From 83a89fc3f61a90275f86981fc32b1daa8e85d1b0 Mon Sep 17 00:00:00 2001 From: Robin Burchell Date: Wed, 28 Nov 2012 17:53:44 +0100 Subject: ldapauth: Rework required attributes code to use only one exit path. This makes the upcoming patch to add optional virtual host support cleaner. --- src/modules/extra/m_ldapauth.cpp | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) (limited to 'src/modules') diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp index 2102b7492..f908e7f76 100644 --- a/src/modules/extra/m_ldapauth.cpp +++ b/src/modules/extra/m_ldapauth.cpp @@ -263,37 +263,35 @@ public: return false; } - if (requiredattributes.empty()) + if (!requiredattributes.empty()) { - ldap_msgfree(msg); - ldapAuthed.set(user,1); - return true; - } + bool authed = false; - bool authed = false; + for (std::vector >::const_iterator it = requiredattributes.begin(); it != requiredattributes.end(); ++it) + { + const std::string &attr = it->first; + const std::string &val = it->second; - for (std::vector >::const_iterator it = requiredattributes.begin(); it != requiredattributes.end(); ++it) - { - const std::string &attr = it->first; - const std::string &val = it->second; + struct berval attr_value; + attr_value.bv_val = const_cast(val.c_str()); + attr_value.bv_len = val.length(); - struct berval attr_value; - attr_value.bv_val = const_cast(val.c_str()); - attr_value.bv_len = val.length(); + ServerInstance->Logs->Log("m_ldapauth", DEBUG, "LDAP compare: %s=%s", attr.c_str(), val.c_str()); - ServerInstance->Logs->Log("m_ldapauth", DEBUG, "LDAP compare: %s=%s", attr.c_str(), val.c_str()); + authed = (ldap_compare_ext_s(conn, ldap_get_dn(conn, entry), attr.c_str(), &attr_value, NULL, NULL) == LDAP_COMPARE_TRUE); - authed = (ldap_compare_ext_s(conn, ldap_get_dn(conn, entry), attr.c_str(), &attr_value, NULL, NULL) == LDAP_COMPARE_TRUE); + if (authed) + break; + } - if (authed) - break; + if (!authed) + { + ldap_msgfree(msg); + return false; + } } ldap_msgfree(msg); - - if (!authed) - return false; - ldapAuthed.set(user,1); return true; } -- cgit v1.2.3 From 2fb2f639ad8b584a6e778569bc871f50d2de2d7e Mon Sep 17 00:00:00 2001 From: Robin Burchell Date: Wed, 28 Nov 2012 17:57:50 +0100 Subject: ldapauth: Add missing verbose logging to required attributes. --- src/modules/extra/m_ldapauth.cpp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/modules') diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp index f908e7f76..70a73ffb5 100644 --- a/src/modules/extra/m_ldapauth.cpp +++ b/src/modules/extra/m_ldapauth.cpp @@ -286,6 +286,8 @@ public: if (!authed) { + if (verbose) + ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (Lacks required LDAP attributes)", user->GetFullRealHost().c_str()); ldap_msgfree(msg); return false; } -- cgit v1.2.3 From e031d194181e09eb9d802f18a415422bb1e61d1c Mon Sep 17 00:00:00 2001 From: Robin Burchell Date: Wed, 28 Nov 2012 19:59:33 +0100 Subject: ldapauth: Allow setting virtual hosts on identification with m_ldapauth. , when set, will be applied to users identifying with ldapauth. The host can also take formatters from fields set on the DN of the user. --- docs/conf/modules.conf.example | 15 +++++++-- src/modules/extra/m_ldapauth.cpp | 70 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 79 insertions(+), 6 deletions(-) (limited to 'src/modules') diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example index 3f40bc7ce..5ddb21baa 100644 --- a/docs/conf/modules.conf.example +++ b/docs/conf/modules.conf.example @@ -972,8 +972,9 @@ # LDAP authentication module: Adds the ability to authenticate users # # via LDAP. This is an extra module which must be enabled explicitly # # by symlinking it from modules/extra, and requires the OpenLDAP libs # -# This modules is in extras. Re-run configure with: ./configure --enable-extras=m_ldapauth.cpp -# and run make install, then uncomment this module to enable it. # +# This modules is in extras. To enable it, Re-run configure with: # +# ./configure --enable-extras=m_ldapauth.cpp # +# and run make install, then uncomment this module. # # # # # # # @@ -987,7 +988,8 @@ # searchscope="subtree" # # binddn="cn=Manager,dc=brainbox,dc=cc" # # bindauth="mysecretpass" # -# verbose="yes"> # +# verbose="yes" # +# host="$uid.$ou.inspircd.org"> # # # # # # # @@ -1030,6 +1032,13 @@ # in which case the list will act as an OR list, that is, the # # authentication will succeed if any of the requirements in the list # # is satisfied. # +# # +# host allows you to change the displayed host of users connecting # +# from ldap. The string supplied takes formatters which are replaced # +# from the DN. For instance, if your DN looks like: # +# uid=w00t,ou=people,dc=inspircd,dc=org, then the formatters uid, ou # +# and dc will be available to you. If a key is given multiple times # +# in the DN, the last appearance will take precedence. # #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # LDAP oper configuration module: Adds the ability to authenticate # diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp index 70a73ffb5..5d4d90d44 100644 --- a/src/modules/extra/m_ldapauth.cpp +++ b/src/modules/extra/m_ldapauth.cpp @@ -41,6 +41,7 @@ class ModuleLDAPAuth : public Module { LocalIntExt ldapAuthed; + LocalStringExt ldapVhost; std::string base; std::string attribute; std::string ldapserver; @@ -48,6 +49,7 @@ class ModuleLDAPAuth : public Module std::string killreason; std::string username; std::string password; + std::string vhost; std::vector whitelistedcidrs; std::vector > requiredattributes; int searchscope; @@ -56,15 +58,17 @@ class ModuleLDAPAuth : public Module LDAP *conn; public: - ModuleLDAPAuth() : ldapAuthed("ldapauth", this) + ModuleLDAPAuth() + : ldapAuthed("ldapauth", this) + , ldapVhost("ldapauth_vhost", this) { conn = NULL; } void init() { - Implementation eventlist[] = { I_OnCheckReady, I_OnRehash, I_OnUserRegister }; - ServerInstance->Modules->Attach(eventlist, this, 3); + Implementation eventlist[] = { I_OnCheckReady, I_OnRehash,I_OnUserRegister, I_OnUserConnect }; + ServerInstance->Modules->Attach(eventlist, this, 4); OnRehash(NULL); } @@ -88,6 +92,7 @@ public: std::string scope = tag->getString("searchscope"); username = tag->getString("binddn"); password = tag->getString("bindauth"); + vhost = tag->getString("host"); verbose = tag->getBool("verbose"); /* Set to true if failed connects should be reported to operators */ useusername = tag->getBool("userfield"); @@ -147,6 +152,42 @@ public: return true; } + std::string SafeReplace(const std::string &text, std::map &replacements) + { + std::string result; + result.reserve(MAXBUF); + + for (unsigned int i = 0; i < text.length(); ++i) { + char c = text[i]; + if (c == '$') { + // find the first nonalpha + i++; + unsigned int start = i; + + while (i < text.length() - 1 && isalpha(text[i + 1])) + ++i; + + std::string key = text.substr(start, (i - start) + 1); + result.append(replacements[key]); + } else { + result.push_back(c); + } + } + + return result; + } + + virtual void OnUserConnect(LocalUser *user) + { + std::string* cc = ldapVhost.get(user); + if (cc) + { + user->ChangeDisplayedHost(cc->c_str()); + ldapVhost.unset(user); + } + } + ModResult OnUserRegister(LocalUser* user) { if ((!allowpattern.empty()) && (InspIRCd::Match(user->nick,allowpattern))) @@ -293,6 +334,29 @@ public: } } + if (!vhost.empty()) + { + irc::commasepstream stream(ldap_get_dn(conn, entry)); + + // mashed map of key:value parts of the DN + std::map dnParts; + + std::string dnPart; + while (stream.GetToken(dnPart)) + { + std::string::size_type pos = dnPart.find('='); + if (pos == std::string::npos) // malformed + continue; + + std::string key = dnPart.substr(0, pos); + std::string value = dnPart.substr(pos + 1, dnPart.length() - pos + 1); // +1s to skip the = itself + dnParts[key] = value; + } + + // change host according to config key + ldapVhost.set(user, SafeReplace(vhost, dnParts)); + } + ldap_msgfree(msg); ldapAuthed.set(user,1); return true; -- cgit v1.2.3 From 1813369adecc1efc9812e90c40c21dc32e4965c9 Mon Sep 17 00:00:00 2001 From: Robin Burchell Date: Wed, 28 Nov 2012 23:27:40 +0100 Subject: ldapauth: fix memory leak ldap_get_dn() results need to be freed. Use a RAII wrapper to do this. Original code by Attila Molnar --- src/modules/extra/m_ldapauth.cpp | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) (limited to 'src/modules') diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp index 5d4d90d44..e2205ca8d 100644 --- a/src/modules/extra/m_ldapauth.cpp +++ b/src/modules/extra/m_ldapauth.cpp @@ -38,6 +38,31 @@ /* $ModDesc: Allow/Deny connections based upon answer from LDAP server */ /* $LinkerFlags: -lldap */ +struct LDAPString +{ + char *str; + + LDAPString(char *Str) + : str(Str) + { + } + + ~LDAPString() + { + ldap_memfree(str); + } + + operator char*() + { + return str; + } + + operator std::string() + { + return str; + } +}; + class ModuleLDAPAuth : public Module { LocalIntExt ldapAuthed; @@ -296,7 +321,8 @@ public: } cred.bv_val = (char*)user->password.data(); cred.bv_len = user->password.length(); - if ((res = ldap_sasl_bind_s(conn, ldap_get_dn(conn, entry), LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) != LDAP_SUCCESS) + LDAPString DN(ldap_get_dn(conn, entry)); + if ((res = ldap_sasl_bind_s(conn, DN, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) != LDAP_SUCCESS) { if (verbose) ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (%s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); @@ -319,7 +345,7 @@ public: ServerInstance->Logs->Log("m_ldapauth", DEBUG, "LDAP compare: %s=%s", attr.c_str(), val.c_str()); - authed = (ldap_compare_ext_s(conn, ldap_get_dn(conn, entry), attr.c_str(), &attr_value, NULL, NULL) == LDAP_COMPARE_TRUE); + authed = (ldap_compare_ext_s(conn, DN, attr.c_str(), &attr_value, NULL, NULL) == LDAP_COMPARE_TRUE); if (authed) break; @@ -336,7 +362,7 @@ public: if (!vhost.empty()) { - irc::commasepstream stream(ldap_get_dn(conn, entry)); + irc::commasepstream stream(DN); // mashed map of key:value parts of the DN std::map dnParts; -- cgit v1.2.3 From 50ea2230637ddc31673cb19d41e6a6dde12487db Mon Sep 17 00:00:00 2001 From: Robin Burchell Date: Thu, 29 Nov 2012 00:14:40 +0100 Subject: ldapauth: RAII returned ldap message. This ensures it is always freed, and coincidentally fixes freeing in the case of LDAP errors. --- src/modules/extra/m_ldapauth.cpp | 51 ++++++++++++++++++++++++++++++++-------- 1 file changed, 41 insertions(+), 10 deletions(-) (limited to 'src/modules') diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp index e2205ca8d..c5de59743 100644 --- a/src/modules/extra/m_ldapauth.cpp +++ b/src/modules/extra/m_ldapauth.cpp @@ -38,16 +38,16 @@ /* $ModDesc: Allow/Deny connections based upon answer from LDAP server */ /* $LinkerFlags: -lldap */ -struct LDAPString +struct RAIILDAPString { char *str; - LDAPString(char *Str) + RAIILDAPString(char *Str) : str(Str) { } - ~LDAPString() + ~RAIILDAPString() { ldap_memfree(str); } @@ -63,6 +63,35 @@ struct LDAPString } }; +struct RAIILDAPMessage +{ + RAIILDAPMessage() + { + } + + ~RAIILDAPMessage() + { + dealloc(); + } + + void dealloc() + { + ldap_msgfree(msg); + } + + operator LDAPMessage*() + { + return msg; + } + + LDAPMessage **operator &() + { + return &msg; + } + + LDAPMessage *msg; +}; + class ModuleLDAPAuth : public Module { LocalIntExt ldapAuthed; @@ -278,7 +307,7 @@ public: } } - LDAPMessage *msg, *entry; + RAIILDAPMessage msg; std::string what = (attribute + "=" + (useusername ? user->ident : user->nick)); if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS) { @@ -287,6 +316,11 @@ public: size_t pos = user->password.find(":"); if (pos != std::string::npos) { + // manpage says we must deallocate regardless of success or failure + // since we're about to do another query (and reset msg), first + // free the old one. + msg.dealloc(); + std::string cutpassword = user->password.substr(0, pos); res = ldap_search_ext_s(conn, base.c_str(), searchscope, cutpassword.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg); @@ -309,24 +343,23 @@ public: { if (verbose) ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP search returned more than one result: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); - ldap_msgfree(msg); return false; } + + LDAPMessage *entry; if ((entry = ldap_first_entry(conn, msg)) == NULL) { if (verbose) ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP search returned no results: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); - ldap_msgfree(msg); return false; } cred.bv_val = (char*)user->password.data(); cred.bv_len = user->password.length(); - LDAPString DN(ldap_get_dn(conn, entry)); + RAIILDAPString DN(ldap_get_dn(conn, entry)); if ((res = ldap_sasl_bind_s(conn, DN, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) != LDAP_SUCCESS) { if (verbose) ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (%s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); - ldap_msgfree(msg); return false; } @@ -355,7 +388,6 @@ public: { if (verbose) ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (Lacks required LDAP attributes)", user->GetFullRealHost().c_str()); - ldap_msgfree(msg); return false; } } @@ -383,7 +415,6 @@ public: ldapVhost.set(user, SafeReplace(vhost, dnParts)); } - ldap_msgfree(msg); ldapAuthed.set(user,1); return true; } -- cgit v1.2.3 From aebe6cfd64aed575f376178375959d9576a7c8be Mon Sep 17 00:00:00 2001 From: Robin Burchell Date: Thu, 29 Nov 2012 10:06:22 +0100 Subject: ldapauth: register both extensions --- src/modules/extra/m_ldapauth.cpp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/modules') diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp index c5de59743..612fb79f6 100644 --- a/src/modules/extra/m_ldapauth.cpp +++ b/src/modules/extra/m_ldapauth.cpp @@ -121,6 +121,8 @@ public: void init() { + ServerInstance->Modules->AddService(ldapAuthed); + ServerInstance->Modules->AddService(ldapVhost); Implementation eventlist[] = { I_OnCheckReady, I_OnRehash,I_OnUserRegister, I_OnUserConnect }; ServerInstance->Modules->Attach(eventlist, this, 4); OnRehash(NULL); -- cgit v1.2.3