projects / packages / squid.git / blame
| Commit | Line | Data |
|---|---|---|
| 230f348a AM |
1 | Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 |
| 2 | diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.4 squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.5 | |
| 3 | *** squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.4 Wed Feb 18 09:15:52 2004 | |
| 4 | --- squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 Tue Mar 2 02:13:29 2004 | |
| 5 | *************** | |
| 6 | *** 132,137 **** | |
| 7 | --- 132,143 ---- | |
| 8 | .BI -t search_timeout | |
| 9 | Specify time limit on LDAP search operations | |
| 10 | . | |
| 11 | + .TP | |
| 12 | + .BU -d | |
| 13 | + Debug mode where each step taken will get reported in detail. | |
| 14 | + Useful for understanding what goes wrong if the results is | |
| 15 | + not what is expected. | |
| 16 | + . | |
| 17 | .SH EXAMPLES | |
| 18 | For directories using the RFC2307 layout with a single domain, all | |
| 19 | you need to specify is usually the base DN under where your users | |
| 20 | Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c | |
| 21 | diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.8 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.10 | |
| 22 | *** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.8 Mon Jan 5 06:12:11 2004 | |
| 23 | --- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c Thu Mar 4 02:37:38 2004 | |
| 24 | *************** | |
| 25 | *** 30,35 **** | |
| 26 | --- 30,39 ---- | |
| 27 | * or (at your option) any later version. | |
| 28 | * | |
| 29 | * Changes: | |
| 30 | + * 2004-03-01: Henrik Nordstrom <hno@squid-cache.org> | |
| 31 | + * - corrected building of search filters to escape | |
| 32 | + * unsafe input | |
| 33 | + * - -d option for "debug" like squid_ldap_group | |
| 34 | * 2004-01-05: Henrik Nordstrom <hno@squid-cache.org> | |
| 35 | * - Corrected TLS mode | |
| 36 | * 2003-03-01: David J N Begley | |
| 37 | *************** | |
| 38 | *** 95,100 **** | |
| 39 | --- 99,105 ---- | |
| 40 | #endif | |
| 41 | static int connect_timeout = 0; | |
| 42 | static int timelimit = LDAP_NO_LIMIT; | |
| 43 | + static int debug = 0; | |
| 44 | ||
| 45 | /* Added for TLS support and version 3 */ | |
| 46 | static int use_tls = 0; | |
| 47 | *************** | |
| 48 | *** 208,213 **** | |
| 49 | --- 213,219 ---- | |
| 50 | case 'R': | |
| 51 | case 'z': | |
| 52 | case 'Z': | |
| 53 | + case 'd': | |
| 54 | break; | |
| 55 | default: | |
| 56 | if (strlen(argv[1]) > 2) { | |
| 57 | *************** | |
| 58 | *** 333,338 **** | |
| 59 | --- 339,347 ---- | |
| 60 | use_tls = 1; | |
| 61 | break; | |
| 62 | #endif | |
| 63 | + case 'd': | |
| 64 | + debug++; | |
| 65 | + break; | |
| 66 | default: | |
| 67 | fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option); | |
| 68 | exit(1); | |
| 69 | *************** | |
| 70 | *** 478,483 **** | |
| 71 | --- 487,520 ---- | |
| 72 | } | |
| 73 | ||
| 74 | static int | |
| 75 | + ldap_escape_value(char *escaped, int size, const char *src) | |
| 76 | + { | |
| 77 | + int n = 0; | |
| 78 | + while (size > 4 && *src) { | |
| 79 | + switch(*src) { | |
| 80 | + case '*': | |
| 81 | + case '(': | |
| 82 | + case ')': | |
| 83 | + case '\\': | |
| 84 | + n += 3; | |
| 85 | + size -= 3; | |
| 86 | + if (size > 0) { | |
| 87 | + *escaped++ = '\\'; | |
| 88 | + snprintf(escaped, 3, "%02x", (unsigned char)*src++); | |
| 89 | + escaped+=2; | |
| 90 | + } | |
| 91 | + break; | |
| 92 | + default: | |
| 93 | + *escaped++ = *src++; | |
| 94 | + n++; | |
| 95 | + size--; | |
| 96 | + } | |
| 97 | + } | |
| 98 | + *escaped = '\0'; | |
| 99 | + return n; | |
| 100 | + } | |
| 101 | + | |
| 102 | + static int | |
| 103 | checkLDAP(LDAP * ld, const char *userid, const char *password) | |
| 104 | { | |
| 105 | char dn[256]; | |
| 106 | *************** | |
| 107 | *** 490,495 **** | |
| 108 | --- 527,533 ---- | |
| 109 | } | |
| 110 | if (searchfilter) { | |
| 111 | char filter[256]; | |
| 112 | + char escaped_login[256]; | |
| 113 | LDAPMessage *res = NULL; | |
| 114 | LDAPMessage *entry; | |
| 115 | char *searchattr[] = | |
| 116 | *************** | |
| 117 | *** 497,502 **** | |
| 118 | --- 535,541 ---- | |
| 119 | char *userdn; | |
| 120 | int rc; | |
| 121 | ||
| 122 | + ldap_escape_value(escaped_login, sizeof(escaped_login), userid); | |
| 123 | if (binddn) { | |
| 124 | rc = ldap_simple_bind_s(ld, binddn, bindpasswd); | |
| 125 | if (rc != LDAP_SUCCESS) { | |
| 126 | *************** | |
| 127 | *** 504,510 **** | |
| 128 | return 1; | |
| 129 | } | |
| 130 | } | |
| 131 | ! snprintf(filter, sizeof(filter), searchfilter, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid); | |
| 132 | rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res); | |
| 133 | if (rc != LDAP_SUCCESS) { | |
| 134 | if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { | |
| 135 | --- 543,551 ---- | |
| 136 | return 1; | |
| 137 | } | |
| 138 | } | |
| 139 | ! snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); | |
| 140 | ! if (debug) | |
| 141 | ! fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn); | |
| 142 | rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res); | |
| 143 | if (rc != LDAP_SUCCESS) { | |
| 144 | if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { | |
| 145 | *************** | |
| 146 | *** 541,546 **** | |
| 147 | --- 582,589 ---- | |
| 148 | snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn); | |
| 149 | } | |
| 150 | ||
| 151 | + if (debug) | |
| 152 | + fprintf(stderr, "attempting to bind to user '%s'\n", dn); | |
| 153 | if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS) | |
| 154 | return 1; | |
| 155 | ||
| 156 | Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.8 | |
| 157 | diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.4 | |
| 158 | *** squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 Wed Nov 19 17:41:37 2003 | |
| 159 | --- squid/helpers/external_acl/ldap_group/squid_ldap_group.8 Tue Mar 2 02:13:29 2004 | |
| 160 | *************** | |
| 161 | *** 138,143 **** | |
| 162 | --- 138,149 ---- | |
| 163 | .BI -S | |
| 164 | Strip NT domain name component from user names (/ or \\ separated) | |
| 165 | . | |
| 166 | + .TP | |
| 167 | + .BU -d | |
| 168 | + Debug mode where each step taken will get reported in detail. | |
| 169 | + Useful for understanding what goes wrong if the results is | |
| 170 | + not what is expected. | |
| 171 | + | |
| 172 | .SH SQUID CONFIGURATION | |
| 173 | . | |
| 174 | This helper is intended to be used as a external_acl_type helper from | |
| 175 | Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c | |
| 176 | diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.16 squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.17 | |
| 177 | *** squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.16 Mon Feb 9 10:04:56 2004 | |
| 178 | --- squid/helpers/external_acl/ldap_group/squid_ldap_group.c Tue Mar 2 02:13:29 2004 | |
| 179 | *************** | |
| 180 | *** 229,234 **** | |
| 181 | --- 229,235 ---- | |
| 182 | case 'R': | |
| 183 | case 'z': | |
| 184 | case 'Z': | |
| 185 | + case 'd': | |
| 186 | case 'g': | |
| 187 | case 'S': | |
| 188 | break; | |
| 189 | *************** | |
| 190 | *** 558,564 **** | |
| 191 | size -= 3; | |
| 192 | if (size > 0) { | |
| 193 | *escaped++ = '\\'; | |
| 194 | ! snprintf(escaped, 3, "%02x", (int)*src++); | |
| 195 | escaped+=2; | |
| 196 | } | |
| 197 | break; | |
| 198 | --- 559,565 ---- | |
| 199 | size -= 3; | |
| 200 | if (size > 0) { | |
| 201 | *escaped++ = '\\'; | |
| 202 | ! snprintf(escaped, 3, "%02x", (unsigned char)*src++); | |
| 203 | escaped+=2; | |
| 204 | } | |
| 205 | break; |