1 Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.8
2 diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7 squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.1
3 *** squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7 Fri Oct 5 16:30:38 2001
4 --- squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 Thu May 8 14:15:55 2003
7 ! .TH squid_ldap_auth 8 "25 September 2001" "Squid LDAP Auth"
10 squid_ldap_auth - Squid LDAP authentication helper
12 ! .TH squid_ldap_auth 8 "1 Mars 2003" "Squid LDAP Auth"
15 squid_ldap_auth - Squid LDAP authentication helper
19 Squid configuration file.
22 + .BI "-D " "binddn " "-W " "secretfile "
23 + The DN and the name of a file containing the password
24 + to bind as while performing searches.
26 + Less insecure version of the former parameter pair with two advantages:
27 + The password does not occur in the process listing,
28 + and the password is not being compromised if someone gets the squid
29 + configuration file without getting the secretfile.
33 Use a persistent LDAP connection. Normally the LDAP connection
34 is only open while validating a username to preserve resources
42 + Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries)
46 Specify the LDAP server to connect to
49 Specify an alternate TCP port where the ldap server is listening if
50 other than the default LDAP port 389.
58 + Enable LDAP over SSL (requires Netscape LDAP API libraries)
61 + .BI -c connect_timeout
62 + Specify timeout used when connecting to LDAP servers (requires
63 + Netscape LDAP API libraries)
65 + .BI -t search_timeout
66 + Specify time limit on LDAP search operations
69 For directories using the RFC2307 layout with a single domain, all
70 Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
71 diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.4 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.5
72 *** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.4 Mon May 5 18:37:31 2003
73 --- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c Thu May 8 14:15:55 2003
77 * squid_ldap_auth: authentication via ldap for squid proxy server
79 ! * Maintainer: Henrik Nordstrom <hno@squid-cache.org>
81 ! * Author: Glen Newton
85 * National Research Council
87 * Usage: squid_ldap_auth -b basedn [-s searchscope]
88 * [-f searchfilter] [-D binddn -w bindpasswd]
89 * [-u attr] [-h host] [-p port] [-P] [-R] [ldap_server_name[:port]] ...
91 * Dependencies: You need to get the OpenLDAP libraries
92 ! * from http://www.openldap.org
94 * License: squid_ldap_auth is free software; you can redistribute it
95 * and/or modify it under the terms of the GNU General Public License
98 * squid_ldap_auth: authentication via ldap for squid proxy server
102 ! * hno@squid-cache.org
108 * National Research Council
110 + * with contributions from others mentioned in the Changes section below
112 * Usage: squid_ldap_auth -b basedn [-s searchscope]
113 * [-f searchfilter] [-D binddn -w bindpasswd]
114 * [-u attr] [-h host] [-p port] [-P] [-R] [ldap_server_name[:port]] ...
116 * Dependencies: You need to get the OpenLDAP libraries
117 ! * from http://www.openldap.org or another compatible LDAP C-API
120 ! * If you want to make a TLS enabled connection you will also need the
121 ! * OpenSSL libraries linked into openldap. See http://www.openssl.org/
123 * License: squid_ldap_auth is free software; you can redistribute it
124 * and/or modify it under the terms of the GNU General Public License
128 * or (at your option) any later version.
131 + * 2003-03-01: David J N Begley
132 + * - Support for Netscape API method of ldap over SSL
134 + * - Timeout option for better recovery when using
135 + * multiple LDAP servers
136 + * 2003-03-01: Christoph Lechleitner <lech@ibcl.at>
137 + * - Added -W option to read bindpasswd from file
138 + * 2003-03-01: Juerg Michel
139 + * - Added support for ldap URI via the -H option
140 + * (requires OpenLDAP)
141 + * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
142 + * - Added TLS support and partial ldap version 3 support.
143 * 2001-10-04: Henrik Nordstrom <hno@squid-cache.org>
144 * - Be consistent with the other helpers in how
145 * spaces are managed. If there is space characters
151 ! /* Change this to your search base */
153 static char *searchfilter = NULL;
154 static char *binddn = NULL;
159 ! #define PROGRAM_NAME "squid_ldap_auth"
161 ! /* Global options */
163 static char *searchfilter = NULL;
164 static char *binddn = NULL;
168 static int persistent = 0;
169 static int noreferrals = 0;
170 static int aliasderef = LDAP_DEREF_NEVER;
171 + #if defined(NETSCAPE_SSL)
172 + static char *sslpath = NULL;
173 + static int sslinit = 0;
175 + static int connect_timeout = 0;
176 + static int timelimit = LDAP_NO_LIMIT;
178 + /* Added for TLS support and version 3 */
179 + static int use_tls = 0;
180 + static int version = -1;
182 static int checkLDAP(LDAP * ld, char *userid, char *password);
183 + static int readSecret(char *filename);
185 /* Yuck.. we need to glue to different versions of the API */
189 int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
190 ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
195 squid_ldap_errno(LDAP * ld)
197 int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
198 ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
201 ! squid_ldap_set_timelimit(LDAP *ld, int timelimit)
203 ! ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit);
206 ! squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
208 ! #if defined(LDAP_OPT_NETWORK_TIMEOUT)
210 ! tv.tv_sec = timelimit;
212 ! ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
213 ! #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
215 ! ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit);
219 ! squid_ldap_memfree(char *p)
225 squid_ldap_errno(LDAP * ld)
230 ld->ld_options &= ~LDAP_OPT_REFERRALS;
232 + static void squid_ldap_set_timelimit(LDAP *ld, int timelimit)
234 + ld->ld_timelimit = timelimit;
237 + squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
239 + fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");
242 + squid_ldap_memfree(char *p)
248 + #ifdef LDAP_API_FEATURE_X_OPENLDAP
249 + #if LDAP_VENDOR_VERSION > 194
250 + #define HAS_URI_SUPPORT 1
265 if (strlen(argv[1]) > 2) {
273 + #if !HAS_URI_SUPPORT
274 + fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
277 + /* Fall thru to -h */
280 int len = strlen(ldapServer) + 1 + strlen(value) + 1;
283 else if (strcmp(value, "sub") == 0)
284 searchscope = LDAP_SCOPE_SUBTREE;
286 ! fprintf(stderr, "squid_ldap_auth: ERROR: Unknown search scope '%s'\n", value);
291 if (strcmp(value, "never") == 0)
292 aliasderef = LDAP_DEREF_NEVER;
294 else if (strcmp(value, "sub") == 0)
295 searchscope = LDAP_SCOPE_SUBTREE;
297 ! fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown search scope '%s'\n", value);
302 + #if defined(NETSCAPE_SSL)
304 + if (port == LDAP_PORT)
307 + fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
312 + connect_timeout = atoi(value);
315 + timelimit = atoi(value);
318 if (strcmp(value, "never") == 0)
319 aliasderef = LDAP_DEREF_NEVER;
322 else if (strcmp(value, "find") == 0)
323 aliasderef = LDAP_DEREF_FINDING;
325 ! fprintf(stderr, "squid_ldap_auth: ERROR: Unknown alias dereference method '%s'\n", value);
330 else if (strcmp(value, "find") == 0)
331 aliasderef = LDAP_DEREF_FINDING;
333 ! fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown alias dereference method '%s'\n", value);
344 + readSecret (value);
347 persistent = !persistent;
352 noreferrals = !noreferrals;
355 ! fprintf(stderr, "squid_ldap_auth: ERROR: Unknown command line option '%c'\n", option);
361 noreferrals = !noreferrals;
363 + #ifdef LDAP_VERSION3
365 + switch( atoi(value) ) {
367 + version = LDAP_VERSION2;
370 + version = LDAP_VERSION3;
373 + fprintf( stderr, "Protocol version should be 2 or 3\n");
378 + if ( version == LDAP_VERSION2 ) {
379 + fprintf( stderr, "TLS (-Z) is incompatible with version %d\n",
383 + version = LDAP_VERSION3;
388 ! fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option);
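Review bot: The new `-c` and `-t` handlers (`connect_timeout = atoi(value);`, `timelimit = atoi(value);`) accept non-numeric and negative input silently: `-c abc` yields 0, which later disables the connect timeout entirely, and a negative `-t` is passed straight into `LDAP_OPT_TIMELIMIT`. Parsing with `strtol` and rejecting bad values in the same way the other options in this hunk do would keep a misconfiguration visible to the administrator, e.g. `char *end; long v = strtol(value, &end, 10); if (end == value || *end != '\0' || v < 0 || v > INT_MAX) { fprintf(stderr, PROGRAM_NAME ": ERROR: Invalid timeout '%s'\n", value); /* reject as the unknown-option path does */ }`. The page elides lines around this hunk, so the option switch's error exit and the hunk's exact boundaries cannot be confirmed from here.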
394 ldapServer = "localhost";
397 ! fprintf(stderr, "Usage: squid_ldap_auth -b basedn [options] [ldap_server_name[:port]]...\n\n");
398 fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
399 fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
400 fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
401 fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
402 fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
403 fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
404 fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
405 fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
406 fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
407 fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
408 fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
409 fprintf(stderr, "\n");
410 fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
411 ! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n");
414 while (fgets(buf, 256, stdin) != NULL) {
416 ldapServer = "localhost";
419 ! fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn [options] [ldap_server_name[:port]]...\n\n");
420 fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
421 fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
422 fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
423 fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
424 fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
425 fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
426 + fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
427 + #if HAS_URI_SUPPORT
428 + fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
430 fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
431 fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
432 fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
433 + #if defined(NETSCAPE_SSL)
434 + fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
436 + fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
437 + fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
438 fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
439 fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
440 + #ifdef LDAP_VERSION3
441 + fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
442 + fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires LDAP version 3\n");
444 fprintf(stderr, "\n");
445 fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
446 ! fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
449 while (fgets(buf, 256, stdin) != NULL) {
456 + #if HAS_URI_SUPPORT
457 + if (strstr(ldapServer, "://") != NULL) {
458 + int rc = ldap_initialize( &ld, ldapServer );
459 + if( rc != LDAP_SUCCESS ) {
460 + fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
467 + if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
468 + fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
474 + if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
475 + fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
481 if ((ld = ldap_init(ldapServer, port)) == NULL) {
482 fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",
487 + if (connect_timeout)
488 + squid_ldap_set_connect_timeout(ld, connect_timeout);
490 + #ifdef LDAP_VERSION3
491 + if (version == -1 ) {
492 + version = LDAP_VERSION2;
495 + if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
496 + != LDAP_OPT_SUCCESS )
498 + fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
503 + if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS )) {
504 + fprintf( stderr, "Could not Activate TLS connection\n");
508 + squid_ldap_set_timelimit(ld, timelimit);
509 squid_ldap_set_referrals(ld, !noreferrals);
510 squid_ldap_set_aliasderef(ld, aliasderef);
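Review bot: The StartTLS check on the `ldap_start_tls_s` line is inverted: the branch that prints `Could not Activate TLS connection` is entered when the call returns `LDAP_SUCCESS`, so a successful TLS negotiation is reported as a failure, while a failed one (including a server that declines StartTLS) falls through and the helper continues to bind and search over the plaintext connection, which defeats `-Z`. The comparison should read `( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS )`, and the error path must not proceed to the `ldap_simple_bind_s` call so the bind password is never sent unencrypted when TLS was requested. The hunk also only attempts StartTLS when `version == LDAP_VERSION3`; since the `-Z` handler earlier in the diff forces version 3, that is consistent, but a comment saying so would help. Lines around this hunk are elided on the page, so its exact boundaries and the rest of the enclosing connect sequence are not fully visible.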
515 rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
516 if (rc != LDAP_SUCCESS) {
517 ! fprintf(stderr, "squid_ldap_auth: WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
523 rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
524 if (rc != LDAP_SUCCESS) {
525 ! fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
534 ! fprintf(stderr, "squid_ldap_auth: WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
542 ! fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
543 ! #if defined(NETSCAPE_SSL)
544 ! if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
545 ! int sslerr = PORT_GetError();
546 ! fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
555 userdn = ldap_get_dn(ld, entry);
557 ! fprintf(stderr, "squid_ldap_auth: ERROR, could not get user DN for '%s'\n", userid);
561 snprintf(dn, sizeof(dn), "%s", userdn);
565 snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
568 userdn = ldap_get_dn(ld, entry);
570 ! fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid);
574 snprintf(dn, sizeof(dn), "%s", userdn);
575 ! squid_ldap_memfree(userdn);
578 snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
587 + int readSecret(char *filename)
593 + if(!(f=fopen(filename, "r"))) {
594 + fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
598 + if( !fgets(buf, sizeof(buf)-1, f)) {
599 + fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
604 + /* strip whitespaces on end */
605 + if((e = strrchr(buf, '\n'))) *e = 0;
606 + if((e = strrchr(buf, '\r'))) *e = 0;
608 + bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1);
610 + strcpy(bindpasswd, buf);
612 + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");