author | Robin Burchell <viroteck@viroteck.net> | 2012-04-14 05:12:34 -0700 |
committer | Robin Burchell <viroteck@viroteck.net> | 2012-04-14 05:12:34 -0700 |
commit | 2f8303334f2c5a62bcce47d39e8cf41208a9a296 (patch) | |
tree | 299a02210e380f998b923ac995b07f4a3fbafc4f | |
parent | 9fbbdba61825a2316aa71492138059fd4d157217 (diff) | |
parent | 16cbb628161960eb87d5b2e8bdd62842b8eb0723 (diff) |
Merge pull request #35 from pcarrier/insp20ldap
extras/m_ldapauth: CIDR-based whitelisting
-rw-r--r-- | docs/modules.conf.example | 10 | ||||
-rw-r--r-- | src/modules/extra/m_ldapauth.cpp | 21 |
2 files changed, 31 insertions, 0 deletions
diff --git a/docs/modules.conf.example b/docs/modules.conf.example
index 671c60ce9..b688882d0 100644
--- a/docs/modules.conf.example
+++ b/docs/modules.conf.example
@@ -960,6 +960,8 @@
 # bindauth="mysecretpass" #
 # verbose="yes"> #
 # #
+# <ldapwhitelist cidr="10.42.0.0/16"> #
+# #
 # The baserdn indicates the base DN to search in for users. Usually #
 # this is 'ou=People,dc=yourdomain,dc=yourtld'. #
 # #
@@ -987,6 +989,14 @@
 # allow anonymous searching in which case these two values do not #
 # need defining, otherwise they should be set similar to the examples #
 # above. #
+# #
+# ldapwhitelist indicates that clients connecting from an IP in the #
+# provided CIDR do not need to authenticate against LDAP. It can be #
+# repeated to whitelist multiple CIDRs. #
+
+# ldapwhitelist indicates that clients connecting from the associated #
+# CIDR do to authenticate against LDAP. It can be used multiple #
+# times. #
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # LDAP oper configuration module: Adds the ability to authenticate #
diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp
index 4fae7a2e7..a3d80b8f3 100644
--- a/src/modules/extra/m_ldapauth.cpp
+++ b/src/modules/extra/m_ldapauth.cpp
@@ -46,6 +46,7 @@ class ModuleLDAPAuth : public Module
 std::string killreason;
 std::string username;
 std::string password;
+ std::vector<std::string> whitelistedcidrs;
 int searchscope;
 bool verbose;
 bool useusername;
@@ -73,6 +74,7 @@ public:
 void OnRehash(User* user)
 {
 ConfigReader Conf;
+ whitelistedcidrs.clear();
 base = Conf.ReadValue("ldapauth", "baserdn", 0);
 attribute = Conf.ReadValue("ldapauth", "attribute", 0);
@@ -85,6 +87,16 @@ public:
 verbose = Conf.ReadFlag("ldapauth", "verbose", 0); /* Set to true if failed connects should be reported to operators */
 useusername = Conf.ReadFlag("ldapauth", "userfield", 0);
+ ConfigTagList whitelisttags = ServerInstance->Config->ConfTags("ldapwhitelist");
+
+ for (ConfigIter i = whitelisttags.first; i != whitelisttags.second; ++i)
+ {
+ std::string cidr = i->second->getString("cidr");
+ if (!cidr.empty()) {
+ whitelistedcidrs.push_back(cidr);
+ }
+ }
+
 if (scope == "base")
 searchscope = LDAP_SCOPE_BASE;
 else if (scope == "onelevel")
@@ -128,6 +140,15 @@ public:
 return MOD_RES_PASSTHRU;
 }
+ for (std::vector<std::string>::iterator i = whitelistedcidrs.begin(); i != whitelistedcidrs.end(); i++)
+ {
+ if (InspIRCd::MatchCIDR(user->GetIPString(), *i, ascii_case_insensitive_map))
+ {
+ ldapAuthed.set(user,1);
+ return MOD_RES_PASSTHRU;
+ }
+ }
+
 if (!CheckCredentials(user))
 {
 ServerInstance->Users->QuitUser(user, killreason);
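Review bot: The value read on the new `std::string cidr = i->second->getString("cidr");` line is stored verbatim, with no check at rehash that it is an address with a prefix length, so a mistyped entry is never reported and only shows up later as a whitelist entry that silently never matches (or, if the prefix is much wider than intended, one that exempts far more clients than planned from LDAP); a warning at load time for an entry that does not parse would make that visible to the operator. The loop also deserves a comment stating its contract, e.g. `// Each <ldapwhitelist cidr="..."> tag exempts clients whose IP matches from LDAP authentication; empty cidr values are ignored.` Style: `if (!cidr.empty()) {` puts the brace on the condition line while every other block in this hunk opens its brace on its own line. OnRehash begins before this hunk.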
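Review bot: A client matched by the new whitelist loop is marked `ldapAuthed` and passed through without any notice, so operators have no record of which connections skipped LDAP; the module already has `verbose` for reporting failed connects (read in the rehash hunk above), and the same reporting path should cover a bypass, e.g. `if (verbose) ServerInstance->SNO->WriteToSnoMask('c', "LDAP whitelist: %s matched %s, skipping authentication", user->GetIPString(), i->c_str());`. The match is made against `user->GetIPString()`, so in a setup where the client address is rewritten before this handler runs (a gateway or proxy front end) the whitelist decision follows the rewritten address — presumably intended, but worth a comment above the loop so the operator knows which address is being compared. Minor: `i++` on the iterator should be `++i`, as the rehash loop in this file already does. The enclosing handler starts before this hunk.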