vlary
Platinum Member | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору /* * squid_ad_auth: authentication via ldap for squid proxy server */ #define LDAP_DEPRECATED 1 #define LDAP_UNICODE 0 #define MAX_USERS 128 #include <sys/time.h> #include <stdio.h> #include <string.h> #include <stdlib.h> #include <ctype.h> /* Some tricks to allow dynamic bind with ldap_start_tls_s entry point at * run time. */ #include <lber.h> #include <ldap.h> #define PROGRAM_NAME "squid_ad_auth" #define xisspace(x) isspace((unsigned char)x) /* Global options */ struct accnt { char name[16]; char pwtext[16]; }; struct accnt users[MAX_USERS]; static const char *basedn; static const char *searchfilter = NULL; static const char *binddn = NULL; static const char *bindpasswd = NULL; static const char *userattr = "cn"; static const char *passwdattr = NULL; static int searchscope = LDAP_SCOPE_SUBTREE; static int cached = 0; static int bind_once = 0; static int noreferrals = 0; static int aliasderef = LDAP_DEREF_NEVER; static int connect_timeout = 0; static int timelimit = LDAP_NO_LIMIT; static int debug = 0; /* Added for TLS support and version 3 */ static int use_tls = 0; static int version = -1; static int checkcache(char *user, char *password) { int n; for(n=0;n<cached;n++) { if(strcmp(user,users[n].name)==0 && strcmp(password,users[n].pwtext)==0) return n; } return -1; } /* Yuck.. we need to glue to different versions of the API */ #ifndef LDAP_NO_ATTRS #define LDAP_NO_ATTRS "1.1" #endif /* * RFC 1738 defines that these characters should be escaped, as well * any non-US-ASCII character or anything between 0x00 - 0x1F. */ static char rfc1738_unsafe_chars[] = { (char) 0x3C, /* < */ (char) 0x3E, /* > */ (char) 0x22, /* " */ (char) 0x23, /* # */ #if 0 /* done in code */ (char) 0x25, /* % */ #endif (char) 0x7B, /* { */ (char) 0x7D, /* } */ (char) 0x7C, /* | */ (char) 0x5C, /* \ */ (char) 0x5E, /* ^ */ (char) 0x7E, /* ~ */ (char) 0x5B, /* [ */ (char) 0x5D, /* ] */ (char) 0x60, /* ` */ (char) 0x27, /* ' */ (char) 0x20 /* space */ }; static char rfc1738_reserved_chars[] = { (char) 0x3b, /* ; */ (char) 0x2f, /* / */ (char) 0x3f, /* ? */ (char) 0x3a, /* : */ (char) 0x40, /* @ */ (char) 0x3d, /* = */ (char) 0x26 /* & */ }; void xfree(void *s) { if(s!=NULL) free(s); } /* * xcalloc() - same as calloc(3). Used for portability. * Never returns NULL; fatal on error. */ void * xcalloc(size_t n, size_t sz) { void *p; if (n < 1) n = 1; if (sz < 1) sz = 1; if ((p = calloc(n, sz)) == NULL) { perror("xcalloc"); exit(1); } return (p); } /* * rfc1738_escape - Returns a static buffer contains the RFC 1738 * compliant, escaped version of the given url. */ static char * rfc1738_do_escape(const char *url, int encode_reserved) { static char *buf; static size_t bufsize = 0; const char *p; char *q; unsigned int i, do_escape; if (buf == NULL || strlen(url) * 3 > bufsize) { xfree(buf); bufsize = strlen(url) * 3 + 1; buf = xcalloc(bufsize, 1); } for (p = url, q = buf; *p != '\0'; p++, q++) { do_escape = 0; /* RFC 1738 defines these chars as unsafe */ for (i = 0; i < sizeof(rfc1738_unsafe_chars); i++) { if (*p == rfc1738_unsafe_chars[i]) { do_escape = 1; break; } } /* Handle % separately */ if (encode_reserved >= 0 && *p == '%') do_escape = 1; /* RFC 1738 defines these chars as reserved */ for (i = 0; i < sizeof(rfc1738_reserved_chars) && encode_reserved > 0; i ++) { if (*p == rfc1738_reserved_chars[i]) { do_escape = 1; break; } } /* RFC 1738 says any control chars (0x00-0x1F) are encoded */ if ((unsigned char) *p <= (unsigned char) 0x1F) { do_escape = 1; } /* RFC 1738 says 0x7f is encoded */ if (*p == (char) 0x7F) { do_escape = 1; } /* RFC 1738 says any non-US-ASCII are encoded */ if (((unsigned char) *p >= (unsigned char) 0x80)) { do_escape = 1; } /* Do the triplet encoding, or just copy the char */ /* note: we do not need snprintf here as q is appropriately * allocated - KA */ if (do_escape == 1) { (void) sprintf(q, "%%%02X", (unsigned char) *p); q += sizeof(char) * 2; } else { *q = *p; } } *q = '\0'; return (buf); } /* * rfc1738_escape - Returns a static buffer that contains the RFC * 1738 compliant, escaped version of the given url. */ char * rfc1738_escape(const char *url) { return rfc1738_do_escape(url, 0); } /* * rfc1738_escape_unescaped - Returns a static buffer that contains * the RFC 1738 compliant, escaped version of the given url. */ char * rfc1738_escape_unescaped(const char *url) { return rfc1738_do_escape(url, -1); } /* * rfc1738_escape_part - Returns a static buffer that contains the * RFC 1738 compliant, escaped version of the given url segment. */ char * rfc1738_escape_part(const char *url) { return rfc1738_do_escape(url, 1); } /* * rfc1738_unescape() - Converts escaped characters (%xy numbers) in * given the string. %% is a %. %ab is the 8-bit hexadecimal number "ab" */ void rfc1738_unescape(char *s) { char hexnum[3]; int i, j; /* i is write, j is read */ unsigned int x; for (i = j = 0; s[j]; i++, j++) { s[i] = s[j]; if (s[i] != '%') continue; if (s[j + 1] == '%') { /* %% case */ j++; continue; } if (s[j + 1] && s[j + 2]) { if (s[j + 1] == '0' && s[j + 2] == '0') { /* %00 case */ j += 2; continue; } hexnum[0] = s[j + 1]; hexnum[1] = s[j + 2]; hexnum[2] = '\0'; if (1 == sscanf(hexnum, "%x", &x)) { s[i] = (char) (0x0ff & x); j += 2; } } } s[i] = '\0'; } #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823 static int squid_ldap_errno(LDAP * ld) { int err = 0; ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); return err; } static void squid_ldap_set_aliasderef(LDAP * ld, int deref) { ldap_set_option(ld, LDAP_OPT_DEREF, &deref); } static void squid_ldap_set_referrals(LDAP * ld, int referrals) { int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF; ldap_set_option(ld, LDAP_OPT_REFERRALS, value); } static void squid_ldap_set_timelimit(LDAP * ld, int timelimit) { ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit); } static void squid_ldap_set_connect_timeout(LDAP * ld, int timelimit) { #if defined(LDAP_OPT_NETWORK_TIMEOUT) struct timeval tv; tv.tv_sec = timelimit; tv.tv_usec = 0; ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT) timelimit *= 1000; ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit); #endif } static void squid_ldap_memfree(char *p) { ldap_memfree(p); } #else static int squid_ldap_errno(LDAP * ld) { return ld->ld_errno; } static void squid_ldap_set_aliasderef(LDAP * ld, int deref) { ld->ld_deref = deref; } static void squid_ldap_set_referrals(LDAP * ld, int referrals) { if (referrals) ld->ld_options |= ~LDAP_OPT_REFERRALS; else ld->ld_options &= ~LDAP_OPT_REFERRALS; } static void squid_ldap_set_timelimit(LDAP * ld, int timelimit) { ld->ld_timelimit = timelimit; } static void squid_ldap_set_connect_timeout(LDAP * ld, int timelimit) { fprintf(stderr, "Connect timeouts not supported in your LDAP library\n"); } static void squid_ldap_memfree(char *p) { free(p); } #endif static LDAP * open_ldap_connection(const char *ldapServer, int port) { LDAP *ld = NULL; if ((ld = ldap_init(ldapServer, port)) == NULL) { fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ldapServer, port); exit(1); } if (connect_timeout) squid_ldap_set_connect_timeout(ld, connect_timeout); #ifdef LDAP_VERSION3 if (version == -1) { version = LDAP_VERSION2; } if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_SUCCESS ) { fprintf(stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", version); exit(1); } #endif squid_ldap_set_timelimit(ld, timelimit); squid_ldap_set_referrals(ld, !noreferrals); squid_ldap_set_aliasderef(ld, aliasderef); return ld; } /* Check the userid & password. * Return 0 on success, 1 on failure */ static int checkLDAP(const char *userid, const char *password, const char *ldapServer, int port) { char dn[1024]; int ret = 0; LDAP *bind_ld = NULL; if (!*password) { /* LDAP can't bind with a blank password. Seen as "anonymous" * and always granted access */ if (debug) fprintf(stderr, "Blank password given\n"); return 1; } snprintf(dn, sizeof(dn), "CN=%s,OU=your_unit,DC=your_domain,DC=com", userid); if (debug) fprintf(stderr, "Attempting to authenticate user '%s'\n", dn); bind_ld = open_ldap_connection(ldapServer, port); if(bind_ld==NULL) { if (debug) fprintf(stderr, "Cannot connect to server %s \n",ldapServer); return 1; } if (ldap_simple_bind_s(bind_ld, dn, password) != LDAP_SUCCESS) ret = 1; ldap_unbind(bind_ld); bind_ld = NULL; return ret; } /* Make a sanity check on the username to reject oddly typed names */ static int validUsername(const char *user) { const unsigned char *p = (const unsigned char *) user; /* Leading whitespace? */ if (xisspace(p[0])) return 0; while (p[0] && p[1]) { if (xisspace(p[0])) { /* More than one consequitive space? */ if (xisspace(p[1])) return 0; /* or odd space type character used? */ if (p[0] != ' ') return 0; } p++; } /* Trailing whitespace? */ if (xisspace(p[0])) return 0; return 1; } int main(int argc, char **argv) { char buf[1024]; char *user, *passwd; char ldapServer[32]; int tryagain; int port = LDAP_PORT; setbuf(stdout, NULL); if (argc > 2) { strncpy(ldapServer,argv[2],31); debug++; } else if(argc==2) { strncpy(ldapServer,argv[1],31); } else { fprintf(stderr, "Usage: " PROGRAM_NAME " [-d] ldap_server_name\n"); exit(1); } while (fgets(buf, sizeof(buf), stdin) != NULL) { user = strtok(buf, " \r\n"); passwd = strtok(NULL, "\r\n"); if (!user || !passwd || !passwd[0]) { printf("ERR\n"); continue; } if (debug) fprintf(stderr, "User: %s Password: %s \n",user,passwd ); rfc1738_unescape(user); rfc1738_unescape(passwd); if (!validUsername(user)) { printf("ERR Bad user name\n"); continue; } if(checkcache(user,passwd)>=0) { if (debug) fprintf(stderr, "User %s found in cache\n",user ); printf("OK\n"); continue; } if (checkLDAP(user, passwd, ldapServer, port) != 0) { printf("ERR\n"); } else { printf("OK\n"); if(cached>=MAX_USERS) continue; strncpy(users[cached].name,user,15); strncpy(users[cached].pwtext,passwd,15); cached++; } } return 0; } |