- new-style bcond, pl fixes
1Index: squid/helpers/external_acl/ldap_group/ChangeLog
2diff -c /dev/null squid/helpers/external_acl/ldap_group/ChangeLog:1.1.2.1
3*** /dev/null Fri Nov 21 10:14:58 2003
4--- squid/helpers/external_acl/ldap_group/ChangeLog Wed Nov 19 17:41:37 2003
5***************
6*** 0 ****
7--- 1,172 ----
8+ Version 2.12
9+
10+ 2003-03-01 Christoph Lechleitner <lech@ibcl.at>
11+ Added -W option to read bindpasswd from file,
12+ e.g. from /etc/ldap.secret
13+
14+ 2003-03-01 Juerg Michel
15+
16+ Added support for ldap URI via the -H option
17+
18+ Version 2.11
19+
20+ 2003-01-31 Henrik Nordstrom <hno@marasystems.com>
21+
22+ Packaged as a distribution, with Makefile, README
23+ and INSTALL
24+
25+ Corrected the squid.conf examples in the manpage and
26+ some spelling in the same
27+
28+ Separated the changelog/history to a separate
29+ ChangeLog file (this file)
30+
31+ 2003-01-27 Henrik Nordstrom <hno@marasystems.com>
32+
33+ Cleaned up error messages shown when a nonexisting
34+ user tries to log in
35+
36+ Version 2.10
37+
38+ 2003-01-07 Jon Kinred
39+
40+ Fixed user search mode (-F/-u) when -g is not used
41+
42+ Version 2.9
43+
44+ 2003-01-03 Henrik Nordstrom <hno@marasystems.com>
45+
46+ Fixed missing string termination on ldap_escape_vale,
47+ and corrected build problem with LDAPv2 libraries
48+
49+ Version 2.8
50+
51+ 2002-11-27 Henrik Nordstrom <hno@marasystems.com>
52+
53+ Replacement for ldap_build_filter. Also changed
54+ the % codes to %u (user) and %g (group) which
55+ is a bit more intuitive.
56+
57+ 2002-11-21 Gerard Eviston
58+
59+ Fix ldap_search_s error management. This fixes
60+ a core dump if there is a LDAP search filter
61+ syntax error (possibly caused by malformed input).
62+
63+ Version 2.7
64+
65+ 2002-10-22: Henrik Nordstrom <hno@marasystems.com>
66+
67+ strwordtok bugfix
68+
69+ Version 2.6
70+
71+ 2002-09-21: Gerard Eviston
72+
73+ -S option to strip NT domain names from
74+ login names
75+
76+ Version 2.5
77+
78+ 2002-09-09: Henrik Nordstrom <hno@marasystems.com>
79+
80+ Added support for user DN lookups
81+ (-u -B -F options)
82+
83+ Version 2.4
84+
85+ 2002-09-06: Henrik Nordstrom <hno@marasystems.com>
86+
87+ Many bugfixes in connection management
88+
89+ -g option added, and added support
90+ for multiple groups. Prior versions
91+ only supported one group and an optional
92+ group base RDN
93+
94+ Version 2.3
95+
96+ 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
97+
98+ Minor cleanups
99+
100+ Version 2.2
101+
102+ 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
103+
104+ Merged changes from squid_ldap_auth.c
105+ - TLS support (Michael Cunningham)
106+ - -p option to specify port
107+
108+ Documented the % codes to use in -f
109+
110+ Version 2.1
111+
112+ 2002-08-21: Henrik Nordstrom <hno@marasystems.com>
113+
114+ Support groups or usernames having spaces
115+
116+ Version 2.0
117+
118+ 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
119+
120+ Added optional third query argument for search RDN
121+
122+ 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
123+
124+ Removed unused options, and fully changed name
125+ to squid_ldap_match.
126+
127+ Version 1.0
128+
129+ 2001-07-17: Flavio Pescuma <flavio@marasystems.com>
130+
131+ Using the main function from squid_ldap_auth
132+ wrote squid_ldap_match. This program replaces
133+ the %a and %v (ldapfilter.conf) from the filter
134+ template supplied with -f with the two arguments
135+ sent by squid. Returns OK if the ldap_search
136+ using the composed filter succeeds.
137+
138+ Changes from squid_ldap_auth.c:
139+
140+ 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
141+
142+ - Added TLS support and partial ldap version 3 support.
143+
144+ 2001-09-05: Henrik Nordstrom <hno@squid-cache.org>
145+
146+ - Added ability to specify another default LDAP port to
147+ connect to. Persistent connections moved to -P
148+
149+ 2001-05-02: Henrik Nordstrom <hno@squid-cache.org>
150+
151+ - Support newer OpenLDAP 2.x libraries using the
152+ revised Internet Draft API which unfortunately
153+ is not backwards compatible with RFC1823..
154+
155+ 2001-04-15: Henrik Nordstrom <hno@squid-cache.org>
156+
157+ - Added command line option for basedn
158+
159+ - Added the ability to search for the user DN
160+
161+ 2001-04-16: Henrik Nordstrom <hno@squid-cache.org>
162+
163+ - Added -D binddn -w bindpasswd.
164+
165+ 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
166+
167+ - Added -R to disable referrals
168+
169+ - Added -a to control alias dereferencing
170+
171+ 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
172+
173+ - Added -u, DN username attribute name
174+
175+ 2001-04-18: Henrik Nordstrom <hno@squid-cache.org>
176+
177+ - Allow full filter specifications in -f
178+
179+ -- END --
180Index: squid/helpers/external_acl/ldap_group/README
181diff -c /dev/null squid/helpers/external_acl/ldap_group/README:1.1.2.1
182*** /dev/null Fri Nov 21 10:14:59 2003
183--- squid/helpers/external_acl/ldap_group/README Wed Nov 19 17:41:37 2003
184***************
185*** 0 ****
186--- 1,10 ----
187+ This program is a LDAP group helper for Squid.
188+
189+ See the included manpage for documentation.
190+
191+ nroff -man squid_ldap_group.8 | less
192+
193+ See INSTALL for installation instructions
194+
195+ The latest version of this program can always be found from
196+ MARA Systems at http://marasystems.com/download/LDAP_Group/
197Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.8
198diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.2 squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3
199*** squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.2 Wed Nov 27 16:42:22 2002
200--- squid/helpers/external_acl/ldap_group/squid_ldap_group.8 Wed Nov 19 17:41:37 2003
201***************
202*** 1,17 ****
203! .TH squid_ldap_group 8 "7 September 2002" "Squid LDAP Match"
204 .
205 .SH NAME
206 squid_ldap_group - Squid LDAP external acl group helper
207 .
208 .SH SYNOPSIS
209! squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...]
210 .
211 .SH DESCRIPTION
212 This helper allows Squid to connect to a LDAP directory to
213 authorize users via LDAP groups.
214 .P
215 The program operates by searching with a search filter based
216! on the users login name and requested group, and if a match
217 is found it is determined that the user belongs to the group.
218 .
219 .TP
220--- 1,17 ----
221! .TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Group"
222 .
223 .SH NAME
224 squid_ldap_group - Squid LDAP external acl group helper
225 .
226 .SH SYNOPSIS
227! squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI]
228 .
229 .SH DESCRIPTION
230 This helper allows Squid to connect to a LDAP directory to
231 authorize users via LDAP groups.
232 .P
233 The program operates by searching with a search filter based
234! on the users user name and requested group, and if a match
235 is found it is determined that the user belongs to the group.
236 .
237 .TP
238***************
239*** 25,31 ****
240 .TP
241 .B "-g"
242 Specifies that the first query argument sent to the helper by Squid is
243! a extension to the basedn and will be temporarily added infront of the
244 global basedn for this query.
245 .
246 .TP
247--- 25,31 ----
248 .TP
249 .B "-g"
250 Specifies that the first query argument sent to the helper by Squid is
251! a extension to the basedn and will be temporarily added in front of the
252 global basedn for this query.
253 .
254 .TP
255***************
256*** 33,39 ****
257 LDAP search filter used to search the LDAP directory for any
258 matching group memberships.
259 .BR
260! In the filter %u will be replaced by the user login name (or DN if
261 the -F or -u options are used) and %g by the requested group name.
262 .
263 .TP
264--- 33,39 ----
265 LDAP search filter used to search the LDAP directory for any
266 matching group memberships.
267 .BR
268! In the filter %u will be replaced by the user name (or DN if
269 the -F or -u options are used) and %g by the requested group name.
270 .
271 .TP
272***************
273*** 41,53 ****
274 LDAP search filter used to search the LDAP directory for any
275 matching users.
276 .BR
277! In the filter %s will be replaced by the user login name. If % is to be
278 included literally in the filter then use %%.
279 .
280 .TP
281 .BI "-u " attr
282! LDAP attribute used to construct the user DN from the login name and
283! base dn.
284 .
285 .TP
286 .BI "-s " base|one|sub
287--- 41,53 ----
288 LDAP search filter used to search the LDAP directory for any
289 matching users.
290 .BR
291! In the filter %s will be replaced by the user name. If % is to be
292 included literally in the filter then use %%.
293 .
294 .TP
295 .BI "-u " attr
296! LDAP attribute used to construct the user DN from the user name and
297! base dn without needing to search for the user.
298 .
299 .TP
300 .BI "-s " base|one|sub
301***************
302*** 72,81 ****
303 extracts the password used from a process listing.
304 .
305 .TP
306 .BI -P
307 Use a persistent LDAP connection. Normally the LDAP connection
308! is only open while validating a username to preserve resources
309! at the LDAP server. This option causes the LDAP connection to
310 be kept open, allowing it to be reused for further user
311 validations. Recommended for larger installations.
312 .
313--- 72,91 ----
314 extracts the password used from a process listing.
315 .
316 .TP
317+ .BI "-D " "binddn " "-W " "secretfile "
318+ The DN and the name of a file containing the password
319+ to bind as while performing searches.
320+ .IP
321+ Less insecure version of the former parameter pair with two advantages:
322+ The password does not occur in the process listing,
323+ and the password is not being compromised if someone gets the squid
324+ configuration file without getting the secretfile.
325+ .
326+ .TP
327 .BI -P
328 Use a persistent LDAP connection. Normally the LDAP connection
329! is only open while verifying a users group membership to preserve
330! resources at the LDAP server. This option causes the LDAP connection to
331 be kept open, allowing it to be reused for further user
332 validations. Recommended for larger installations.
333 .
334***************
335*** 97,102 ****
336--- 107,116 ----
337 the base object
338 .
339 .TP
340+ .BI -H " ldapuri"
341+ Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
342+ .
343+ .TP
344 .BI -h " ldapserver"
345 Specify the LDAP server to connect to
346 .TP
347***************
348*** 105,112 ****
349 other than the default LDAP port 389.
350 .
351 .TP
352 .BI -S
353! Strip NT domain name component from usernames (/ or \\ separated)
354 .
355 .SH SQUID CONFIGURATION
356 .
357--- 119,142 ----
358 other than the default LDAP port 389.
359 .
360 .TP
361+ .BI -Z
362+ Use TLS encryption
363+ .
364+ .TP
365+ .BI -E certpath
366+ Enable LDAP over SSL (requires Netscape LDAP API libraries)
367+ .
368+ .TP
369+ .BI -c connect_timeout
370+ Specify timeout used when connecting to LDAP servers (requires
371+ Netscape LDAP API libraries)
372+ .TP
373+ .BI -t search_timeout
374+ Specify time limit on LDAP search operations
375+ .
376+ .TP
377 .BI -S
378! Strip NT domain name component from user names (/ or \\ separated)
379 .
380 .SH SQUID CONFIGURATION
381 .
382***************
383*** 117,131 ****
384 .nf
385 external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
386 .br
387! acl group1 ldap_group Group1
388 .br
389! acl group2 ldap_gorup Group2
390 .fi
391 .ft
392 .
393 .SH NOTES
394 .
395! When constructing search filters it is strongly recommended to test the filter
396 using ldapsearch before you attempt to use squid_ldap_group. This to verify
397 that the filter matches what you expect.
398 .
399--- 147,161 ----
400 .nf
401 external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
402 .br
403! acl group1 external ldap_group Group1
404 .br
405! acl group2 external ldap_group Group2
406 .fi
407 .ft
408 .
409 .SH NOTES
410 .
411! When constructing search filters it is recommended to first test the filter
412 using ldapsearch before you attempt to use squid_ldap_group. This to verify
413 that the filter matches what you expect.
414 .
415***************
416*** 141,147 ****
417 .I Glen Newton <glen.newton@nrc.ca>
418 .
419 .SH KNOWN LIMITATIONS
420! Max 16 occurances of %s in the -u argument is supported.
421 .
422 .SH QUESTIONS
423 Any questions on usage can be sent to
424--- 171,177 ----
425 .I Glen Newton <glen.newton@nrc.ca>
426 .
427 .SH KNOWN LIMITATIONS
428! Max 16 occurrences of %s in the -u argument is supported.
429 .
430 .SH QUESTIONS
431 Any questions on usage can be sent to
432Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c
433diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.11 squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.13
434*** squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.11 Sat Jan 11 06:07:08 2003
435--- squid/helpers/external_acl/ldap_group/squid_ldap_group.c Fri Nov 21 10:13:58 2003
436***************
437*** 13,20 ****
438 * Henrik Nordstrom <hno@marasystems.com>
439 * MARA Systems AB, Sweden <http://www.marasystems.com>
440 *
441! * With contributions from others mentioned in the change histor section
442! * below.
443 *
444 * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom.
445 *
446--- 13,19 ----
447 * Henrik Nordstrom <hno@marasystems.com>
448 * MARA Systems AB, Sweden <http://www.marasystems.com>
449 *
450! * With contributions from others mentioned in the ChangeLog file
451 *
452 * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom.
453 *
454***************
455*** 32,124 ****
456 * and/or modify it under the terms of the GNU General Public License
457 * as published by the Free Software Foundation; either version 2,
458 * or (at your option) any later version.
459- *
460- * History:
461- *
462- * Version 2.10
463- * 2003-01-07 Jon Kinred
464- * Fixed user search mode (-F/-u) when -g is not used
465- * Version 2.9
466- * 2003-01-03 Henrik Nordstrom <hno@marasystems.com>
467- * Fixed missing string termination on ldap_escape_vale,
468- * and corrected build problem with LDAPv2 libraries
469- * Version 2.8
470- * 2002-11-27 Henrik Nordstrom <hno@marasystems.com>
471- * Replacement for ldap_build_filter. Also changed
472- * the % codes to %u (user) and %g (group) which
473- * is a bit more intuitive.
474- * 2002-11-21 Gerard Eviston
475- * Fix ldap_search_s error management. This fixes
476- * a core dump if there is a LDAP search filter
477- * syntax error (possibly caused by malformed input).
478- * Version 2.7
479- * 2002-10-22: Henrik Nordstrom <hno@marasystems.com>
480- * strwordtok bugfix
481- * Version 2.6
482- * 2002-09-21: Gerard Eviston
483- * -S option to strip NT domain names from
484- * login names
485- * Version 2.5
486- * 2002-09-09: Henrik Nordstrom <hno@marasystems.com>
487- * Added support for user DN lookups
488- * (-u -B -F options)
489- * Version 2.4
490- * 2002-09-06: Henrik Nordstrom <hno@marasystems.com>
491- * Many bugfixes in connection management
492- * -g option added, and added support
493- * for multiple groups. Prior versions
494- * only supported one group and an optional
495- * group base RDN
496- * Version 2.3
497- * 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
498- * Minor cleanups
499- * Version 2.2
500- * 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
501- * Merged changes from squid_ldap_auth.c
502- * - TLS support (Michael Cunningham)
503- * - -p option to specify port
504- * Documented the % codes to use in -f
505- * Version 2.1
506- * 2002-08-21: Henrik Nordstrom <hno@marasystems.com>
507- * Support groups or usernames having spaces
508- * Version 2.0
509- * 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
510- * Added optional third query argument for search RDN
511- * 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
512- * Removed unused options, and fully changed name
513- * to squid_ldap_group.
514- * Version 1.0
515- * 2001-07-17: Flavio Pescuma <flavio@marasystems.com>
516- * Using the main function from squid_ldap_auth
517- * wrote squid_ldap_group. This program replaces
518- * the %a and %v (ldapfilter.conf) from the filter
519- * template supplied with -f with the two arguments
520- * sent by squid. Returns OK if the ldap_search
521- * using the composed filter succeeds.
522- *
523- * Changes from squid_ldap_auth.c:
524- *
525- * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
526- * - Added TLS support and partial ldap version 3 support.
527- * 2001-09-05: Henrik Nordstrom <hno@squid-cache.org>
528- * - Added ability to specify another default LDAP port to
529- * connect to. Persistent connections moved to -P
530- * 2001-05-02: Henrik Nordstrom <hno@squid-cache.org>
531- * - Support newer OpenLDAP 2.x libraries using the
532- * revised Internet Draft API which unfortunately
533- * is not backwards compatible with RFC1823..
534- * 2001-04-15: Henrik Nordstrom <hno@squid-cache.org>
535- * - Added command line option for basedn
536- * - Added the ability to search for the user DN
537- * 2001-04-16: Henrik Nordstrom <hno@squid-cache.org>
538- * - Added -D binddn -w bindpasswd.
539- * 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
540- * - Added -R to disable referrals
541- * - Added -a to control alias dereferencing
542- * 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
543- * - Added -u, DN username attribute name
544- * 2001-04-18: Henrik Nordstrom <hno@squid-cache.org>
545- * - Allow full filter specifications in -f
546 */
547
548 #include <stdio.h>
549--- 31,36 ----
550***************
551*** 126,133 ****
552 #include <stdlib.h>
553 #include <ctype.h>
554 #include <lber.h>
555- #include <ldap_cdefs.h>
556 #include <ldap.h>
557
558 #define PROGRAM_NAME "squid_ldap_group"
559
560--- 38,47 ----
561 #include <stdlib.h>
562 #include <ctype.h>
563 #include <lber.h>
564 #include <ldap.h>
565+ #if defined(LDAP_OPT_NETWORK_TIMEOUT)
566+ #include <sys/time.h>
567+ #endif
568
569 #define PROGRAM_NAME "squid_ldap_group"
570
571***************
572*** 145,150 ****
573--- 59,70 ----
574 static int noreferrals = 0;
575 static int debug = 0;
576 static int aliasderef = LDAP_DEREF_NEVER;
577+ #if defined(NETSCAPE_SSL)
578+ static char *sslpath = NULL;
579+ static int sslinit = 0;
580+ #endif
581+ static int connect_timeout = 0;
582+ static int timelimit = LDAP_NO_LIMIT;
583
584 #ifdef LDAP_VERSION3
585 /* Added for TLS support and version 3 */
586***************
587*** 154,159 ****
588--- 74,81 ----
589
590 static int searchLDAP(LDAP * ld, char *group, char *user, char *extension_dn);
591
592+ static int readSecret(char *filename);
593+
594 /* Yuck.. we need to glue to different versions of the API */
595
596 #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
597***************
598*** 175,180 ****
599--- 97,120 ----
600 int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
601 ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
602 }
603+ static void
604+ squid_ldap_set_timelimit(LDAP *ld, int timelimit)
605+ {
606+ ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit);
607+ }
608+ static void
609+ squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
610+ {
611+ #if defined(LDAP_OPT_NETWORK_TIMEOUT)
612+ struct timeval tv;
613+ tv.tv_sec = timelimit;
614+ tv.tv_usec = 0;
615+ ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
616+ #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
617+ timelimit *= 1000;
618+ ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit);
619+ #endif
620+ }
621 static void
622 squid_ldap_memfree(char *p)
623 {
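Review bot: Neither `ldap_set_option()` call in the two new OpenLDAP-side helpers checks its return code, so a library that rejects `LDAP_OPT_TIMELIMIT` or `LDAP_OPT_NETWORK_TIMEOUT` leaves the helper with no timeout and no diagnostic, which is exactly the hang that `-c`/`-t` were added to avoid. The `timelimit *= 1000;` in the `LDAP_X_OPT_CONNECT_TIMEOUT` branch can also overflow `int` for a large `-c` value, since the option is parsed with `atoi()` elsewhere in the patch without a range check. At minimum report the failure, e.g. `if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv) != LDAP_SUCCESS) fprintf(stderr, PROGRAM_NAME " WARNING: could not set connect timeout\n");`, and do the same for the time limit.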
624***************
625*** 199,204 ****
626--- 139,154 ----
627 else
628 ld->ld_options &= ~LDAP_OPT_REFERRALS;
629 }
630+ static void
631+ squid_ldap_set_timelimit(LDAP *ld, int timelimit)
632+ {
633+ ld->ld_timelimit = timelimit;
634+ }
635+ static void
636+ squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
637+ {
638+ fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");
639+ }
640 static void
641 squid_ldap_memfree(char *p)
642 {
643***************
644*** 206,211 ****
645--- 156,167 ----
646 }
647 #endif
648
649+ #ifdef LDAP_API_FEATURE_X_OPENLDAP
650+ #if LDAP_VENDOR_VERSION > 194
651+ #define HAS_URI_SUPPORT 1
652+ #endif
653+ #endif
654+
655 static char *
656 strwordtok(char *buf, char **t)
657 {
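Review bot: The threshold `LDAP_VENDOR_VERSION > 194` that gates `HAS_URI_SUPPORT` is a bare magic number with no comment saying which OpenLDAP release boundary it encodes, which makes it hard to audit when the library is upgraded. A one-line comment such as `/* ldap_initialize() / LDAP URIs need OpenLDAP 2.x; 1.x vendor versions are below 194 -- confirm against OpenLDAP's ldap_features.h */` would document the intent; the exact cut-off is presumably the 1.2/2.0 boundary but cannot be verified from this patch.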
658***************
659*** 290,295 ****
660--- 246,257 ----
661 argv++;
662 argc--;
663 switch (option) {
664+ case 'H':
665+ #if !HAS_URI_SUPPORT
666+ fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
667+ exit(1);
668+ #endif
669+ /* Fall thru to -h */
670 case 'h':
671 if (ldapServer) {
672 int len = strlen(ldapServer) + 1 + strlen(value) + 1;
673***************
674*** 301,307 ****
675 ldapServer = strdup(value);
676 }
677 break;
678-
679 case 'b':
680 basedn = value;
681 break;
682--- 263,268 ----
683***************
684*** 329,334 ****
685--- 290,311 ----
686 exit(1);
687 }
688 break;
689+ case 'S':
690+ #if defined(NETSCAPE_SSL)
691+ sslpath = value;
692+ if (port == LDAP_PORT)
693+ port = LDAPS_PORT;
694+ #else
695+ fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
696+ exit(1);
697+ #endif
698+ break;
699+ case 'c':
700+ connect_timeout = atoi(value);
701+ break;
702+ case 't':
703+ timelimit = atoi(value);
704+ break;
705 case 'a':
706 if (strcmp(value, "never") == 0)
707 aliasderef = LDAP_DEREF_NEVER;
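Review bot: The new `case 'S':` in this hunk assigns the Netscape SSL certificate path, yet the usage text and manpage in the same commit document that option as `-E`, and the error string on this very branch says "-E unsupported"; the later hunk then turns `case 'S':` (strip NT domain) into `case 'E':`, so the two letters have been transposed. On a non-Netscape build an administrator following the documentation and passing `-S` gets the helper aborted with "ERROR: -E unsupported", while `-E certpath` enables NT-domain stripping and silently leaves the connection on plain LDAP -- a fail-open mistake for an option whose purpose is transport security. The outer switch that decides which letters consume a value is outside the hunk, so whether `value` here would ever hold the certificate path cannot be confirmed from this view. This label should read `case 'E':`, with `case 'S':` kept for strip_nt_domain in the later hunk.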
708***************
709*** 349,354 ****
710--- 326,334 ----
711 case 'w':
712 bindpasswd = value;
713 break;
714+ case 'W':
715+ readSecret (value);
716+ break;
717 case 'P':
718 persistent = !persistent;
719 break;
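Review bot: The return value of `readSecret(value)` is dropped, so an unreadable or empty secret file only prints an error and leaves `bindpasswd` NULL; the bind guard shown in a later hunk, `if (binddn && bindpasswd && *binddn && *bindpasswd)`, then skips the bind and every group lookup runs as an anonymous search. Since the operator explicitly configured credentials with `-W`, failure to load them should be fatal rather than a silent downgrade: `if (readSecret(value) != 0) exit(1);`. The option-parsing loop this case belongs to starts outside the hunk.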
720***************
721*** 388,394 ****
722 case 'g':
723 use_extension_dn = 1;
724 break;
725! case 'S':
726 strip_nt_domain = 1;
727 break;
728 default:
729--- 368,374 ----
730 case 'g':
731 use_extension_dn = 1;
732 break;
733! case 'E':
734 strip_nt_domain = 1;
735 break;
736 default:
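Review bot: Changing this label from `case 'S':` to `case 'E':` contradicts the usage text added by the same commit (`-S Strip NT domain from usernames`), the manpage, and the `-E certpath` SSL option those documents describe; the SSL certificate-path case earlier in the file is the one that received `'S'`. The letters appear to have been transposed between the two cases, so this line should remain `case 'S':`. If the outer option switch (not visible here) still lists `'S'` among the value-less flags, the swap also changes which command-line argument is consumed by each option.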
737***************
738*** 424,440 ****
739 fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
740 fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
741 fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
742 fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
743 fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
744 fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
745 fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
746 fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
747! fprintf(stderr, "\t-v 1|2\t\t\tLDAP version\n");
748 fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
749 fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
750 fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
751 fprintf(stderr, "\n");
752! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n");
753 exit(1);
754 }
755 while (fgets(buf, 256, stdin) != NULL) {
756--- 404,431 ----
757 fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
758 fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
759 fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
760+ fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
761+ #if HAS_URI_SUPPORT
762+ fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
763+ #endif
764 fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
765 fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
766 fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
767+ #if defined(NETSCAPE_SSL)
768+ fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
769+ #endif
770+ fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
771+ fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
772 fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
773 fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
774! #ifdef LDAP_VERSION3
775! fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
776 fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
777+ #endif
778 fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
779 fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
780 fprintf(stderr, "\n");
781! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
782 exit(1);
783 }
784 while (fgets(buf, 256, stdin) != NULL) {
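Review bot: The new `-c timeout` and `-t timelimit` usage lines do not state the unit, although the OpenLDAP path stores the value straight into `tv.tv_sec` and the legacy path into `ld_timelimit`, both seconds. Spell it out so operators do not pass milliseconds: `"\t-c timeout\t\tconnect timeout (seconds)\n"` and `"\t-t timelimit\t\tsearch time limit (seconds)\n"`. The usage block is part of a larger function whose start is outside the hunk.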
785***************
786*** 455,465 ****
787
788 recover:
789 if (ld == NULL) {
790 if ((ld = ldap_init(ldapServer, port)) == NULL) {
791! fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",
792! ldapServer, port);
793 break;
794 }
795 #ifdef LDAP_VERSION3
796 if (version == -1) {
797 version = LDAP_VERSION2;
798--- 446,484 ----
799
800 recover:
801 if (ld == NULL) {
802+ #if HAS_URI_SUPPORT
803+ if (strstr(ldapServer, "://") != NULL) {
804+ rc = ldap_initialize( &ld, ldapServer );
805+ if( rc != LDAP_SUCCESS ) {
806+ fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
807+ break;
808+ }
809+ } else
810+ #endif
811+ #if NETSCAPE_SSL
812+ if (sslpath) {
813+ if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
814+ fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
815+ sslpath);
816+ exit(1);
817+ } else {
818+ sslinit++;
819+ }
820+ if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
821+ fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
822+ ldapServer, port);
823+ exit(1);
824+ }
825+ } else
826+ #endif
827 if ((ld = ldap_init(ldapServer, port)) == NULL) {
828! fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",ldapServer, port);
829 break;
830 }
831+
832+ if (connect_timeout)
833+ squid_ldap_set_connect_timeout(ld, connect_timeout);
834+
835 #ifdef LDAP_VERSION3
836 if (version == -1) {
837 version = LDAP_VERSION2;
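Review bot: Failure handling across the three new connection paths is inconsistent: the Netscape SSL branch calls `exit(1)` when `ldapssl_client_init()` or `ldapssl_init()` fails, while an `ldap_initialize()` or `ldap_init()` failure does `break`, and the `ldap_initialize()` message discards the `rc` that would explain why. Either outcome ends the helper without answering the request just read from stdin, so pick one behaviour and at least keep the reason: `fprintf(stderr, "\nUnable to connect to LDAPURI:%s (%s)\n", ldapServer, ldap_err2string(rc));`. Also worth a comment for operators: nothing in this hunk configures peer-certificate checking for an `ldaps://` URI or `-Z`, so verification presumably depends on the OpenLDAP client configuration (`TLS_REQCERT`) -- confirm and state it in the manpage. The request loop this block lives in starts outside the hunk.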
838***************
839*** 479,484 ****
840--- 498,504 ----
841 break;
842 }
843 #endif
844+ squid_ldap_set_timelimit(ld, timelimit);
845 squid_ldap_set_referrals(ld, !noreferrals);
846 squid_ldap_set_aliasderef(ld, aliasderef);
847 if (binddn && bindpasswd && *binddn && *bindpasswd) {
848***************
849*** 622,628 ****
850 }
851
852 if (debug)
853! fprintf(stderr, "filter %s\n", filter);
854
855 rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
856 if (rc != LDAP_SUCCESS) {
857--- 642,648 ----
858 }
859
860 if (debug)
861! fprintf(stderr, "group filter '%s', searchbase '%s'\n", filter, searchbase);
862
863 rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
864 if (rc != LDAP_SUCCESS) {
865***************
866*** 632,637 ****
867--- 652,663 ----
868 */
869 } else {
870 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
871+ #if defined(NETSCAPE_SSL)
872+ if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
873+ int sslerr = PORT_GetError();
874+ fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
875+ }
876+ #endif
877 ldap_msgfree(res);
878 return 1;
879 }
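Review bot: The `NETSCAPE_SSL` error-reporting block added here is duplicated verbatim in the user-search hunk further down, and `PORT_GetError()` is an NSPR call whose header does not appear among the includes visible in this patch, so both copies rely on it arriving transitively. Factor it into a single `static void report_ssl_error(int rc)` next to the other `squid_ldap_*` wrappers so the include dependency and the `LDAP_SERVER_DOWN`/`LDAP_CONNECT_ERROR` check live in one place. The enclosing search function starts outside the hunk.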
880***************
881*** 664,670 ****
882 ldap_escape_value(escaped_login, sizeof(escaped_login), login);
883 snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
884 if (debug)
885! fprintf(stderr, "user filter %s\n", filter);
886 rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
887 if (rc != LDAP_SUCCESS) {
888 if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
889--- 690,696 ----
890 ldap_escape_value(escaped_login, sizeof(escaped_login), login);
891 snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
892 if (debug)
893! fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase);
894 rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
895 if (rc != LDAP_SUCCESS) {
896 if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
897***************
898*** 673,685 ****
899 */
900 } else {
901 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
902 ldap_msgfree(res);
903 return 1;
904 }
905 }
906 entry = ldap_first_entry(ld, res);
907 if (!entry) {
908! fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found\n", filter);
909 ldap_msgfree(res);
910 return 1;
911 }
912--- 699,717 ----
913 */
914 } else {
915 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
916+ #if defined(NETSCAPE_SSL)
917+ if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
918+ int sslerr = PORT_GetError();
919+ fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
920+ }
921+ #endif
922 ldap_msgfree(res);
923 return 1;
924 }
925 }
926 entry = ldap_first_entry(ld, res);
927 if (!entry) {
928! fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found in '%s'\n", login, searchbase);
929 ldap_msgfree(res);
930 return 1;
931 }
932***************
933*** 698,701 ****
934--- 730,767 ----
935 } else {
936 return searchLDAPGroup(ld, group, login, extension_dn);
937 }
938+ }
939+
940+
941+ int readSecret(char *filename)
942+ {
943+ char buf[BUFSIZ];
944+ char *e=0;
945+ FILE *f;
946+
947+ if(!(f=fopen(filename, "r"))) {
948+ fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
949+ return 1;
950+ }
951+
952+ if( !fgets(buf, sizeof(buf)-1, f)) {
953+ fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
954+ fclose(f);
955+ return 1;
956+ }
957+
958+ /* strip whitespaces on end */
959+ if((e = strrchr(buf, '\n'))) *e = 0;
960+ if((e = strrchr(buf, '\r'))) *e = 0;
961+
962+ bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1);
963+ if (bindpasswd) {
964+ strcpy(bindpasswd, buf);
965+ } else {
966+ fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
967+ }
968+
969+ fclose(f);
970+
971+ return 0;
972 }
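Review bot: `readSecret()` returns 0 (success) after a failed `calloc()` even though `bindpasswd` stays NULL, and a secret file whose first line is blank yields `bindpasswd == ""`; in both cases the bind guard `if (binddn && bindpasswd && *binddn && *bindpasswd)` from the earlier hunk silently turns every lookup into an anonymous search. The function is also defined without `static` although the prototype added by this patch is `static int readSecret(char *filename);`, and the `calloc()`+`strcpy()` pair is just `strdup()`, which the file already uses for `-h`. The rewrite below makes both failure paths return 1 and rejects an empty password. A follow-up `fstat()` check that warns when the secret file is group- or world-readable would be worthwhile, since the manpage sells `-W` as the way to keep the password out of the configuration.
```c
static int
readSecret(char *filename)
{
    char buf[BUFSIZ];
    char *e;
    FILE *f;

    if (!(f = fopen(filename, "r"))) {
        fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
        return 1;
    }
    if (!fgets(buf, sizeof(buf), f)) {
        fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
        fclose(f);
        return 1;
    }
    fclose(f);

    /* strip trailing newline / carriage return */
    if ((e = strrchr(buf, '\n')))
        *e = 0;
    if ((e = strrchr(buf, '\r')))
        *e = 0;

    /* An empty password would make the later bind check skip the bind
     * entirely (anonymous search), so treat it as a configuration error. */
    if (!*buf) {
        fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s contains an empty password\n", filename);
        return 1;
    }
    bindpasswd = strdup(buf);
    if (!bindpasswd) {
        fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
        return 1;
    }
    return 0;
}
```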
973Index: squid/helpers/external_acl/ldap_group/Makefile.in
974diff -c squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.5 squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.6
975*** squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.5 Tue Feb 11 19:02:43 2003
976--- squid/helpers/external_acl/ldap_group/Makefile.in Wed Nov 19 17:43:41 2003
977***************
978*** 155,161 ****
979
980 NROFF = nroff
981 MANS = $(man_MANS)
982! DIST_COMMON = Makefile.am Makefile.in
983 SOURCES = $(squid_ldap_group_SOURCES)
984
985 all: all-am
986--- 155,161 ----
987
988 NROFF = nroff
989 MANS = $(man_MANS)
990! DIST_COMMON = README ChangeLog Makefile.am Makefile.in
991 SOURCES = $(squid_ldap_group_SOURCES)
992
993 all: all-am