Arthur de Jong

+ Copyright (C) 2006-2014 Arthur de Jong

+(takes the least number of lookups). The attribute values are user names with

+the format as the uid attribute for posixAccount entries and are returned

+without further processing.

+The second method is to use DN values in the member attribute (attribute names

+can be changed by using the attribute mapping options as described in the

+manual page). This is potentially a lot slower because in the worst case every

+DN has to be looked up in the LDAP server to find the proper value for the uid

+attribute.

+

+If the LDAP server supports the deref control (provided by the deref overlay

+in OpenLDAP) the DN to uid expansing is performed by the LDAP server.

+dc=com) a further lookup is skipped and the uid value from the DN is used.

+

+For other DN values an extra lookup is performed to expand it to a uid. These

+lookups are cached and are configurable with the cache dn2uid configuration

+option.

+ derefctrl.c \

+/*

+ derefctrl.c - replacement function

+

+ Copyright (C) 2013 Arthur de Jong

+

+ This library is free software; you can redistribute it and/or

+ modify it under the terms of the GNU Lesser General Public

+ License as published by the Free Software Foundation; either

+ version 2.1 of the License, or (at your option) any later version.

+

+ This library is distributed in the hope that it will be useful,

+ but WITHOUT ANY WARRANTY; without even the implied warranty of

+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

+ Lesser General Public License for more details.

+

+ You should have received a copy of the GNU Lesser General Public

+ License along with this library; if not, write to the Free Software

+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

+ 02110-1301 USA

+*/

+

+#include "config.h"

+

+#include <stdlib.h>

+#include <lber.h>

+#include <ldap.h>

+#include <string.h>

+

+#include "compat/ldap_compat.h"

+#include "compat/attrs.h"

+

+#ifdef REPLACE_LDAP_CREATE_DEREF_CONTROL

+int replacement_ldap_create_deref_control(LDAP *ld, LDAPDerefSpec *ds,

+ int iscritical, LDAPControl **ctrlp)

+{

+ int rc;

+ struct berval value;

+ if (ctrlp == NULL)

+ return LDAP_PARAM_ERROR;

+ rc = ldap_create_deref_control_value(ld, ds, &value);

+ if (rc != LDAP_SUCCESS)

+ return rc;

+ rc = ldap_control_create(LDAP_CONTROL_X_DEREF, iscritical, &value, 0, ctrlp);

+ if (rc != LDAP_SUCCESS)

+ {

+ ber_memfree(value.bv_val);

+ }

+ return rc;

+}

+#endif /* REPLACE_LDAP_CREATE_DEREF_CONTROL */

+ Copyright (C) 2009-2013 Arthur de Jong

+#ifdef REPLACE_LDAP_CREATE_DEREF_CONTROL

+/* provide a replacement implementation of ldap_create_deref_control() */

+int replacement_ldap_create_deref_control(LDAP *ld, LDAPDerefSpec *ds,

+ int iscritical, LDAPControl **ctrlp);

+#define ldap_create_deref_control(ld, dc, iscritical, ctrlp) \

+ replacement_ldap_create_deref_control(ld, dc, iscritical, ctrlp)

+#endif /* REPLACE_LDAP_CREATE_DEREF_CONTROL */

+

+#ifndef LDAP_CONTROL_X_DEREF

+#define LDAP_CONTROL_X_DEREF "1.3.6.1.4.1.4203.666.5.16"

+#endif /* LDAP_CONTROL_X_DEREF */

+ AC_CHECK_FUNCS(ldap_control_create ldap_create_control ldap_control_find)

+ AC_CHECK_FUNCS(ldap_controls_free ldap_control_free ldap_get_entry_controls)

+ AC_CHECK_FUNCS(ldap_create_deref_control ldap_create_deref_control_value)

+ AC_CHECK_FUNCS(ldap_parse_deref_control ldap_derefresponse_free)

+ # check for broken implementations of ldap_create_deref_control()

+ if test "x$ac_cv_func_ldap_create_deref_control" = "xyes"

+ then

+ # this bug cannot be determined on compile time so we run a

+ # small test program

+ AC_CACHE_CHECK(

+ [ldap_create_deref_control() implementation],

+ nslcd_cv_ldap_create_deref_control_working,

+ [AC_RUN_IFELSE(

+ [AC_LANG_PROGRAM([[

+ #include <stdio.h>

+ #include <lber.h>

+ #include <ldap.h>

+ ]], [[

+ int rc;

+ LDAP *ld;

+ LDAPControl *ctrls[2] = {NULL, NULL};

+ struct LDAPDerefSpec ds[2];

+ char *attrs[2] = {"uid", NULL};

+ ld = ldap_init("localhost", LDAP_PORT);

+ if (ld == NULL)

+ {

+ fprintf(stderr, "ldap_init() failed\n");

+ return 2;

+ }

+ ds[0].derefAttr = "member";

+ ds[0].attributes = attrs;

+ ds[1].derefAttr = NULL;

+ rc = ldap_create_deref_control(ld, ds, 0, &ctrls[0]);

+ if (rc != LDAP_SUCCESS)

+ {

+ fprintf(stderr, "ldap_create_deref_control() failed: %s\n",

+ ldap_err2string(rc));

+ return 2;

+ }

+ if (ldap_control_find(LDAP_CONTROL_X_DEREF, ctrls, NULL) != NULL)

+ return 0;

+ if (ldap_control_find(LDAP_CONTROL_PAGEDRESULTS, ctrls, NULL) != NULL)

+ {

+ fprintf(stderr, "ldap_create_deref_control() created LDAP_CONTROL_PAGEDRESULTS control\n");

+ return 3;

+ }

+ fprintf(stderr, "ldap_create_deref_control() created unknown control\n");

+ return 2;

+ ]])],

+ [nslcd_cv_ldap_create_deref_control_working=ok],

+ [if test "$?" -eq 3; then nslcd_cv_ldap_create_deref_control_working=broken

+ else nslcd_cv_ldap_create_deref_control_working=unknown; fi],

+ [nslcd_cv_ldap_create_deref_control_working=cross])])

+ if test "x$nslcd_cv_ldap_create_deref_control_working" != "xok"

+ then

+ AC_MSG_NOTICE([using replacement ldap_create_deref_control()])

+ AC_LIBOBJ(derefctrl)

+ AC_DEFINE(REPLACE_LDAP_CREATE_DEREF_CONTROL, 1,

+ [Define to 1 if ldap_create_deref_control() is broken.])

+ fi

+ fi

+

+/* the attribute list for bymember searches (without member attributes) */

+static const char **group_bymember_attrs = NULL;

+

+ /* set up bymember attribute list */

+ set = set_new();

+ attmap_add_attributes(set, attmap_group_cn);

+ attmap_add_attributes(set, attmap_group_userPassword);

+ attmap_add_attributes(set, attmap_group_gidNumber);

+ group_bymember_attrs = set_tolist(set);

+ if (group_bymember_attrs == NULL)

+ {

+ log_log(LOG_CRIT, "malloc() failed to allocate memory");

+ exit(EXIT_FAILURE);

+ }

+ set_free(set);

+ const char ***derefs;

+ /* add deref'd entries if we have them*/

+ derefs = myldap_get_deref_values(entry, attmap_group_member, attmap_passwd_uid);

+ if (derefs != NULL)

+ {

+ /* add deref'd uid attributes */

+ for (i = 0; derefs[0][i] != NULL; i++)

+ set_add(members, derefs[0][i]);

+ /* add non-deref'd attribute values as subgroups */

+ for (i = 0; derefs[1][i] != NULL; i++)

+ {

+ if ((seen == NULL) || (!set_contains(seen, derefs[1][i])))

+ {

+ if (seen != NULL)

+ set_add(seen, derefs[1][i]);

+ if (subgroups != NULL)

+ set_add(subgroups, derefs[1][i]);

+ }

+ }

+ return; /* no need to parse the member attribute ourselves */

+ }

+ group_bymember_attrs, NULL);

+ search = myldap_search(session, base, group_scope, filter, group_bymember_attrs, NULL);

+ Copyright (C) 2006-2007 West Consulting

+ Copyright (C) 2006-2014 Arthur de Jong

+#include "attmap.h"

+/* The maximum number of buffers (used for ranged attribute values and

+ values returned by bervalues_to_values()) that may be stored per entry. */

+#define MAX_BUFFERS_PER_ENTRY 8

+ /* a reference to buffers so we can free() them later on */

+ char **buffers[MAX_BUFFERS_PER_ENTRY];

+ for (i = 0; i < MAX_BUFFERS_PER_ENTRY; i++)

+ entry->buffers[i] = NULL;

+ /* free all buffers */

+ for (i = 0; i < MAX_BUFFERS_PER_ENTRY; i++)

+ if (entry->buffers[i] != NULL)

+ free(entry->buffers[i]);

+ int ctrlidx = 0;

+ LDAPControl *serverctrls[3];

+#ifdef HAVE_LDAP_CREATE_DEREF_CONTROL

+ int i;

+ struct LDAPDerefSpec ds[2];

+ char *deref_attrs[2];

+#endif /* HAVE_LDAP_CREATE_DEREF_CONTROL */

+ search->cookie, 0, &serverctrls[ctrlidx]);

+ ctrlidx++;

+ serverctrls[ctrlidx] = NULL;

+ /* if we were paging, failure building the second control is fatal */

+ if (search->cookie != NULL)

+ return rc;

+#ifdef HAVE_LDAP_CREATE_DEREF_CONTROL

+ /* if doing group searches, add deref control to search request

+ (this is currently a bit of a hack and hard-coded for group searches

+ which are detected by requesting the attmap_group_member member

+ attribute) */

+ for (i = 0; search->attrs[i] != NULL; i++)

+ if (strcasecmp(search->attrs[i], attmap_group_member) == 0)

+ {

+ /* attributes from dereff'd entries */

+ deref_attrs[0] = (void *)attmap_passwd_uid;

+ deref_attrs[1] = NULL;

+ /* build deref control */

+ ds[0].derefAttr = (void *)attmap_group_member;

+ ds[0].attributes = deref_attrs;

+ ds[1].derefAttr = NULL;

+ ds[1].attributes = NULL;

+ rc = ldap_create_deref_control(search->session->ld, ds, 0, &serverctrls[ctrlidx]);

+ if (rc == LDAP_SUCCESS)

+ ctrlidx++;

+ else

+ {

+ myldap_err(LOG_WARNING, search->session->ld, rc,

+ "ldap_create_deref_control() failed");

+ serverctrls[ctrlidx] = NULL;

+ }

+ }

+#endif /* HAVE_LDAP_CREATE_DEREF_CONTROL */

+ /* NULL terminate control list */

+ serverctrls[ctrlidx] = NULL;

+ /* clear error flag (perhaps control setting failed) */

+ if (ctrlidx > 0)

+ {

+ rc = LDAP_SUCCESS;

+ if (ldap_set_option(search->session->ld, LDAP_OPT_ERROR_NUMBER, &rc) != LDAP_SUCCESS)

+ log_log(LOG_WARNING, "failed to clear the error flag");

+ }

+ 0, serverctrls[0] == NULL ? NULL : serverctrls,

+ NULL, NULL, LDAP_NO_LIMIT, &msgid);

+ for (ctrlidx = 0; serverctrls[ctrlidx] != NULL; ctrlidx++)

+ ldap_control_free(serverctrls[ctrlidx]);

+ if (rc != LDAP_CONTROL_NOT_FOUND)

+ myldap_err(LOG_WARNING, search->session->ld, rc, "ldap_parse_page_control() failed");

+ rc = do_try_search(search);

+ for (i = 0; i < MAX_BUFFERS_PER_ENTRY; i++)

+ if (entry->buffers[i] == NULL)

+ entry->buffers[i] = values;

+ return (const char **)entry->buffers[i];

+ log_log(LOG_ERR, "ldap_get_values() couldn't store results, increase MAX_BUFFERS_PER_ENTRY");

+ for (i = 0; i < MAX_BUFFERS_PER_ENTRY; i++)

+ if (entry->buffers[i] == NULL)

+ entry->buffers[i] = (char **)values;

+ log_log(LOG_ERR, "myldap_get_values_len() couldn't store results, increase MAX_BUFFERS_PER_ENTRY");

+#ifdef HAVE_LDAP_PARSE_DEREF_CONTROL

+const char ***myldap_get_deref_values(MYLDAP_ENTRY *entry,

+ const char *derefattr, const char *getattr)

+{

+ LDAPControl **entryctrls;

+ LDAPDerefRes *deref, *d;

+ LDAPDerefVal *a;

+ int i, pass;

+ int rc;

+ int found;

+ int counts[2];

+ size_t sizes[2], size;

+ char *buffer = NULL;

+ char ***results = NULL;

+ rc = ldap_get_entry_controls(entry->search->session->ld, entry->search->msg,

+ &entryctrls);

+ if (rc != LDAP_SUCCESS)

+ {

+ myldap_err(LOG_WARNING, entry->search->session->ld, rc,

+ "ldap_get_entry_controls() failed");

+ return NULL;

+ }

+ if (entryctrls == NULL)

+ return NULL;

+ /* see if we can find a deref control */

+ rc = ldap_parse_deref_control(entry->search->session->ld, entryctrls,

+ &deref);

+ if ((rc != LDAP_SUCCESS) || (deref == NULL))

+ {

+ if ((rc != LDAP_SUCCESS) && (rc != LDAP_CONTROL_NOT_FOUND))

+ myldap_err(LOG_WARNING, entry->search->session->ld, rc,

+ "ldap_parse_deref_control() failed");

+ /* clear error flag */

+ rc = LDAP_SUCCESS;

+ if (ldap_set_option(entry->search->session->ld, LDAP_OPT_ERROR_NUMBER,

+ &rc) != LDAP_SUCCESS)

+ log_log(LOG_WARNING, "failed to clear the error flag");

+ ldap_controls_free(entryctrls);

+ return NULL;

+ }

+ /* two passes: one to calculate size, one to store data */

+ for (pass=0; pass < 2; pass++)

+ {

+ /* reset counters and size */

+ for (i = 0; i < 2; i++)

+ {

+ counts[i] = 0;

+ sizes[i] = 0;

+ }

+ /* go over all deref'd attributes and find the one we're looking for */

+ for (d = deref; d != NULL; d = d->next)

+ if ((d->derefAttr != NULL) && (d->derefVal.bv_val != NULL) &&

+ (strcasecmp(derefattr, d->derefAttr) == 0))

+ {

+ /* we should have one d per original attribute value */

+ found = 0;

+ /* go over deref'd attribute values to find the ones we're looking for */

+ for (a = d->attrVals; a != NULL; a = a->next)

+ if ((a->type != NULL) && (a->vals != NULL) &&

+ (strcasecmp(getattr, a->type) == 0))

+ for (i=0; a->vals[i].bv_val != NULL; i++)

+ {

+ found = 1;

+ if (results == NULL)

+ {

+ log_log(LOG_DEBUG, "deref %s %s=%s -> %s=%s",

+ myldap_get_dn(entry), d->derefAttr, d->derefVal.bv_val,

+ a->type, a->vals[i].bv_val);

+ counts[0]++;

+ sizes[0] += strlen(a->vals[i].bv_val) + 1;

+ }

+ else

+ {

+ strcpy(buffer, a->vals[i].bv_val);

+ results[0][counts[0]++] = buffer;

+ buffer += strlen(buffer) + 1;

+ }

+ }

+ if (!found)

+ {

+ if (results == NULL)

+ {

+ log_log(LOG_DEBUG, "no %s deref %s %s=%s", getattr,

+ myldap_get_dn(entry), d->derefAttr, d->derefVal.bv_val);

+ counts[1]++;

+ sizes[1] += strlen(d->derefVal.bv_val) + 1;

+ }

+ else

+ {

+ strcpy(buffer, d->derefVal.bv_val);

+ results[1][counts[1]++] = buffer;

+ buffer += strlen(buffer) + 1;

+ }

+ }

+ }

+ /* allocate memory after first pass */

+ if (results == NULL)

+ {

+ size = sizeof(char **) * 3;

+ for (i = 0; i < 2; i++)

+ size += sizeof(char *) * (counts[i] + 1);

+ for (i = 0; i < 2; i++)

+ size += sizeof(char) * sizes[i];

+ buffer = (char *)malloc(size);

+ if (buffer == NULL)

+ {

+ log_log(LOG_CRIT, "myldap_get_deref_values(): malloc() failed to allocate memory");

+ return NULL;

+ }

+ /* allocate the list of lists */

+ results = (void *)buffer;

+ buffer += sizeof(char **) * 3;

+ /* allocate the lists */

+ for (i = 0; i < 2; i++)

+ {

+ results[i] = (char **)buffer;

+ buffer += sizeof(char *) * (counts[i] + 1);

+ }

+ results[i] = NULL;

+ }

+ }

+ /* NULL terminate the lists */

+ results[0][counts[0]] = NULL;

+ results[1][counts[1]] = NULL;

+ /* free control data */

+ ldap_derefresponse_free(deref);

+ ldap_controls_free(entryctrls);

+ /* store results so we can free it later on */

+ for (i = 0; i < MAX_BUFFERS_PER_ENTRY; i++)

+ if (entry->buffers[i] == NULL)

+ {

+ entry->buffers[i] = (void *)results;

+ return (const char ***)results;

+ }

+ /* we found no room to store the values */

+ log_log(LOG_ERR, "myldap_get_deref_values() couldn't store results, "

+ "increase MAX_BUFFERS_PER_ENTRY");

+ free(results);

+ return NULL;

+}

+#else /* not HAVE_LDAP_PARSE_DEREF_CONTROL */

+const char ***myldap_get_deref_values(MYLDAP_ENTRY UNUSED(*entry),

+ const char UNUSED(*derefattr), const char UNUSED(*getattr))

+{

+ return NULL;

+}

+#endif /* not HAVE_LDAP_PARSE_DEREF_CONTROL */

+

+ Copyright (C) 2007-2014 Arthur de Jong

+/* See if the entry has any deref controls attached to it and deref attr

+ derefattr to get the getattr values. Will return two lists of attribute

+ values. One list of deref'ed attribute values and one list of original

+ attribute values that could not be deref'ed. */

+MUST_USE const char ***myldap_get_deref_values(MYLDAP_ENTRY *entry,

+ const char *derefattr, const char *getattr);

+