Index: squid/helpers/external_acl/ldap_group/ChangeLog diff -c /dev/null squid/helpers/external_acl/ldap_group/ChangeLog:1.1.2.1 *** /dev/null Fri Nov 21 10:14:58 2003 --- squid/helpers/external_acl/ldap_group/ChangeLog Wed Nov 19 17:41:37 2003 *************** *** 0 **** --- 1,172 ---- + Version 2.12 + + 2003-03-01 Christoph Lechleitner + Added -W option to read bindpasswd from file, + e.g. from /etc/ldap.secret + + 2003-03-01 Juerg Michel + + Added support for ldap URI via the -H option + + Version 2.11 + + 2003-01-31 Henrik Nordstrom + + Packaged as a distribution, with Makefile, README + and INSTALL + + Corrected the squid.conf examples in the manpage and + some spelling in the same + + Separated the changelog/history to a separate + ChangeLog file (this file) + + 2003-01-27 Henrik Nordstrom + + Cleaned up error messages shown when a nonexisting + user tries to log in + + Version 2.10 + + 2003-01-07 Jon Kinred + + Fixed user search mode (-F/-u) when -g is not used + + Version 2.9 + + 2003-01-03 Henrik Nordstrom + + Fixed missing string termination on ldap_escape_vale, + and corrected build problem with LDAPv2 libraries + + Version 2.8 + + 2002-11-27 Henrik Nordstrom + + Replacement for ldap_build_filter. Also changed + the % codes to %u (user) and %g (group) which + is a bit more intuitive. + + 2002-11-21 Gerard Eviston + + Fix ldap_search_s error management. This fixes + a core dump if there is a LDAP search filter + syntax error (possibly caused by malformed input). + + Version 2.7 + + 2002-10-22: Henrik Nordstrom + + strwordtok bugfix + + Version 2.6 + + 2002-09-21: Gerard Eviston + + -S option to strip NT domain names from + login names + + Version 2.5 + + 2002-09-09: Henrik Nordstrom + + Added support for user DN lookups + (-u -B -F options) + + Version 2.4 + + 2002-09-06: Henrik Nordstrom + + Many bugfixes in connection management + + -g option added, and added support + for multiple groups. 
Prior versions + only supported one group and an optional + group base RDN + + Version 2.3 + + 2002-09-04: Henrik Nordstrom + + Minor cleanups + + Version 2.2 + + 2002-09-04: Henrik Nordstrom + + Merged changes from squid_ldap_auth.c + - TLS support (Michael Cunningham) + - -p option to specify port + + Documented the % codes to use in -f + + Version 2.1 + + 2002-08-21: Henrik Nordstrom + + Support groups or usernames having spaces + + Version 2.0 + + 2002-01-22: Henrik Nordstrom + + Added optional third query argument for search RDN + + 2002-01-22: Henrik Nordstrom + + Removed unused options, and fully changed name + to squid_ldap_match. + + Version 1.0 + + 2001-07-17: Flavio Pescuma + + Using the main function from squid_ldap_auth + wrote squid_ldap_match. This program replaces + the %a and %v (ldapfilter.conf) from the filter + template supplied with -f with the two arguments + sent by squid. Returns OK if the ldap_search + using the composed filter succeeds. + + Changes from squid_ldap_auth.c: + + 2001-12-12: Michael Cunningham + + - Added TLS support and partial ldap version 3 support. + + 2001-09-05: Henrik Nordstrom + + - Added ability to specify another default LDAP port to + connect to. Persistent connections moved to -P + + 2001-05-02: Henrik Nordstrom + + - Support newer OpenLDAP 2.x libraries using the + revised Internet Draft API which unfortunately + is not backwards compatible with RFC1823.. + + 2001-04-15: Henrik Nordstrom + + - Added command line option for basedn + + - Added the ability to search for the user DN + + 2001-04-16: Henrik Nordstrom + + - Added -D binddn -w bindpasswd. 
+ + 2001-04-17: Henrik Nordstrom + + - Added -R to disable referrals + + - Added -a to control alias dereferencing + + 2001-04-17: Henrik Nordstrom + + - Added -u, DN username attribute name + + 2001-04-18: Henrik Nordstrom + + - Allow full filter specifications in -f + + -- END -- Index: squid/helpers/external_acl/ldap_group/README diff -c /dev/null squid/helpers/external_acl/ldap_group/README:1.1.2.1 *** /dev/null Fri Nov 21 10:14:59 2003 --- squid/helpers/external_acl/ldap_group/README Wed Nov 19 17:41:37 2003 *************** *** 0 **** --- 1,10 ---- + This program is a LDAP group helper for Squid. + + See the included manpage for documentation. + + nroff -man squid_ldap_group.8 | less + + See INSTALL for installation instructions + + The latest version of this program can always be found from + MARA Systems at http://marasystems.com/download/LDAP_Group/ Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.8 diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.2 squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 *** squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.2 Wed Nov 27 16:42:22 2002 --- squid/helpers/external_acl/ldap_group/squid_ldap_group.8 Wed Nov 19 17:41:37 2003 *************** *** 1,17 **** ! .TH squid_ldap_group 8 "7 September 2002" "Squid LDAP Match" . .SH NAME squid_ldap_group - Squid LDAP external acl group helper . .SH SYNOPSIS ! squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...] . .SH DESCRIPTION This helper allows Squid to connect to a LDAP directory to authorize users via LDAP groups. .P The program operates by searching with a search filter based ! on the users login name and requested group, and if a match is found it is determined that the user belongs to the group. . .TP --- 1,17 ---- ! .TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Group" . .SH NAME squid_ldap_group - Squid LDAP external acl group helper . .SH SYNOPSIS ! 
squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI] . .SH DESCRIPTION This helper allows Squid to connect to a LDAP directory to authorize users via LDAP groups. .P The program operates by searching with a search filter based ! on the users user name and requested group, and if a match is found it is determined that the user belongs to the group. . .TP *************** *** 25,31 **** .TP .B "-g" Specifies that the first query argument sent to the helper by Squid is ! a extension to the basedn and will be temporarily added infront of the global basedn for this query. . .TP --- 25,31 ---- .TP .B "-g" Specifies that the first query argument sent to the helper by Squid is ! a extension to the basedn and will be temporarily added in front of the global basedn for this query. . .TP *************** *** 33,39 **** LDAP search filter used to search the LDAP directory for any matching group memberships. .BR ! In the filter %u will be replaced by the user login name (or DN if the -F or -u options are used) and %g by the requested group name. . .TP --- 33,39 ---- LDAP search filter used to search the LDAP directory for any matching group memberships. .BR ! In the filter %u will be replaced by the user name (or DN if the -F or -u options are used) and %g by the requested group name. . .TP *************** *** 41,53 **** LDAP search filter used to search the LDAP directory for any matching users. .BR ! In the filter %s will be replaced by the user login name. If % is to be included literally in the filter then use %%. . .TP .BI "-u " attr ! LDAP attribute used to construct the user DN from the login name and ! base dn. . .TP .BI "-s " base|one|sub --- 41,53 ---- LDAP search filter used to search the LDAP directory for any matching users. .BR ! In the filter %s will be replaced by the user name. If % is to be included literally in the filter then use %%. . .TP .BI "-u " attr ! 
LDAP attribute used to construct the user DN from the user name and ! base dn without needing to search for the user. . .TP .BI "-s " base|one|sub *************** *** 72,81 **** extracts the password used from a process listing. . .TP .BI -P Use a persistent LDAP connection. Normally the LDAP connection ! is only open while validating a username to preserve resources ! at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations. Recommended for larger installations. . --- 72,91 ---- extracts the password used from a process listing. . .TP + .BI "-D " "binddn " "-W " "secretfile " + The DN and the name of a file containing the password + to bind as while performing searches. + .IP + Less insecure version of the former parameter pair with two advantages: + The password does not occur in the process listing, + and the password is not being compromised if someone gets the squid + configuration file without getting the secretfile. + . + .TP .BI -P Use a persistent LDAP connection. Normally the LDAP connection ! is only open while verifying a users group membership to preserve ! resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations. Recommended for larger installations. . *************** *** 97,102 **** --- 107,116 ---- the base object . .TP + .BI -H " ldapuri" + Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries) + . + .TP .BI -h " ldapserver" Specify the LDAP server to connect to .TP *************** *** 105,112 **** other than the default LDAP port 389. . .TP .BI -S ! Strip NT domain name component from usernames (/ or \\ separated) . .SH SQUID CONFIGURATION . --- 119,142 ---- other than the default LDAP port 389. . .TP + .BI -Z + Use TLS encryption + . + .TP + .BI -E certpath + Enable LDAP over SSL (requires Netscape LDAP API libraries) + . 
+ .TP + .BI -c connect_timeout + Specify timeout used when connecting to LDAP servers (requires + Netscape LDAP API libraries) + .TP + .BI -t search_timeout + Specify time limit on LDAP search operations + . + .TP .BI -S ! Strip NT domain name component from user names (/ or \\ separated) . .SH SQUID CONFIGURATION . *************** *** 117,131 **** .nf external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ... .br ! acl group1 ldap_group Group1 .br ! acl group2 ldap_gorup Group2 .fi .ft . .SH NOTES . ! When constructing search filters it is strongly recommended to test the filter using ldapsearch before you attempt to use squid_ldap_group. This to verify that the filter matches what you expect. . --- 147,161 ---- .nf external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ... .br ! acl group1 external ldap_group Group1 .br ! acl group2 external ldap_group Group2 .fi .ft . .SH NOTES . ! When constructing search filters it is recommended to first test the filter using ldapsearch before you attempt to use squid_ldap_group. This to verify that the filter matches what you expect. . *************** *** 141,147 **** .I Glen Newton . .SH KNOWN LIMITATIONS ! Max 16 occurances of %s in the -u argument is supported. . .SH QUESTIONS Any questions on usage can be sent to --- 171,177 ---- .I Glen Newton . .SH KNOWN LIMITATIONS ! Max 16 occurrences of %s in the -u argument is supported. . .SH QUESTIONS Any questions on usage can be sent to Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.11 squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.13 *** squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.11 Sat Jan 11 06:07:08 2003 --- squid/helpers/external_acl/ldap_group/squid_ldap_group.c Fri Nov 21 10:13:58 2003 *************** *** 13,20 **** * Henrik Nordstrom * MARA Systems AB, Sweden * ! 
* With contributions from others mentioned in the change histor section ! * below. * * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom. * --- 13,19 ---- * Henrik Nordstrom * MARA Systems AB, Sweden * ! * With contributions from others mentioned in the ChangeLog file * * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom. * *************** *** 32,124 **** * and/or modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2, * or (at your option) any later version. - * - * History: - * - * Version 2.10 - * 2003-01-07 Jon Kinred - * Fixed user search mode (-F/-u) when -g is not used - * Version 2.9 - * 2003-01-03 Henrik Nordstrom - * Fixed missing string termination on ldap_escape_vale, - * and corrected build problem with LDAPv2 libraries - * Version 2.8 - * 2002-11-27 Henrik Nordstrom - * Replacement for ldap_build_filter. Also changed - * the % codes to %u (user) and %g (group) which - * is a bit more intuitive. - * 2002-11-21 Gerard Eviston - * Fix ldap_search_s error management. This fixes - * a core dump if there is a LDAP search filter - * syntax error (possibly caused by malformed input). - * Version 2.7 - * 2002-10-22: Henrik Nordstrom - * strwordtok bugfix - * Version 2.6 - * 2002-09-21: Gerard Eviston - * -S option to strip NT domain names from - * login names - * Version 2.5 - * 2002-09-09: Henrik Nordstrom - * Added support for user DN lookups - * (-u -B -F options) - * Version 2.4 - * 2002-09-06: Henrik Nordstrom - * Many bugfixes in connection management - * -g option added, and added support - * for multiple groups. 
Prior versions - * only supported one group and an optional - * group base RDN - * Version 2.3 - * 2002-09-04: Henrik Nordstrom - * Minor cleanups - * Version 2.2 - * 2002-09-04: Henrik Nordstrom - * Merged changes from squid_ldap_auth.c - * - TLS support (Michael Cunningham) - * - -p option to specify port - * Documented the % codes to use in -f - * Version 2.1 - * 2002-08-21: Henrik Nordstrom - * Support groups or usernames having spaces - * Version 2.0 - * 2002-01-22: Henrik Nordstrom - * Added optional third query argument for search RDN - * 2002-01-22: Henrik Nordstrom - * Removed unused options, and fully changed name - * to squid_ldap_group. - * Version 1.0 - * 2001-07-17: Flavio Pescuma - * Using the main function from squid_ldap_auth - * wrote squid_ldap_group. This program replaces - * the %a and %v (ldapfilter.conf) from the filter - * template supplied with -f with the two arguments - * sent by squid. Returns OK if the ldap_search - * using the composed filter succeeds. - * - * Changes from squid_ldap_auth.c: - * - * 2001-12-12: Michael Cunningham - * - Added TLS support and partial ldap version 3 support. - * 2001-09-05: Henrik Nordstrom - * - Added ability to specify another default LDAP port to - * connect to. Persistent connections moved to -P - * 2001-05-02: Henrik Nordstrom - * - Support newer OpenLDAP 2.x libraries using the - * revised Internet Draft API which unfortunately - * is not backwards compatible with RFC1823.. - * 2001-04-15: Henrik Nordstrom - * - Added command line option for basedn - * - Added the ability to search for the user DN - * 2001-04-16: Henrik Nordstrom - * - Added -D binddn -w bindpasswd. 
- * 2001-04-17: Henrik Nordstrom - * - Added -R to disable referrals - * - Added -a to control alias dereferencing - * 2001-04-17: Henrik Nordstrom - * - Added -u, DN username attribute name - * 2001-04-18: Henrik Nordstrom - * - Allow full filter specifications in -f */ #include --- 31,36 ---- *************** *** 126,133 **** #include #include #include - #include #include #define PROGRAM_NAME "squid_ldap_group" --- 38,47 ---- #include #include #include #include + #if defined(LDAP_OPT_NETWORK_TIMEOUT) + #include + #endif #define PROGRAM_NAME "squid_ldap_group" *************** *** 145,150 **** --- 59,70 ---- static int noreferrals = 0; static int debug = 0; static int aliasderef = LDAP_DEREF_NEVER; + #if defined(NETSCAPE_SSL) + static char *sslpath = NULL; + static int sslinit = 0; + #endif + static int connect_timeout = 0; + static int timelimit = LDAP_NO_LIMIT; #ifdef LDAP_VERSION3 /* Added for TLS support and version 3 */ *************** *** 154,159 **** --- 74,81 ---- static int searchLDAP(LDAP * ld, char *group, char *user, char *extension_dn); + static int readSecret(char *filename); + /* Yuck.. we need to glue to different versions of the API */ #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823 *************** *** 175,180 **** --- 97,120 ---- int *value = referrals ? 
LDAP_OPT_ON : LDAP_OPT_OFF; ldap_set_option(ld, LDAP_OPT_REFERRALS, value); } + static void + squid_ldap_set_timelimit(LDAP *ld, int timelimit) + { + ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit); + } + static void + squid_ldap_set_connect_timeout(LDAP *ld, int timelimit) + { + #if defined(LDAP_OPT_NETWORK_TIMEOUT) + struct timeval tv; + tv.tv_sec = timelimit; + tv.tv_usec = 0; + ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); + #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT) + timelimit *= 1000; + ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit); + #endif + } static void squid_ldap_memfree(char *p) { *************** *** 199,204 **** --- 139,154 ---- else ld->ld_options &= ~LDAP_OPT_REFERRALS; } + static void + squid_ldap_set_timelimit(LDAP *ld, int timelimit) + { + ld->ld_timelimit = timelimit; + } + static void + squid_ldap_set_connect_timeout(LDAP *ld, int timelimit) + { + fprintf(stderr, "Connect timeouts not supported in your LDAP library\n"); + } static void squid_ldap_memfree(char *p) { *************** *** 206,211 **** --- 156,167 ---- } #endif + #ifdef LDAP_API_FEATURE_X_OPENLDAP + #if LDAP_VENDOR_VERSION > 194 + #define HAS_URI_SUPPORT 1 + #endif + #endif + static char * strwordtok(char *buf, char **t) { *************** *** 290,295 **** --- 246,257 ---- argv++; argc--; switch (option) { + case 'H': + #if !HAS_URI_SUPPORT + fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n"); + exit(1); + #endif + /* Fall thru to -h */ case 'h': if (ldapServer) { int len = strlen(ldapServer) + 1 + strlen(value) + 1; *************** *** 301,307 **** ldapServer = strdup(value); } break; - case 'b': basedn = value; break; --- 263,268 ---- *************** *** 329,334 **** --- 290,311 ---- exit(1); } break; + case 'S': + #if defined(NETSCAPE_SSL) + sslpath = value; + if (port == LDAP_PORT) + port = LDAPS_PORT; + #else + fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n"); + exit(1); + #endif + break; + case 'c': + 
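Review bot: The parameter of the new squid_ldap_set_timelimit and squid_ldap_set_connect_timeout wrappers is named `timelimit`, which shadows the file-scope `static int timelimit` introduced in this same commit, so -Wshadow fires and the connect-timeout variant reads as if it applied the search limit; renaming it (`int seconds`) in both API variants, including the pre-1823 fallbacks in the next hunk (`*** 199,204`), removes the ambiguity. In the fallback squid_ldap_set_connect_timeout both parameters are unused, `(void)ld; (void)seconds;` keeps -Wextra quiet, and since the caller appears to invoke it on every (re)connect while -c is set, rejecting -c at option-parse time on that build may be preferable to a warning per connection. The ldap_set_option calls here discard their return value, so an option the library refuses is silently skipped; a debug-level message when it fails would help operators notice that no timeout is actually in force.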
connect_timeout = atoi(value); + break; + case 't': + timelimit = atoi(value); + break; case 'a': if (strcmp(value, "never") == 0) aliasderef = LDAP_DEREF_NEVER; *************** *** 349,354 **** --- 326,334 ---- case 'w': bindpasswd = value; break; + case 'W': + readSecret (value); + break; case 'P': persistent = !persistent; break; *************** *** 388,394 **** case 'g': use_extension_dn = 1; break; ! case 'S': strip_nt_domain = 1; break; default: --- 368,374 ---- case 'g': use_extension_dn = 1; break; ! case 'E': strip_nt_domain = 1; break; default: *************** *** 424,440 **** fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n"); fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n"); fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n"); fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n"); fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT); fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n"); fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n"); fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n"); ! fprintf(stderr, "\t-v 1|2\t\t\tLDAP version\n"); fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n"); fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n"); fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n"); fprintf(stderr, "\n"); ! 
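Review bot: The option letters for SSL and NT-domain stripping are swapped relative to the usage text and manpage in this same commit: the new sslpath block sits under `case 'S':` (its own error message says `-E unsupported`), while the later hunk (`*** 388,394`) moves `strip_nt_domain = 1` from `case 'S':` to `case 'E':`. As written, an existing configuration using -S to strip the domain now either exits with the "-E unsupported" error on non-Netscape builds or silently consumes the next argument as a certificate path, and -E turns on stripping instead of SSL. The two labels should read `case 'E':` for the sslpath block and `case 'S':` for strip_nt_domain. In the same hunk `-c` and `-t` are parsed with `atoi()`, so a mistyped value silently becomes 0 (no timeout / no limit); `strtol` with an end-pointer check would reject it.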
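Review bot: The return value of `readSecret (value)` is discarded, so when the secret file is missing, unreadable or empty the helper prints an error and keeps running with `bindpasswd` unset; the bind at the connect site is guarded by `binddn && bindpasswd && *binddn && *bindpasswd`, so searches then proceed under an anonymous bind and group answers may differ from the intended ones without any visible failure. `if (readSecret(value)) exit(1);` makes the misconfiguration fatal, matching how the other option errors in this switch (`-H`, `-S`) are handled.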
fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n"); exit(1); } while (fgets(buf, 256, stdin) != NULL) { --- 404,431 ---- fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n"); fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n"); fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n"); + fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n"); + #if HAS_URI_SUPPORT + fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n"); + #endif fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n"); fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT); fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n"); + #if defined(NETSCAPE_SSL) + fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n"); + #endif + fprintf(stderr, "\t-c timeout\t\tconnect timeout\n"); + fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n"); fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n"); fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n"); ! #ifdef LDAP_VERSION3 ! fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n"); fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n"); + #endif fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n"); fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n"); fprintf(stderr, "\n"); ! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n"); exit(1); } while (fgets(buf, 256, stdin) != NULL) { *************** *** 455,465 **** recover: if (ld == NULL) { if ((ld = ldap_init(ldapServer, port)) == NULL) { ! fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ! 
ldapServer, port); break; } #ifdef LDAP_VERSION3 if (version == -1) { version = LDAP_VERSION2; --- 446,484 ---- recover: if (ld == NULL) { + #if HAS_URI_SUPPORT + if (strstr(ldapServer, "://") != NULL) { + rc = ldap_initialize( &ld, ldapServer ); + if( rc != LDAP_SUCCESS ) { + fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer); + break; + } + } else + #endif + #if NETSCAPE_SSL + if (sslpath) { + if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) { + fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n", + sslpath); + exit(1); + } else { + sslinit++; + } + if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) { + fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n", + ldapServer, port); + exit(1); + } + } else + #endif if ((ld = ldap_init(ldapServer, port)) == NULL) { ! fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",ldapServer, port); break; } + + if (connect_timeout) + squid_ldap_set_connect_timeout(ld, connect_timeout); + #ifdef LDAP_VERSION3 if (version == -1) { version = LDAP_VERSION2; *************** *** 479,484 **** --- 498,504 ---- break; } #endif + squid_ldap_set_timelimit(ld, timelimit); squid_ldap_set_referrals(ld, !noreferrals); squid_ldap_set_aliasderef(ld, aliasderef); if (binddn && bindpasswd && *binddn && *bindpasswd) { *************** *** 622,628 **** } if (debug) ! fprintf(stderr, "filter %s\n", filter); rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); if (rc != LDAP_SUCCESS) { --- 642,648 ---- } if (debug) ! 
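Review bot: The three new connect paths are inconsistent about failure handling and preprocessor guards: the URI and plain ldap_init branches `break` out of the loop on failure, but the Netscape SSL branch calls `exit(1)` for both the ldapssl_client_init and ldapssl_init failures, and its guard is spelled `#if NETSCAPE_SSL` while every other site in the commit uses `#if defined(NETSCAPE_SSL)` (a `#define NETSCAPE_SSL` with an empty value makes the bare `#if` a preprocessor error). Using `#if defined(NETSCAPE_SSL)` and `break` in all three branches keeps behaviour uniform. The ldap_initialize failure message also drops the reason; `ldap_err2string(rc)` is already used elsewhere in this file and would help diagnose a malformed URI. The enclosing loop starts and ends outside the hunk.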
fprintf(stderr, "group filter '%s', searchbase '%s'\n", filter, searchbase); rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); if (rc != LDAP_SUCCESS) { *************** *** 632,637 **** --- 652,663 ---- */ } else { fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); + #if defined(NETSCAPE_SSL) + if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) { + int sslerr = PORT_GetError(); + fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); + } + #endif ldap_msgfree(res); return 1; } *************** *** 664,670 **** ldap_escape_value(escaped_login, sizeof(escaped_login), login); snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); if (debug) ! fprintf(stderr, "user filter %s\n", filter); rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { --- 690,696 ---- ldap_escape_value(escaped_login, sizeof(escaped_login), login); snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); if (debug) ! 
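Review bot: The Netscape SSL diagnostic block added here is duplicated verbatim in the user-search hunk further down (`*** 673,685`); a small `static void report_ssl_error(int rc)` holding the `sslpath && (rc == LDAP_SERVER_DOWN || rc == LDAP_CONNECT_ERROR)` test and the PORT_GetError/ldapssl_err2string lines would keep the two sites from drifting. Its message is formatted `PROGRAM_NAME ": WARNING, SSL error"` while the surrounding warnings use `PROGRAM_NAME " WARNING, ..."` without the colon; worth aligning. The enclosing search function starts and ends outside the hunk.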
fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase); rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { *************** *** 673,685 **** */ } else { fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); ldap_msgfree(res); return 1; } } entry = ldap_first_entry(ld, res); if (!entry) { ! fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found\n", filter); ldap_msgfree(res); return 1; } --- 699,717 ---- */ } else { fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); + #if defined(NETSCAPE_SSL) + if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) { + int sslerr = PORT_GetError(); + fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); + } + #endif ldap_msgfree(res); return 1; } } entry = ldap_first_entry(ld, res); if (!entry) { ! fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found in '%s'\n", login, searchbase); ldap_msgfree(res); return 1; } *************** *** 698,701 **** --- 730,767 ---- } else { return searchLDAPGroup(ld, group, login, extension_dn); } + } + + + int readSecret(char *filename) + { + char buf[BUFSIZ]; + char *e=0; + FILE *f; + + if(!(f=fopen(filename, "r"))) { + fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename); + return 1; + } + + if( !fgets(buf, sizeof(buf)-1, f)) { + fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename); + fclose(f); + return 1; + } + + /* strip whitespaces on end */ + if((e = strrchr(buf, '\n'))) *e = 0; + if((e = strrchr(buf, '\r'))) *e = 0; + + bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1); + if (bindpasswd) { + strcpy(bindpasswd, buf); + } else { + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); + } + + fclose(f); + + return 0; } Index: 
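Review bot: readSecret returns 0 after a failed calloc, so the caller cannot tell "secret loaded" from "no memory, bindpasswd is NULL", and the helper would continue under an anonymous bind; that path should return 1. The `/* strip whitespaces on end */` comment overstates what the code does: only the last `\n` and `\r` located by strrchr are removed, and because strrchr scans the whole buffer a stray `\r` earlier in the line would truncate the secret at that point rather than at the end. The password is also left in the stack buffer `buf` after it has been copied, and the definition is non-`static` while the prototype added earlier in this commit is `static int readSecret(char *filename);` — legal in C, but the two should agree. `strdup` is already used in this file and replaces the calloc+strcpy pair; a permission check on the opened file (`fstat(fileno(f))` rejecting group/world-readable modes) would make the "not compromised along with the configuration file" property the manpage claims for -W enforceable rather than assumed.
```c
static int readSecret(char *filename)
{
    char buf[BUFSIZ];
    char *e = 0;
    FILE *f;

    /* … unchanged: fopen failure check … */

    if (!fgets(buf, sizeof(buf), f)) {
        fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
        fclose(f);
        return 1;
    }
    fclose(f);

    /* strip the trailing line terminator only; any other trailing bytes are part of the secret */
    e = buf + strlen(buf);
    while (e > buf && (e[-1] == '\n' || e[-1] == '\r'))
        *--e = 0;

    bindpasswd = strdup(buf);
    memset(buf, 0, sizeof(buf)); /* plain memset may be optimized away; prefer explicit_bzero/memset_s where the platform has one */
    if (!bindpasswd) {
        fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
        return 1;
    }
    return 0;
}
```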
squid/helpers/external_acl/ldap_group/Makefile.in diff -c squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.5 squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.6 *** squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.5 Tue Feb 11 19:02:43 2003 --- squid/helpers/external_acl/ldap_group/Makefile.in Wed Nov 19 17:43:41 2003 *************** *** 155,161 **** NROFF = nroff MANS = $(man_MANS) ! DIST_COMMON = Makefile.am Makefile.in SOURCES = $(squid_ldap_group_SOURCES) all: all-am --- 155,161 ---- NROFF = nroff MANS = $(man_MANS) ! DIST_COMMON = README ChangeLog Makefile.am Makefile.in SOURCES = $(squid_ldap_group_SOURCES) all: all-am