Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.4 squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.5 *** squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.4 Wed Feb 18 09:15:52 2004 --- squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 Tue Mar 2 02:13:29 2004 *************** *** 132,137 **** --- 132,143 ---- .BI -t search_timeout Specify time limit on LDAP search operations . + .TP + .BU -d + Debug mode where each step taken will get reported in detail. + Useful for understanding what goes wrong if the results is + not what is expected. + . .SH EXAMPLES For directories using the RFC2307 layout with a single domain, all you need to specify is usually the base DN under where your users Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.8 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.10 *** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.8 Mon Jan 5 06:12:11 2004 --- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c Thu Mar 4 02:37:38 2004 *************** *** 30,35 **** --- 30,39 ---- * or (at your option) any later version. 
* * Changes: + * 2004-03-01: Henrik Nordstrom + * - corrected building of search filters to escape + * unsafe input + * - -d option for "debug" like squid_ldap_group * 2004-01-05: Henrik Nordstrom * - Corrected TLS mode * 2003-03-01: David J N Begley *************** *** 95,100 **** --- 99,105 ---- #endif static int connect_timeout = 0; static int timelimit = LDAP_NO_LIMIT; + static int debug = 0; /* Added for TLS support and version 3 */ static int use_tls = 0; *************** *** 208,213 **** --- 213,219 ---- case 'R': case 'z': case 'Z': + case 'd': break; default: if (strlen(argv[1]) > 2) { *************** *** 333,338 **** --- 339,347 ---- use_tls = 1; break; #endif + case 'd': + debug++; + break; default: fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option); exit(1); *************** *** 478,483 **** --- 487,520 ---- } static int + ldap_escape_value(char *escaped, int size, const char *src) + { + int n = 0; + while (size > 4 && *src) { + switch(*src) { + case '*': + case '(': + case ')': + case '\\': + n += 3; + size -= 3; + if (size > 0) { + *escaped++ = '\\'; + snprintf(escaped, 3, "%02x", (unsigned char)*src++); + escaped+=2; + } + break; + default: + *escaped++ = *src++; + n++; + size--; + } + } + *escaped = '\0'; + return n; + } + + static int checkLDAP(LDAP * ld, const char *userid, const char *password) { char dn[256]; *************** *** 490,495 **** --- 527,533 ---- } if (searchfilter) { char filter[256]; + char escaped_login[256]; LDAPMessage *res = NULL; LDAPMessage *entry; char *searchattr[] = *************** *** 497,502 **** --- 535,541 ---- char *userdn; int rc; + ldap_escape_value(escaped_login, sizeof(escaped_login), userid); if (binddn) { rc = ldap_simple_bind_s(ld, binddn, bindpasswd); if (rc != LDAP_SUCCESS) { *************** *** 504,510 **** return 1; } } ! 
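Review bot: ldap_escape_value reports nothing when the login does not fit: the loop in the 478,483 hunk stops as soon as `size` drops to 4 with characters still unread, the caller in the 497,502 hunk ignores the return value, and the search then runs for a silently shortened name. Because the loop only ends early while `*src` is still non-zero, the function can signal this with `return *src ? -1 : n;` and the caller can refuse the request with `if (ldap_escape_value(escaped_login, sizeof(escaped_login), userid) < 0) return 1;` (the `size > 4` guard is conservative, so a few bytes of the buffer may go unused, which is acceptable for a bounded login). The `if (size > 0)` inside the escape case can never be false, since the loop guard already required `size > 4` before the `size -= 3`, so it can be dropped. The same loop body appears in squid_ldap_group.c (hunk at 558,564), whose enclosing function starts outside that hunk, and presumably needs the same change.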
snprintf(filter, sizeof(filter), searchfilter, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid); rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { --- 543,551 ---- return 1; } } ! snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); ! if (debug) ! fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn); rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { *************** *** 541,546 **** --- 582,589 ---- snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn); } + if (debug) + fprintf(stderr, "attempting to bind to user '%s'\n", dn); if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS) return 1; Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.8 diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.4 *** squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 Wed Nov 19 17:41:37 2003 --- squid/helpers/external_acl/ldap_group/squid_ldap_group.8 Tue Mar 2 02:13:29 2004 *************** *** 138,143 **** --- 138,149 ---- .BI -S Strip NT domain name component from user names (/ or \\ separated) . + .TP + .BU -d + Debug mode where each step taken will get reported in detail. + Useful for understanding what goes wrong if the results is + not what is expected. + .SH SQUID CONFIGURATION . 
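Review bot: The snprintf that builds `filter` in the 504,510 hunk is not checked for truncation; escaped_login can be up to three times the login length, so a template that repeats `%s` can exceed the 256-byte filter and the search then runs with a cut-off filter. `rc` is already declared in this function, so `rc = snprintf(filter, sizeof(filter), searchfilter, escaped_login, …);` followed by `if (rc < 0 || rc >= (int)sizeof(filter)) return 1;` rejects the request instead of searching with a mangled filter. The enclosing function checkLDAP continues outside the hunk.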
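Review bot: The `snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn)` context line in the 541,546 hunk still places the raw login into a DN, and the filter escaping added by this commit does not cover DN syntax, where `,`, `+`, `\`, `"`, `<`, `>`, `;` and a leading space or `#` are structural. Until a DN escaper exists, the non-searchfilter path should refuse such logins before the bind, for example `if (strpbrk(userid, ",+\"\\<>;") != NULL) return 1;`, and that snprintf is likewise unchecked for truncation. Unless the caller already rejects empty passwords before reaching checkLDAP, note that `ldap_simple_bind_s(ld, dn, password)` with an empty password can be treated by the server as an unauthenticated bind that succeeds; no such check is visible in this hunk.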
This helper is intended to be used as a external_acl_type helper from Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.16 squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.17 *** squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.16 Mon Feb 9 10:04:56 2004 --- squid/helpers/external_acl/ldap_group/squid_ldap_group.c Tue Mar 2 02:13:29 2004 *************** *** 229,234 **** --- 229,235 ---- case 'R': case 'z': case 'Z': + case 'd': case 'g': case 'S': break; *************** *** 558,564 **** size -= 3; if (size > 0) { *escaped++ = '\\'; ! snprintf(escaped, 3, "%02x", (int)*src++); escaped+=2; } break; --- 559,565 ---- size -= 3; if (size > 0) { *escaped++ = '\\'; ! snprintf(escaped, 3, "%02x", (unsigned char)*src++); escaped+=2; } break;