230f348a AM |
1 | Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 |
2 | diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.4 squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.5 | |
3 | *** squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.4 Wed Feb 18 09:15:52 2004 | |
4 | --- squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 Tue Mar 2 02:13:29 2004 | |
5 | *************** | |
6 | *** 132,137 **** | |
7 | --- 132,143 ---- | |
8 | .BI -t search_timeout | |
9 | Specify time limit on LDAP search operations | |
10 | . | |
11 | + .TP | |
12 | + .BU -d | |
13 | + Debug mode where each step taken will get reported in detail. | |
14 | + Useful for understanding what goes wrong if the results is | |
15 | + not what is expected. | |
16 | + . | |
17 | .SH EXAMPLES | |
18 | For directories using the RFC2307 layout with a single domain, all | |
19 | you need to specify is usually the base DN under where your users | |
20 | Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c | |
21 | diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.8 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.10 | |
22 | *** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.8 Mon Jan 5 06:12:11 2004 | |
23 | --- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c Thu Mar 4 02:37:38 2004 | |
24 | *************** | |
25 | *** 30,35 **** | |
26 | --- 30,39 ---- | |
27 | * or (at your option) any later version. | |
28 | * | |
29 | * Changes: | |
30 | + * 2004-03-01: Henrik Nordstrom <hno@squid-cache.org> | |
31 | + * - corrected building of search filters to escape | |
32 | + * unsafe input | |
33 | + * - -d option for "debug" like squid_ldap_group | |
34 | * 2004-01-05: Henrik Nordstrom <hno@squid-cache.org> | |
35 | * - Corrected TLS mode | |
36 | * 2003-03-01: David J N Begley | |
37 | *************** | |
38 | *** 95,100 **** | |
39 | --- 99,105 ---- | |
40 | #endif | |
41 | static int connect_timeout = 0; | |
42 | static int timelimit = LDAP_NO_LIMIT; | |
43 | + static int debug = 0; | |
44 | ||
45 | /* Added for TLS support and version 3 */ | |
46 | static int use_tls = 0; | |
47 | *************** | |
48 | *** 208,213 **** | |
49 | --- 213,219 ---- | |
50 | case 'R': | |
51 | case 'z': | |
52 | case 'Z': | |
53 | + case 'd': | |
54 | break; | |
55 | default: | |
56 | if (strlen(argv[1]) > 2) { | |
57 | *************** | |
58 | *** 333,338 **** | |
59 | --- 339,347 ---- | |
60 | use_tls = 1; | |
61 | break; | |
62 | #endif | |
63 | + case 'd': | |
64 | + debug++; | |
65 | + break; | |
66 | default: | |
67 | fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option); | |
68 | exit(1); | |
69 | *************** | |
70 | *** 478,483 **** | |
71 | --- 487,520 ---- | |
72 | } | |
73 | ||
74 | static int | |
75 | + ldap_escape_value(char *escaped, int size, const char *src) | |
76 | + { | |
77 | + int n = 0; | |
78 | + while (size > 4 && *src) { | |
79 | + switch(*src) { | |
80 | + case '*': | |
81 | + case '(': | |
82 | + case ')': | |
83 | + case '\\': | |
84 | + n += 3; | |
85 | + size -= 3; | |
86 | + if (size > 0) { | |
87 | + *escaped++ = '\\'; | |
88 | + snprintf(escaped, 3, "%02x", (unsigned char)*src++); | |
89 | + escaped+=2; | |
90 | + } | |
91 | + break; | |
92 | + default: | |
93 | + *escaped++ = *src++; | |
94 | + n++; | |
95 | + size--; | |
96 | + } | |
97 | + } | |
98 | + *escaped = '\0'; | |
99 | + return n; | |
100 | + } | |
101 | + | |
102 | + static int | |
103 | checkLDAP(LDAP * ld, const char *userid, const char *password) | |
104 | { | |
105 | char dn[256]; | |
106 | *************** | |
107 | *** 490,495 **** | |
108 | --- 527,533 ---- | |
109 | } | |
110 | if (searchfilter) { | |
111 | char filter[256]; | |
112 | + char escaped_login[256]; | |
113 | LDAPMessage *res = NULL; | |
114 | LDAPMessage *entry; | |
115 | char *searchattr[] = | |
116 | *************** | |
117 | *** 497,502 **** | |
118 | --- 535,541 ---- | |
119 | char *userdn; | |
120 | int rc; | |
121 | ||
122 | + ldap_escape_value(escaped_login, sizeof(escaped_login), userid); | |
123 | if (binddn) { | |
124 | rc = ldap_simple_bind_s(ld, binddn, bindpasswd); | |
125 | if (rc != LDAP_SUCCESS) { | |
126 | *************** | |
127 | *** 504,510 **** | |
128 | return 1; | |
129 | } | |
130 | } | |
131 | ! snprintf(filter, sizeof(filter), searchfilter, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid); | |
132 | rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res); | |
133 | if (rc != LDAP_SUCCESS) { | |
134 | if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { | |
135 | --- 543,551 ---- | |
136 | return 1; | |
137 | } | |
138 | } | |
139 | ! snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); | |
140 | ! if (debug) | |
141 | ! fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn); | |
142 | rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res); | |
143 | if (rc != LDAP_SUCCESS) { | |
144 | if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { | |
145 | *************** | |
146 | *** 541,546 **** | |
147 | --- 582,589 ---- | |
148 | snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn); | |
149 | } | |
150 | ||
151 | + if (debug) | |
152 | + fprintf(stderr, "attempting to bind to user '%s'\n", dn); | |
153 | if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS) | |
154 | return 1; | |
155 | ||
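Review bot: `ldap_escape_value` (new lines 490-515 of squid_ldap_auth.c) truncates silently: the loop stops once four or fewer bytes remain, `n` counts only what was written, and the call at new line 538 discards the return value, so an over-long login is searched as its prefix instead of being rejected. Add `if (*src) return -1;` before the final `return n;` and change the call to `if (ldap_escape_value(escaped_login, sizeof(escaped_login), userid) < 0) return 1;`, the same `return 1` checkLDAP (only shown in fragments here) already uses for bind failures. The `snprintf` into `filter` at new line 546 is likewise unchecked, so an escaped login substituted up to fifteen times into a 256-byte buffer can still be cut off. The copy of this function in squid_ldap_group.c (hunk at old lines 558-564) has the same silent truncation. The unescaped `userid` in the `"%s=%s,%s"` DN at new line 582 is outside what this commit set out to fix, but DN values need their own escaping rules, so it is probably worth a follow-up.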
156 | Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.8 | |
157 | diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.4 | |
158 | *** squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 Wed Nov 19 17:41:37 2003 | |
159 | --- squid/helpers/external_acl/ldap_group/squid_ldap_group.8 Tue Mar 2 02:13:29 2004 | |
160 | *************** | |
161 | *** 138,143 **** | |
162 | --- 138,149 ---- | |
163 | .BI -S | |
164 | Strip NT domain name component from user names (/ or \\ separated) | |
165 | . | |
166 | + .TP | |
167 | + .BU -d | |
168 | + Debug mode where each step taken will get reported in detail. | |
169 | + Useful for understanding what goes wrong if the results is | |
170 | + not what is expected. | |
171 | + | |
172 | .SH SQUID CONFIGURATION | |
173 | . | |
174 | This helper is intended to be used as a external_acl_type helper from | |
175 | Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c | |
176 | diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.16 squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.17 | |
177 | *** squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.16 Mon Feb 9 10:04:56 2004 | |
178 | --- squid/helpers/external_acl/ldap_group/squid_ldap_group.c Tue Mar 2 02:13:29 2004 | |
179 | *************** | |
180 | *** 229,234 **** | |
181 | --- 229,235 ---- | |
182 | case 'R': | |
183 | case 'z': | |
184 | case 'Z': | |
185 | + case 'd': | |
186 | case 'g': | |
187 | case 'S': | |
188 | break; | |
189 | *************** | |
190 | *** 558,564 **** | |
191 | size -= 3; | |
192 | if (size > 0) { | |
193 | *escaped++ = '\\'; | |
194 | ! snprintf(escaped, 3, "%02x", (int)*src++); | |
195 | escaped+=2; | |
196 | } | |
197 | break; | |
198 | --- 559,565 ---- | |
199 | size -= 3; | |
200 | if (size > 0) { | |
201 | *escaped++ = '\\'; | |
202 | ! snprintf(escaped, 3, "%02x", (unsigned char)*src++); | |
203 | escaped+=2; | |
204 | } | |
205 | break; |