 | + squid_ldap_set_timelimit(LDAP *ld, int timelimit) | |
632 | + { | |
633 | + ld->ld_timelimit = timelimit; | |
634 | + } | |
635 | + static void | |
636 | + squid_ldap_set_connect_timeout(LDAP *ld, int timelimit) | |
637 | + { | |
638 | + fprintf(stderr, "Connect timeouts not supported in your LDAP library\n"); | |
639 | + } | |
640 | static void | |
641 | squid_ldap_memfree(char *p) | |
642 | { | |
643 | *************** | |
644 | *** 206,211 **** | |
645 | --- 156,167 ---- | |
646 | } | |
647 | #endif | |
648 | ||
649 | + #ifdef LDAP_API_FEATURE_X_OPENLDAP | |
650 | + #if LDAP_VENDOR_VERSION > 194 | |
651 | + #define HAS_URI_SUPPORT 1 | |
652 | + #endif | |
653 | + #endif | |
654 | + | |
655 | static char * | |
656 | strwordtok(char *buf, char **t) | |
657 | { | |
658 | *************** | |
659 | *** 290,295 **** | |
660 | --- 246,257 ---- | |
661 | argv++; | |
662 | argc--; | |
663 | switch (option) { | |
664 | + case 'H': | |
665 | + #if !HAS_URI_SUPPORT | |
666 | + fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n"); | |
667 | + exit(1); | |
668 | + #endif | |
669 | + /* Fall thru to -h */ | |
670 | case 'h': | |
671 | if (ldapServer) { | |
672 | int len = strlen(ldapServer) + 1 + strlen(value) + 1; | |
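Review bot: Falling through from `case 'H':` into the -h code appends a URI given with -H to the same `ldapServer` string as any -h hostnames (the length arithmetic on the line after `if (ldapServer)` builds a joined list), and the later `strstr(ldapServer, "://")` test in the connect hunk then hands the whole mixed list to `ldap_initialize`, which presumably does not accept the bare hostnames in it. Either reject mixing the two before the fall-through, e.g. `if (ldapServer && !strstr(ldapServer, "://")) { fprintf(stderr, "ERROR: -H cannot be combined with -h\n"); exit(1); }`, or state in the usage text that -H and -h are exclusive. `#if !HAS_URI_SUPPORT` also relies on an undefined macro evaluating to 0; it works because the define is `1`, but `#if !defined(HAS_URI_SUPPORT)` says what is meant. The enclosing switch and main() continue outside the hunk.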
673 | *************** | |
674 | *** 301,307 **** | |
675 | ldapServer = strdup(value); | |
676 | } | |
677 | break; | |
678 | - | |
679 | case 'b': | |
680 | basedn = value; | |
681 | break; | |
682 | --- 263,268 ---- | |
683 | *************** | |
684 | *** 329,334 **** | |
685 | --- 290,311 ---- | |
686 | exit(1); | |
687 | } | |
688 | break; | |
689 | + case 'S': | |
690 | + #if defined(NETSCAPE_SSL) | |
691 | + sslpath = value; | |
692 | + if (port == LDAP_PORT) | |
693 | + port = LDAPS_PORT; | |
694 | + #else | |
695 | + fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n"); | |
696 | + exit(1); | |
697 | + #endif | |
698 | + break; | |
699 | + case 'c': | |
700 | + connect_timeout = atoi(value); | |
701 | + break; | |
702 | + case 't': | |
703 | + timelimit = atoi(value); | |
704 | + break; | |
705 | case 'a': | |
706 | if (strcmp(value, "never") == 0) | |
707 | aliasderef = LDAP_DEREF_NEVER; | |
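Review bot: The option letters in this hunk are swapped against the documentation in the same commit: `case 'S':` at the top of the hunk sets `sslpath` and its error text speaks of `-E`, while the later hunk (`*** 388,394 ****`) turns the NT-domain-stripping case into `case 'E':`, yet the usage text hunk and the manpage both say -E is the SSL certificate path and -S strips NT domains. As written, an admin on a non-Netscape build who passes the documented `-S` gets "-E unsupported" and exit(1), and `-E certpath` silently sets strip_nt_domain and leaves sslpath NULL, so the connect hunk uses plain `ldap_init` where SSL was intended. The two labels should be `case 'E':` here and `case 'S':` in the later hunk. Separately, `connect_timeout = atoi(value);` and `timelimit = atoi(value);` accept non-numeric and negative input without complaint; `strtol` with an end-pointer check and a `value < 0` rejection would refuse them. The enclosing switch and main() continue outside the hunk.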
708 | *************** | |
709 | *** 349,354 **** | |
710 | --- 326,334 ---- | |
711 | case 'w': | |
712 | bindpasswd = value; | |
713 | break; | |
714 | + case 'W': | |
715 | + readSecret (value); | |
716 | + break; | |
717 | case 'P': | |
718 | persistent = !persistent; | |
719 | break; | |
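Review bot: `readSecret (value);` discards the int that the prototype added earlier in this commit (`static int readSecret(char *filename);`) declares, so a missing or unreadable secret file is not fatal here; the bind then proceeds with whatever `bindpasswd` held before, or with no bind password at all, depending on what readSecret does on failure (its body is not visible in this chunk). If readSecret reports failure through its return value, `if (readSecret(value) != 0) exit(1);` matches how the other option errors in this switch are handled. The enclosing switch runs outside the hunk.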
720 | *************** | |
721 | *** 388,394 **** | |
722 | case 'g': | |
723 | use_extension_dn = 1; | |
724 | break; | |
725 | ! case 'S': | |
726 | strip_nt_domain = 1; | |
727 | break; | |
728 | default: | |
729 | --- 368,374 ---- | |
730 | case 'g': | |
731 | use_extension_dn = 1; | |
732 | break; | |
733 | ! case 'E': | |
734 | strip_nt_domain = 1; | |
735 | break; | |
736 | default: | |
737 | *************** | |
738 | *** 424,440 **** | |
739 | fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n"); | |
740 | fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n"); | |
741 | fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n"); | |
742 | fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n"); | |
743 | fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT); | |
744 | fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n"); | |
745 | fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n"); | |
746 | fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n"); | |
747 | ! fprintf(stderr, "\t-v 1|2\t\t\tLDAP version\n"); | |
748 | fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n"); | |
749 | fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n"); | |
750 | fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n"); | |
751 | fprintf(stderr, "\n"); | |
752 | ! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n"); | |
753 | exit(1); | |
754 | } | |
755 | while (fgets(buf, 256, stdin) != NULL) { | |
756 | --- 404,431 ---- | |
757 | fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n"); | |
758 | fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n"); | |
759 | fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n"); | |
760 | + fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n"); | |
761 | + #if HAS_URI_SUPPORT | |
762 | + fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n"); | |
763 | + #endif | |
764 | fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n"); | |
765 | fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT); | |
766 | fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n"); | |
767 | + #if defined(NETSCAPE_SSL) | |
768 | + fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n"); | |
769 | + #endif | |
770 | + fprintf(stderr, "\t-c timeout\t\tconnect timeout\n"); | |
771 | + fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n"); | |
772 | fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n"); | |
773 | fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n"); | |
774 | ! #ifdef LDAP_VERSION3 | |
775 | ! fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n"); | |
776 | fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n"); | |
777 | + #endif | |
778 | fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n"); | |
779 | fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n"); | |
780 | fprintf(stderr, "\n"); | |
781 | ! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n"); | |
782 | exit(1); | |
783 | } | |
784 | while (fgets(buf, 256, stdin) != NULL) { | |
785 | *************** | |
786 | *** 455,465 **** | |
787 | ||
788 | recover: | |
789 | if (ld == NULL) { | |
790 | if ((ld = ldap_init(ldapServer, port)) == NULL) { | |
791 | ! fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", | |
792 | ! ldapServer, port); | |
793 | break; | |
794 | } | |
795 | #ifdef LDAP_VERSION3 | |
796 | if (version == -1) { | |
797 | version = LDAP_VERSION2; | |
798 | --- 446,484 ---- | |
799 | ||
800 | recover: | |
801 | if (ld == NULL) { | |
802 | + #if HAS_URI_SUPPORT | |
803 | + if (strstr(ldapServer, "://") != NULL) { | |
804 | + rc = ldap_initialize( &ld, ldapServer ); | |
805 | + if( rc != LDAP_SUCCESS ) { | |
806 | + fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer); | |
807 | + break; | |
808 | + } | |
809 | + } else | |
810 | + #endif | |
811 | + #if NETSCAPE_SSL | |
812 | + if (sslpath) { | |
813 | + if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) { | |
814 | + fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n", | |
815 | + sslpath); | |
816 | + exit(1); | |
817 | + } else { | |
818 | + sslinit++; | |
819 | + } | |
820 | + if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) { | |
821 | + fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n", | |
822 | + ldapServer, port); | |
823 | + exit(1); | |
824 | + } | |
825 | + } else | |
826 | + #endif | |
827 | if ((ld = ldap_init(ldapServer, port)) == NULL) { | |
828 | ! fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",ldapServer, port); | |
829 | break; | |
830 | } | |
831 | + | |
832 | + if (connect_timeout) | |
833 | + squid_ldap_set_connect_timeout(ld, connect_timeout); | |
834 | + | |
835 | #ifdef LDAP_VERSION3 | |
836 | if (version == -1) { | |
837 | version = LDAP_VERSION2; | |
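Review bot: `#if NETSCAPE_SSL` in this hunk tests the macro's value while every other guard in the commit (`#if defined(NETSCAPE_SSL)` around the sslpath globals, the option case and the SSL error report) tests only whether it is defined, so a build that defines NETSCAPE_SSL with no value fails here with a preprocessor error, and one that defines it as 0 compiles the SSL option but never the SSL init, falling through to plain `ldap_init`; use `#if defined(NETSCAPE_SSL)` here too. The SSL branch also ends with `exit(1)` on both failures where the URI branch and the plain `ldap_init` branch `break` like the pre-existing code, so the error path differs by transport for no stated reason. `strstr(ldapServer, "://")` assumes ldapServer is non-NULL; whether a default is assigned before the recover label when no -h/-H was given is not visible in this chunk and worth confirming. The enclosing function continues outside the hunk.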
838 | *************** | |
839 | *** 479,484 **** | |
840 | --- 498,504 ---- | |
841 | break; | |
842 | } | |
843 | #endif | |
844 | + squid_ldap_set_timelimit(ld, timelimit); | |
845 | squid_ldap_set_referrals(ld, !noreferrals); | |
846 | squid_ldap_set_aliasderef(ld, aliasderef); | |
847 | if (binddn && bindpasswd && *binddn && *bindpasswd) { | |
848 | *************** | |
849 | *** 622,628 **** | |
850 | } | |
851 | ||
852 | if (debug) | |
853 | ! fprintf(stderr, "filter %s\n", filter); | |
854 | ||
855 | rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); | |
856 | if (rc != LDAP_SUCCESS) { | |
857 | --- 642,648 ---- | |
858 | } | |
859 | ||
860 | if (debug) | |
861 | ! fprintf(stderr, "group filter '%s', searchbase '%s'\n", filter, searchbase); | |
862 | ||
863 | rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); | |
864 | if (rc != LDAP_SUCCESS) { | |
865 | *************** | |
866 | *** 632,637 **** | |
867 | --- 652,663 ---- | |
868 | */ | |
869 | } else { | |
870 | fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); | |
871 | + #if defined(NETSCAPE_SSL) | |
872 | + if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) { | |
873 | + int sslerr = PORT_GetError(); | |
874 | + fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); | |
875 | + } | |
876 | + #endif | |
877 | ldap_msgfree(res); | |
878 | return 1; | |
879 | } | |
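Review bot: The NETSCAPE_SSL error block added here is repeated verbatim in the user-search hunk further down (the one that now prints "User '%s' not found in '%s'"); a small static helper under the same #if would keep the two in sync, and its message prefix could then also match the surrounding `PROGRAM_NAME " WARNING, ..."` lines, which have no colon after the program name. Both call sites are inside functions whose starts lie outside the hunks, so the helper would go at file scope near the other static helpers. Proposed helper and call site below.
```c
#if defined(NETSCAPE_SSL)
/* After a failed search, print the NSS-level error when the failure looks like a transport problem. */
static void report_ssl_error(int rc)
{
    if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
        int sslerr = PORT_GetError();
        fprintf(stderr, PROGRAM_NAME " WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
    }
}
#endif

/* … at each of the two call sites, replacing the inline block … */
#if defined(NETSCAPE_SSL)
	    report_ssl_error(rc);
#endif
```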
880 | *************** | |
881 | *** 664,670 **** | |
882 | ldap_escape_value(escaped_login, sizeof(escaped_login), login); | |
883 | snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); | |
884 | if (debug) | |
885 | ! fprintf(stderr, "user filter %s\n", filter); | |
886 | rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); | |
887 | if (rc != LDAP_SUCCESS) { | |
888 | if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { | |
889 | --- 690,696 ---- | |
890 | ldap_escape_value(escaped_login, sizeof(escaped_login), login); | |
891 | snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); | |
892 | if (debug) | |
893 | ! fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase); | |
894 | rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); | |
895 | if (rc != LDAP_SUCCESS) { | |
896 | if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { | |
897 | *************** | |
898 | *** 673,685 **** | |
899 | */ | |
900 | } else { | |
901 | fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); | |
902 | ldap_msgfree(res); | |
903 | return 1; | |
904 | } | |
905 | } | |
906 | entry = ldap_first_entry(ld, res); | |
907 | if (!entry) { | |
908 | ! fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found\n", filter); | |
909 | ldap_msgfree(res); | |
910 | return 1; | |
911 | } | |
912 | --- 699,717 ---- | |
913 | */ | |
914 | } else { | |
915 | fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); | |
916 | + #if defined(NETSCAPE_SSL) | |
917 | + if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) { | |
918 | + int sslerr = PORT_GetError(); | |
919 | + fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); | |
920 | + } | |
921 | + #endif | |
922 | ldap_msgfree(res); | |
923 | return 1; | |
924 | } | |
925 | } | |
926 | entry = ldap_first_entry(ld, res); | |
927 | if (!entry) { | |
928 | ! fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found in '%s'\n", login, searchbase); | |
929 | ldap_msgfree(res); | |
930 | return 1; | |
931 | } | |
932 | *************** | |
933 | *** 698,701 **** | |
934 | --- 730,767 ---- | |
935 | } else { | |
936 | return searchLDAPGroup(ld, group, login, extension_dn); | |
937 | } | |
938 | + } | |
939 | + | |
940 | + | |
941 | + int readSecret(char *filename) | |
942 | + { | |
943 | + char buf[BUFSIZ]; | |
944 | + char *e=0; | |
945 | + FILE *f; | |
946 | + | |
947 | + if(!(f=fopen(filename, "r"))) { | |
948 | + fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename); | |
949 | + return 1; | |
950 | + } | |
951 | + | |
952 | + if( !fgets(buf, sizeof(buf)-1, f)) { | |
953 | + fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename); | |
954 | + fclose(f); | |
955 | + return 1; | |
956 | + } | |
957 | + | |
958 | + /* strip whitespaces on end */ | |
959 | + if((e = strrchr(buf, '\n'))) *e = 0; | |
960 | + if((e = strrchr(buf, '\r'))) *e = 0; | |
961 | + | |
962 | + bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1); | |
963 | + if (bindpasswd) { | |
964 | + strcpy(bindpasswd, buf); | |
965 | + } else { | |
966 | + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); | |
967 | + } | |
968 | + | |
969 | + fclose(f); | |
970 | + | |
971 | + return 0; | |
972 | } | |
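Review bot: On allocation failure readSecret prints an error but still returns 0 with bindpasswd left NULL, so the caller carries on as if the secret had been loaded and the later bind silently runs without a password; that branch should `fclose(f); return 1;` like the other error paths. The `sizeof(buf)-1` passed to fgets is one byte short for no reason (fgets already reserves room for the terminator), and the calloc/strcpy pair with its reversed calloc arguments is a plain strdup. A secret longer than the buffer is also truncated without any diagnostic, which only shows up later as an unexplained bind failure; checking that the line ended in a newline or at EOF makes that explicit. Rewritten tail of the function below.
```c
    if (!fgets(buf, sizeof(buf), f)) {
	/* … unchanged: "Secret file %s is empty" error path … */
    }
    /* A line that filled the buffer without a newline was truncated; refuse it rather than bind with a partial secret. */
    if (strchr(buf, '\n') == NULL && !feof(f)) {
	fprintf(stderr, PROGRAM_NAME " ERROR: Secret in %s is too long\n", filename);
	fclose(f);
	return 1;
    }

    /* strip the line terminator */
    if ((e = strrchr(buf, '\n'))) *e = 0;
    if ((e = strrchr(buf, '\r'))) *e = 0;

    bindpasswd = strdup(buf);
    fclose(f);
    if (!bindpasswd) {
	fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
	return 1;
    }
    return 0;
}
```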
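--- a/squid/helpers/external_acl/ldap_group/Makefile.in
+++ b/squid/helpers/external_acl/ldap_group/Makefile.in
@@ -155,7 +155,7 @@
 
 NROFF = nroff
 MANS = $(man_MANS)
-DIST_COMMON = Makefile.am Makefile.in
+DIST_COMMON = README ChangeLog Makefile.am Makefile.in
 SOURCES = $(squid_ldap_group_SOURCES)
 
 all: all-am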