2 * Copyright (c) 2001-2009 Proofpoint, Inc. and its suppliers.
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
10 /* some "deprecated" calls are used, e.g., ldap_get_values() */
11 #define LDAP_DEPRECATED 1
14 SM_RCSID("@(#)$Id: ldap.c,v 1.86 2013-11-22 20:51:43 ca Exp $")
17 # include <sys/types.h>
23 # include <sm/bitops.h>
24 # include <sm/clock.h>
26 # include <sm/debug.h>
27 # include <sm/errstring.h>
29 # include <sm/string.h>
31 # undef EX_OK /* for SVr4.2 SMP */
33 # include <sm/sysexits.h>
35 SM_DEBUG_T SmLDAPTrace = SM_DEBUG_INITIALIZER("sm_trace_ldap",
36 "@(#)$Debug: sm_trace_ldap - trace LDAP operations $");
38 static bool sm_ldap_has_objectclass __P((SM_LDAP_STRUCT *, LDAPMessage *, char *));
39 static SM_LDAP_RECURSE_ENTRY *sm_ldap_add_recurse __P((SM_LDAP_RECURSE_LIST **, char *, int, SM_RPOOL_T *));
42 ** SM_LDAP_CLEAR -- set default values for SM_LDAP_STRUCT
45 ** lmap -- pointer to SM_LDAP_STRUCT to clear
53 # if defined(LDAP_VERSION_MAX) && _FFR_LDAP_VERSION > LDAP_VERSION_MAX
54 ERROR FFR_LDAP_VERSION > _LDAP_VERSION_MAX
56 # if defined(LDAP_VERSION_MIN) && _FFR_LDAP_VERSION < LDAP_VERSION_MIN
57 ERROR FFR_LDAP_VERSION < _LDAP_VERSION_MIN
59 # define SM_LDAP_VERSION_DEFAULT _FFR_LDAP_VERSION
60 #else /* _FFR_LDAP_VERSION */
61 # define SM_LDAP_VERSION_DEFAULT 0
62 #endif /* _FFR_LDAP_VERSION */
71 lmap->ldap_host = NULL;
72 lmap->ldap_port = LDAP_PORT;
73 lmap->ldap_uri = NULL;
74 lmap->ldap_version = SM_LDAP_VERSION_DEFAULT;
75 lmap->ldap_deref = LDAP_DEREF_NEVER;
76 lmap->ldap_timelimit = LDAP_NO_LIMIT;
77 lmap->ldap_sizelimit = LDAP_NO_LIMIT;
78 # ifdef LDAP_REFERRALS
79 lmap->ldap_options = LDAP_OPT_REFERRALS;
81 lmap->ldap_options = 0;
83 lmap->ldap_attrsep = '\0';
84 lmap->ldap_binddn = NULL;
85 lmap->ldap_secret = NULL;
86 lmap->ldap_method = LDAP_AUTH_SIMPLE;
87 lmap->ldap_base = NULL;
88 lmap->ldap_scope = LDAP_SCOPE_SUBTREE;
89 lmap->ldap_attrsonly = LDAPMAP_FALSE;
90 lmap->ldap_timeout.tv_sec = 0;
91 lmap->ldap_timeout.tv_usec = 0;
93 lmap->ldap_filter = NULL;
94 lmap->ldap_attr[0] = NULL;
95 lmap->ldap_attr_type[0] = SM_LDAP_ATTR_NONE;
96 lmap->ldap_attr_needobjclass[0] = NULL;
97 lmap->ldap_res = NULL;
98 lmap->ldap_next = NULL;
100 lmap->ldap_multi_args = false;
103 # if _FFR_SM_LDAP_DBG && defined(LBER_OPT_LOG_PRINT_FN)
104 static void ldap_debug_cb __P((const char *msg));
110 if (sm_debug_active(&SmLDAPTrace, 4))
111 sm_dprintf("%s", msg);
113 # endif /* _FFR_SM_LDAP_DBG && defined(LBER_OPT_LOG_PRINT_FN) */
116 # if LDAP_NETWORK_TIMEOUT && defined(LDAP_OPT_NETWORK_TIMEOUT)
117 # define SET_LDAP_TMO(ld, lmap) \
120 if (lmap->ldap_networktmo > 0) \
122 struct timeval tmo; \
124 if (sm_debug_active(&SmLDAPTrace, 9)) \
125 sm_dprintf("ldap_networktmo=%d\n", \
126 lmap->ldap_networktmo); \
127 tmo.tv_sec = lmap->ldap_networktmo; \
129 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tmo); \
132 # else /* LDAP_NETWORK_TIMEOUT && defined(LDAP_OPT_NETWORK_TIMEOUT) */
133 # define SET_LDAP_TMO(ld, lmap)
134 # endif /* LDAP_NETWORK_TIMEOUT && defined(LDAP_OPT_NETWORK_TIMEOUT) */
137 ** SM_LDAP_SETOPTSG -- set some (global) LDAP options
140 ** lmap -- LDAP map information
147 # if _FFR_SM_LDAP_DBG
148 static bool dbg_init = false;
150 # if SM_CONF_LDAP_INITIALIZE
151 static void sm_ldap_setoptsg __P((SM_LDAP_STRUCT *lmap));
153 sm_ldap_setoptsg(lmap)
154 SM_LDAP_STRUCT *lmap;
156 # if USE_LDAP_SET_OPTION
158 SET_LDAP_TMO(NULL, lmap);
160 # if _FFR_SM_LDAP_DBG
161 if (!dbg_init && sm_debug_active(&SmLDAPTrace, 1) &&
162 lmap->ldap_debug != 0)
165 # if defined(LBER_OPT_LOG_PRINT_FN)
166 r = ber_set_option(NULL, LBER_OPT_LOG_PRINT_FN, ldap_debug_cb);
168 if (sm_debug_active(&SmLDAPTrace, 9))
169 sm_dprintf("ldap_debug0=%d\n", lmap->ldap_debug);
170 r = ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL,
171 &(lmap->ldap_debug));
172 if (sm_debug_active(&SmLDAPTrace, 9) && r != LDAP_OPT_SUCCESS)
173 sm_dprintf("ber_set_option=%d\n", r);
174 r = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL,
175 &(lmap->ldap_debug));
176 if (sm_debug_active(&SmLDAPTrace, 9) && r != LDAP_OPT_SUCCESS)
177 sm_dprintf("ldap_set_option=%d\n", r);
180 # endif /* _FFR_SM_LDAP_DBG */
181 # endif /* USE_LDAP_SET_OPTION */
183 # endif /* SM_CONF_LDAP_INITIALIZE */
186 ** SM_LDAP_SETOPTS -- set LDAP options
189 ** ld -- LDAP session handle
190 ** lmap -- LDAP map information
198 sm_ldap_setopts(ld, lmap)
200 SM_LDAP_STRUCT *lmap;
202 # if USE_LDAP_SET_OPTION
203 if (lmap->ldap_version != 0)
205 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
206 &lmap->ldap_version);
208 ldap_set_option(ld, LDAP_OPT_DEREF, &lmap->ldap_deref);
209 if (bitset(LDAP_OPT_REFERRALS, lmap->ldap_options))
210 ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
212 ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
213 ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &lmap->ldap_sizelimit);
214 ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &lmap->ldap_timelimit);
215 SET_LDAP_TMO(ld, lmap);
216 # if _FFR_SM_LDAP_DBG
217 if ((!dbg_init || ld != NULL) && sm_debug_active(&SmLDAPTrace, 1)
218 && lmap->ldap_debug > 0)
222 if (sm_debug_active(&SmLDAPTrace, 9))
223 sm_dprintf("ldap_debug=%d, dbg_init=%d\n",
224 lmap->ldap_debug, dbg_init);
225 r = ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL,
226 &(lmap->ldap_debug));
227 if (sm_debug_active(&SmLDAPTrace, 9) && r != LDAP_OPT_SUCCESS)
228 sm_dprintf("ldap_set_option=%d\n", r);
230 # endif /* _FFR_SM_LDAP_DBG */
231 # ifdef LDAP_OPT_RESTART
232 ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
235 # else /* USE_LDAP_SET_OPTION */
236 /* From here on in we can use ldap internal timelimits */
237 ld->ld_deref = lmap->ldap_deref;
238 ld->ld_options = lmap->ldap_options;
239 ld->ld_sizelimit = lmap->ldap_sizelimit;
240 ld->ld_timelimit = lmap->ldap_timelimit;
241 # endif /* USE_LDAP_SET_OPTION */
245 ** SM_LDAP_START -- actually connect to an LDAP server
248 ** name -- name of map for debug output.
249 ** lmap -- the LDAP map being opened.
252 ** true if connection is successful, false otherwise.
255 ** Populates lmap->ldap_ld.
258 # if !USE_LDAP_INIT || !LDAP_NETWORK_TIMEOUT
259 static jmp_buf LDAPTimeout;
260 static void ldaptimeout __P((int));
268 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD
269 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE
274 longjmp(LDAPTimeout, 1);
278 #define SM_LDAP_SETTIMEOUT(to, where) \
283 if (setjmp(LDAPTimeout) != 0) \
285 if (sm_debug_active(&SmLDAPTrace, 9)) \
286 sm_dprintf("ldap_settimeout(%s)=triggered\n",\
291 ev = sm_setevent(to, ldaptimeout, 0); \
295 #define SM_LDAP_CLEARTIMEOUT() \
301 #endif /* !USE_LDAP_INIT || !LDAP_NETWORK_TIMEOUT */
304 sm_ldap_start(name, lmap)
306 SM_LDAP_STRUCT *lmap;
310 # if !USE_LDAP_INIT || !LDAP_NETWORK_TIMEOUT
317 if (sm_debug_active(&SmLDAPTrace, 2))
318 sm_dprintf("ldapmap_start(%s)\n", name == NULL ? "" : name);
320 if (lmap->ldap_host != NULL)
321 id = lmap->ldap_host;
322 else if (lmap->ldap_uri != NULL)
327 if (sm_debug_active(&SmLDAPTrace, 9))
329 /* Don't print a port number for LDAP URIs */
330 if (lmap->ldap_uri != NULL)
331 sm_dprintf("ldapmap_start(%s)\n", id);
333 sm_dprintf("ldapmap_start(%s, %d)\n", id,
337 if (lmap->ldap_uri != NULL)
339 #if SM_CONF_LDAP_INITIALIZE
340 if (sm_debug_active(&SmLDAPTrace, 9))
341 sm_dprintf("ldap_initialize(%s)\n", lmap->ldap_uri);
342 /* LDAP server supports URIs so use them directly */
343 save_errno = ldap_initialize(&ld, lmap->ldap_uri);
344 if (sm_debug_active(&SmLDAPTrace, 9))
345 sm_dprintf("ldap_initialize(%s)=%d, ld=%p\n", lmap->ldap_uri, save_errno, ld);
346 sm_ldap_setoptsg(lmap);
348 #else /* SM_CONF_LDAP_INITIALIZE */
349 LDAPURLDesc *ludp = NULL;
351 /* Blast apart URL and use the ldap_init/ldap_open below */
352 err = ldap_url_parse(lmap->ldap_uri, &ludp);
355 errno = err + E_LDAPURLBASE;
358 lmap->ldap_host = sm_strdup_x(ludp->lud_host);
359 if (lmap->ldap_host == NULL)
362 ldap_free_urldesc(ludp);
366 lmap->ldap_port = ludp->lud_port;
367 ldap_free_urldesc(ludp);
368 #endif /* SM_CONF_LDAP_INITIALIZE */
374 if (sm_debug_active(&SmLDAPTrace, 9))
375 sm_dprintf("ldap_init(%s, %d)\n", lmap->ldap_host, lmap->ldap_port);
376 ld = ldap_init(lmap->ldap_host, lmap->ldap_port);
379 # else /* USE_LDAP_INIT */
381 ** If using ldap_open(), the actual connection to the server
382 ** happens now so we need the timeout here. For ldap_init(),
383 ** the connection happens at bind time.
386 if (sm_debug_active(&SmLDAPTrace, 9))
387 sm_dprintf("ldap_open(%s, %d)\n", lmap->ldap_host, lmap->ldap_port);
389 SM_LDAP_SETTIMEOUT(lmap->ldap_timeout.tv_sec, "ldap_open");
390 ld = ldap_open(lmap->ldap_host, lmap->ldap_port);
393 /* clear the event if it has not sprung */
394 SM_LDAP_CLEARTIMEOUT();
395 # endif /* USE_LDAP_INIT */
401 if (sm_debug_active(&SmLDAPTrace, 7))
402 sm_dprintf("FAIL: ldap_open(%s, %d)=%d\n", lmap->ldap_host, lmap->ldap_port, save_errno);
406 sm_ldap_setopts(ld, lmap);
407 # if USE_LDAP_INIT && !LDAP_NETWORK_TIMEOUT
409 ** If using ldap_init(), the actual connection to the server
410 ** happens at ldap_bind_s() so we need the timeout here.
413 SM_LDAP_SETTIMEOUT(lmap->ldap_timeout.tv_sec, "ldap_bind");
414 # endif /* USE_LDAP_INIT && !LDAP_NETWORK_TIMEOUT */
416 # ifdef LDAP_AUTH_KRBV4
417 if (lmap->ldap_method == LDAP_AUTH_KRBV4 &&
418 lmap->ldap_secret != NULL)
421 ** Need to put ticket in environment here instead of
422 ** during parseargs as there may be different tickets
423 ** for different LDAP connections.
426 (void) putenv(lmap->ldap_secret);
428 # endif /* LDAP_AUTH_KRBV4 */
430 # if LDAP_NETWORK_TIMEOUT
431 tmo.tv_sec = lmap->ldap_networktmo;
433 tmo.tv_sec = lmap->ldap_timeout.tv_sec;
437 if (sm_debug_active(&SmLDAPTrace, 9))
438 sm_dprintf("ldap_bind(%s)\n", lmap->ldap_uri);
440 msgid = ldap_bind(ld, lmap->ldap_binddn, lmap->ldap_secret,
443 if (sm_debug_active(&SmLDAPTrace, 9))
444 sm_dprintf("ldap_bind(%s)=%d, errno=%d, tmo=%ld\n",
445 lmap->ldap_uri, msgid, save_errno,
454 r = ldap_result(ld, msgid, LDAP_MSG_ALL,
455 tmo.tv_sec == 0 ? NULL : &(tmo), &(lmap->ldap_res));
456 if (sm_debug_active(&SmLDAPTrace, 9))
457 sm_dprintf("ldap_result(%s)=%d, errno=%d\n", lmap->ldap_uri, r, errno);
462 save_errno = ETIMEDOUT;
466 r = ldap_parse_result(ld, lmap->ldap_res, &err, NULL, NULL, NULL, NULL,
468 if (sm_debug_active(&SmLDAPTrace, 9))
469 sm_dprintf("ldap_parse_result(%s)=%d, err=%d\n", lmap->ldap_uri, r, err);
470 if (r != LDAP_SUCCESS)
472 if (err != LDAP_SUCCESS)
478 # if USE_LDAP_INIT && !LDAP_NETWORK_TIMEOUT
479 /* clear the event if it has not sprung */
480 SM_LDAP_CLEARTIMEOUT();
481 if (sm_debug_active(&SmLDAPTrace, 9))
482 sm_dprintf("ldap_cleartimeout(%s)\n", lmap->ldap_uri);
483 # endif /* USE_LDAP_INIT && !LDAP_NETWORK_TIMEOUT */
485 if (r != LDAP_SUCCESS)
491 errno = r + E_LDAPBASE;
495 /* Save PID to make sure only this PID closes the LDAP connection */
496 lmap->ldap_pid = getpid();
502 ** SM_LDAP_SEARCH_M -- initiate multi-key LDAP search
504 ** Initiate an LDAP search, return the msgid.
505 ** The calling function must collect the results.
508 ** lmap -- LDAP map information
509 ** argv -- key vector of substitutions in LDAP filter
510 ** NOTE: argv must have SM_LDAP_ARGS elements to prevent
511 ** out of bound array references
514 ** <0 on failure (SM_LDAP_ERR*), msgid on success
519 sm_ldap_search_m(lmap, argv)
520 SM_LDAP_STRUCT *lmap;
525 char filter[LDAPMAP_MAX_FILTER + 1];
527 SM_REQUIRE(lmap != NULL);
528 SM_REQUIRE(argv != NULL);
529 SM_REQUIRE(argv[0] != NULL);
531 memset(filter, '\0', sizeof filter);
533 p = lmap->ldap_filter;
534 while ((q = strchr(p, '%')) != NULL)
538 if (lmap->ldap_multi_args)
540 #if SM_LDAP_ARGS < 10
541 # ERROR _SM_LDAP_ARGS must be 10
542 #endif /* SM_LDAP_ARGS < 10 */
545 else if (q[1] >= '0' && q[1] <= '9')
547 key = argv[q[1] - '0'];
550 # if SM_LDAP_ERROR_ON_MISSING_ARGS
551 return SM_LDAP_ERR_ARG_MISS;
552 # else /* SM_LDAP_ERROR_ON_MISSING_ARGS */
554 # endif /* SM_LDAP_ERROR_ON_MISSING_ARGS */
565 (void) sm_snprintf(fp, SPACELEFT(filter, fp),
566 "%.*s%s", (int) (q - p), p, key);
570 else if (q[1] == '0' ||
571 (lmap->ldap_multi_args && q[1] >= '0' && q[1] <= '9'))
575 (void) sm_snprintf(fp, SPACELEFT(filter, fp),
576 "%.*s", (int) (q - p), p);
580 /* Properly escape LDAP special characters */
581 while (SPACELEFT(filter, fp) > 0 &&
584 if (*k == '*' || *k == '(' ||
585 *k == ')' || *k == '\\')
587 (void) sm_strlcat(fp,
588 (*k == '*' ? "\\2A" :
589 (*k == '(' ? "\\28" :
590 (*k == ')' ? "\\29" :
591 (*k == '\\' ? "\\5C" :
593 SPACELEFT(filter, fp));
603 (void) sm_snprintf(fp, SPACELEFT(filter, fp),
604 "%.*s", (int) (q - p + 1), p);
605 p = q + (q[1] == '%' ? 2 : 1);
609 (void) sm_strlcpy(fp, p, SPACELEFT(filter, fp));
610 if (sm_debug_active(&SmLDAPTrace, 20))
611 sm_dprintf("ldap search filter=%s\n", filter);
613 lmap->ldap_res = NULL;
614 msgid = ldap_search(lmap->ldap_ld, lmap->ldap_base,
615 lmap->ldap_scope, filter,
616 (lmap->ldap_attr[0] == NULL ? NULL :
618 lmap->ldap_attrsonly);
623 ** SM_LDAP_SEARCH -- initiate LDAP search
625 ** Initiate an LDAP search, return the msgid.
626 ** The calling function must collect the results.
627 ** Note this is just a wrapper into sm_ldap_search_m()
630 ** lmap -- LDAP map information
631 ** key -- key to substitute in LDAP filter
634 ** <0 on failure, msgid on success
639 sm_ldap_search(lmap, key)
640 SM_LDAP_STRUCT *lmap;
643 char *argv[SM_LDAP_ARGS];
645 memset(argv, '\0', sizeof argv);
647 return sm_ldap_search_m(lmap, argv);
651 ** SM_LDAP_HAS_OBJECTCLASS -- determine if an LDAP entry is part of a
652 ** particular objectClass
655 ** lmap -- pointer to SM_LDAP_STRUCT in use
656 ** entry -- current LDAP entry struct
657 ** ocvalue -- particular objectclass in question.
658 ** may be of form (fee|foo|fum) meaning
659 ** any entry can be part of either fee,
660 ** foo or fum objectclass
663 ** true if item has that objectClass
667 sm_ldap_has_objectclass(lmap, entry, ocvalue)
668 SM_LDAP_STRUCT *lmap;
678 vals = ldap_get_values(lmap->ldap_ld, entry, "objectClass");
682 for (i = 0; vals[i] != NULL; i++)
690 while (*p != '\0' && *p != '|')
693 if ((p - q) == strlen(vals[i]) &&
694 sm_strncasecmp(vals[i], q, p - q) == 0)
696 ldap_value_free(vals);
706 ldap_value_free(vals);
711 ** SM_LDAP_RESULTS -- return results from an LDAP lookup in result
714 ** lmap -- pointer to SM_LDAP_STRUCT in use
715 ** msgid -- msgid returned by sm_ldap_search()
716 ** flags -- flags for the lookup
717 ** delim -- delimiter for result concatenation
718 ** rpool -- memory pool for storage
719 ** result -- return string
720 ** recurse -- recursion list
726 # define SM_LDAP_ERROR_CLEANUP() \
728 if (lmap->ldap_res != NULL) \
730 ldap_msgfree(lmap->ldap_res); \
731 lmap->ldap_res = NULL; \
733 (void) ldap_abandon(lmap->ldap_ld, msgid); \
736 static SM_LDAP_RECURSE_ENTRY *
737 sm_ldap_add_recurse(top, item, type, rpool)
738 SM_LDAP_RECURSE_LIST **top;
750 SM_LDAP_RECURSE_ENTRY *newe;
751 SM_LDAP_RECURSE_ENTRY **olddata;
754 ** This code will maintain a list of
755 ** SM_LDAP_RECURSE_ENTRY structures
756 ** in ascending order.
761 /* Allocate an initial SM_LDAP_RECURSE_LIST struct */
762 *top = sm_rpool_malloc_x(rpool, sizeof **top);
764 (*top)->lrl_size = 0;
765 (*top)->lrl_data = NULL;
768 if ((*top)->lrl_cnt >= (*top)->lrl_size)
770 /* Grow the list of SM_LDAP_RECURSE_ENTRY ptrs */
771 olddata = (*top)->lrl_data;
772 if ((*top)->lrl_size == 0)
775 (*top)->lrl_size = 256;
779 oldsizeb = (*top)->lrl_size * sizeof *((*top)->lrl_data);
780 (*top)->lrl_size *= 2;
782 (*top)->lrl_data = sm_rpool_malloc_x(rpool,
783 (*top)->lrl_size * sizeof *((*top)->lrl_data));
785 memcpy((*top)->lrl_data, olddata, oldsizeb);
789 ** Binary search/insert item:type into list.
790 ** Return current entry pointer if already exists.
794 m = (*top)->lrl_cnt - 1;
800 while (insertat == -1)
804 rc = sm_strcasecmp(item, (*top)->lrl_data[p]->lr_search);
806 rc = type - (*top)->lrl_data[p]->lr_type;
813 return (*top)->lrl_data[p];
817 else if (n >= (*top)->lrl_cnt)
818 insertat = (*top)->lrl_cnt;
824 ** Not found in list, make room
825 ** at insert point and add it.
828 newe = sm_rpool_malloc_x(rpool, sizeof *newe);
831 moveb = ((*top)->lrl_cnt - insertat) * sizeof *((*top)->lrl_data);
833 memmove(&((*top)->lrl_data[insertat + 1]),
834 &((*top)->lrl_data[insertat]),
837 newe->lr_search = sm_rpool_strdup_x(rpool, item);
838 newe->lr_type = type;
839 newe->lr_ludp = NULL;
840 newe->lr_attrs = NULL;
841 newe->lr_done = false;
843 ((*top)->lrl_data)[insertat] = newe;
850 sm_ldap_results(lmap, msgid, flags, delim, rpool, result,
851 resultln, resultsz, recurse)
852 SM_LDAP_STRUCT *lmap;
860 SM_LDAP_RECURSE_LIST *recurse;
869 SM_LDAP_RECURSE_ENTRY *rl;
871 /* Are we the top top level of the search? */
872 toplevel = (recurse == NULL);
876 while ((ret = ldap_result(lmap->ldap_ld, msgid, 0,
877 (lmap->ldap_timeout.tv_sec == 0 ? NULL :
878 &(lmap->ldap_timeout)),
879 &(lmap->ldap_res))) == LDAP_RES_SEARCH_ENTRY)
883 /* If we don't want multiple values and we have one, break */
884 if ((char) delim == '\0' &&
885 !bitset(SM_LDAP_SINGLEMATCH, flags) &&
889 /* Cycle through all entries */
890 for (entry = ldap_first_entry(lmap->ldap_ld, lmap->ldap_res);
892 entry = ldap_next_entry(lmap->ldap_ld, lmap->ldap_res))
900 ** If matching only and found an entry,
901 ** no need to spin through attributes
904 if (bitset(SM_LDAP_MATCHONLY, flags))
910 #if _FFR_LDAP_SINGLEDN
911 if (bitset(SM_LDAP_SINGLEDN, flags) && *result != NULL)
913 /* only wanted one match */
914 SM_LDAP_ERROR_CLEANUP();
918 #endif /* _FFR_LDAP_SINGLEDN */
920 /* record completed DN's to prevent loops */
921 dn = ldap_get_dn(lmap->ldap_ld, entry);
924 save_errno = sm_ldap_geterrno(lmap->ldap_ld);
925 save_errno += E_LDAPBASE;
926 SM_LDAP_ERROR_CLEANUP();
931 rl = sm_ldap_add_recurse(&recurse, dn,
938 SM_LDAP_ERROR_CLEANUP();
942 else if (rl->lr_done)
944 /* already on list, skip it */
950 # if !defined(LDAP_VERSION_MAX) && !defined(LDAP_OPT_SIZELIMIT)
952 ** Reset value to prevent lingering
953 ** LDAP_DECODING_ERROR due to
954 ** OpenLDAP 1.X's hack (see below)
957 lmap->ldap_ld->ld_errno = LDAP_SUCCESS;
958 # endif /* !defined(LDAP_VERSION_MAX) !defined(LDAP_OPT_SIZELIMIT) */
960 for (attr = ldap_first_attribute(lmap->ldap_ld, entry,
963 attr = ldap_next_attribute(lmap->ldap_ld, entry,
968 char *needobjclass = NULL;
970 type = SM_LDAP_ATTR_NONE;
971 for (i = 0; lmap->ldap_attr[i] != NULL; i++)
973 if (sm_strcasecmp(lmap->ldap_attr[i],
976 type = lmap->ldap_attr_type[i];
977 needobjclass = lmap->ldap_attr_needobjclass[i];
982 if (bitset(SM_LDAP_USE_ALLATTR, flags) &&
983 type == SM_LDAP_ATTR_NONE)
985 /* URL lookups specify attrs to use */
986 type = SM_LDAP_ATTR_NORMAL;
990 if (type == SM_LDAP_ATTR_NONE)
992 /* attribute not requested */
994 SM_LDAP_ERROR_CLEANUP();
1000 ** For recursion on a particular attribute,
1001 ** we may need to see if this entry is
1002 ** part of a particular objectclass.
1003 ** Also, ignore objectClass attribute.
1004 ** Otherwise we just ignore this attribute.
1007 if (type == SM_LDAP_ATTR_OBJCLASS ||
1008 (needobjclass != NULL &&
1009 !sm_ldap_has_objectclass(lmap, entry,
1016 if (lmap->ldap_attrsonly == LDAPMAP_FALSE)
1018 vals = ldap_get_values(lmap->ldap_ld,
1023 save_errno = sm_ldap_geterrno(lmap->ldap_ld);
1024 if (save_errno == LDAP_SUCCESS)
1030 /* Must be an error */
1031 save_errno += E_LDAPBASE;
1033 SM_LDAP_ERROR_CLEANUP();
1041 # if !defined(LDAP_VERSION_MAX) && !defined(LDAP_OPT_SIZELIMIT)
1043 ** Reset value to prevent lingering
1044 ** LDAP_DECODING_ERROR due to
1045 ** OpenLDAP 1.X's hack (see below)
1048 lmap->ldap_ld->ld_errno = LDAP_SUCCESS;
1049 # endif /* !defined(LDAP_VERSION_MAX) !defined(LDAP_OPT_SIZELIMIT) */
1052 ** If matching only,
1053 ** no need to spin through entries
1056 if (bitset(SM_LDAP_MATCHONLY, flags))
1058 if (lmap->ldap_attrsonly == LDAPMAP_FALSE)
1059 ldap_value_free(vals);
1065 ** If we don't want multiple values,
1066 ** return first found.
1069 if ((char) delim == '\0')
1071 if (*result != NULL)
1073 /* already have a value */
1074 if (bitset(SM_LDAP_SINGLEMATCH,
1077 /* only wanted one match */
1078 SM_LDAP_ERROR_CLEANUP();
1085 if (lmap->ldap_attrsonly == LDAPMAP_TRUE)
1087 *result = sm_rpool_strdup_x(rpool,
1093 if (vals[0] == NULL)
1095 ldap_value_free(vals);
1100 vsize = strlen(vals[0]) + 1;
1101 if (lmap->ldap_attrsep != '\0')
1102 vsize += strlen(attr) + 1;
1103 *result = sm_rpool_malloc_x(rpool,
1105 if (lmap->ldap_attrsep != '\0')
1106 sm_snprintf(*result, vsize,
1112 sm_strlcpy(*result, vals[0],
1114 ldap_value_free(vals);
1119 /* attributes only */
1120 if (lmap->ldap_attrsonly == LDAPMAP_TRUE)
1122 if (*result == NULL)
1123 *result = sm_rpool_strdup_x(rpool,
1127 if (bitset(SM_LDAP_SINGLEMATCH,
1131 /* only wanted one match */
1132 SM_LDAP_ERROR_CLEANUP();
1137 vsize = strlen(*result) +
1139 tmp = sm_rpool_malloc_x(rpool,
1141 (void) sm_snprintf(tmp,
1143 *result, (char) delim,
1152 ** If there is more than one, munge then
1153 ** into a map_coldelim separated string.
1154 ** If we are recursing we may have an entry
1155 ** with no 'normal' values to put in the
1157 ** This is not an error.
1160 if (type == SM_LDAP_ATTR_NORMAL &&
1161 bitset(SM_LDAP_SINGLEMATCH, flags) &&
1164 /* only wanted one match */
1165 SM_LDAP_ERROR_CLEANUP();
1171 for (i = 0; vals[i] != NULL; i++)
1173 if (type == SM_LDAP_ATTR_DN ||
1174 type == SM_LDAP_ATTR_FILTER ||
1175 type == SM_LDAP_ATTR_URL)
1177 /* add to recursion */
1178 if (sm_ldap_add_recurse(&recurse,
1183 SM_LDAP_ERROR_CLEANUP();
1190 vsize += strlen(vals[i]) + 1;
1191 if (lmap->ldap_attrsep != '\0')
1192 vsize += strlen(attr) + 1;
1196 ** Create/Append to string any normal
1197 ** attribute values. Otherwise, just free
1198 ** memory and move on to the next
1199 ** attribute in this entry.
1202 if (type == SM_LDAP_ATTR_NORMAL && vsize > 0)
1206 /* Grow result string if needed */
1207 if ((*resultln + vsize) >= *resultsz)
1209 while ((*resultln + vsize) >= *resultsz)
1217 vp_tmp = sm_rpool_malloc_x(rpool, *resultsz);
1220 if (*result != NULL)
1227 p = *result + *resultln;
1228 pe = *result + *resultsz;
1230 for (i = 0; vals[i] != NULL; i++)
1232 if (*resultln > 0 &&
1234 *p++ = (char) delim;
1236 if (lmap->ldap_attrsep != '\0')
1238 p += sm_strlcpy(p, attr,
1241 *p++ = lmap->ldap_attrsep;
1244 p += sm_strlcpy(p, vals[i],
1246 *resultln = p - (*result);
1249 /* Internal error: buffer too small for LDAP values */
1250 SM_LDAP_ERROR_CLEANUP();
1257 ldap_value_free(vals);
1260 save_errno = sm_ldap_geterrno(lmap->ldap_ld);
1263 ** We check save_errno != LDAP_DECODING_ERROR since
1264 ** OpenLDAP 1.X has a very ugly *undocumented*
1265 ** hack of returning this error code from
1266 ** ldap_next_attribute() if the library freed the
1267 ** ber attribute. See:
1268 ** http://www.openldap.org/lists/openldap-devel/9901/msg00064.html
1271 if (save_errno != LDAP_SUCCESS &&
1272 save_errno != LDAP_DECODING_ERROR)
1274 /* Must be an error */
1275 save_errno += E_LDAPBASE;
1276 SM_LDAP_ERROR_CLEANUP();
1281 /* mark this DN as done */
1283 if (rl->lr_ludp != NULL)
1285 ldap_free_urldesc(rl->lr_ludp);
1288 if (rl->lr_attrs != NULL)
1291 rl->lr_attrs = NULL;
1294 /* We don't want multiple values and we have one */
1295 if ((char) delim == '\0' &&
1296 !bitset(SM_LDAP_SINGLEMATCH, flags) &&
1300 save_errno = sm_ldap_geterrno(lmap->ldap_ld);
1301 if (save_errno != LDAP_SUCCESS &&
1302 save_errno != LDAP_DECODING_ERROR)
1304 /* Must be an error */
1305 save_errno += E_LDAPBASE;
1306 SM_LDAP_ERROR_CLEANUP();
1310 ldap_msgfree(lmap->ldap_res);
1311 lmap->ldap_res = NULL;
1315 save_errno = ETIMEDOUT;
1316 else if (ret == LDAP_RES_SEARCH_RESULT)
1319 ** We may have gotten an LDAP_RES_SEARCH_RESULT response
1320 ** with an error inside it, so we have to extract that
1321 ** with ldap_parse_result(). This can happen when talking
1322 ** to an LDAP proxy whose backend has gone down.
1325 if (lmap->ldap_res == NULL)
1326 save_errno = LDAP_UNAVAILABLE;
1331 save_errno = ldap_parse_result(lmap->ldap_ld,
1332 lmap->ldap_res, &rc, NULL, NULL,
1334 if (save_errno == LDAP_SUCCESS)
1339 save_errno = sm_ldap_geterrno(lmap->ldap_ld);
1340 if (save_errno != LDAP_SUCCESS)
1342 statp = EX_TEMPFAIL;
1345 #ifdef LDAP_SERVER_DOWN
1346 case LDAP_SERVER_DOWN:
1347 #endif /* LDAP_SERVER_DOWN */
1350 case LDAP_UNAVAILABLE:
1353 ** server disappeared,
1354 ** try reopen on next search
1361 save_errno += E_LDAPBASE;
1362 SM_LDAP_ERROR_CLEANUP();
1367 if (lmap->ldap_res != NULL)
1369 ldap_msgfree(lmap->ldap_res);
1370 lmap->ldap_res = NULL;
1378 ** Spin through the built-up recurse list at the top
1379 ** of the recursion. Since new items are added at the
1380 ** end of the shared list, we actually only ever get
1381 ** one level of recursion before things pop back to the
1382 ** top. Any items added to the list during that recursion
1383 ** will be expanded by the top level.
1386 for (rlidx = 0; recurse != NULL && rlidx < recurse->lrl_cnt;
1393 rl = recurse->lrl_data[rlidx];
1398 /* already expanded */
1402 if (rl->lr_type == SM_LDAP_ATTR_DN)
1405 sid = ldap_search(lmap->ldap_ld,
1409 (lmap->ldap_attr[0] == NULL ?
1410 NULL : lmap->ldap_attr),
1411 lmap->ldap_attrsonly);
1413 else if (rl->lr_type == SM_LDAP_ATTR_FILTER)
1416 sid = ldap_search(lmap->ldap_ld,
1420 (lmap->ldap_attr[0] == NULL ?
1421 NULL : lmap->ldap_attr),
1422 lmap->ldap_attrsonly);
1424 else if (rl->lr_type == SM_LDAP_ATTR_URL)
1427 sid = ldap_url_parse(rl->lr_search,
1432 errno = sid + E_LDAPURLBASE;
1436 /* We need to add objectClass */
1437 if (rl->lr_ludp->lud_attrs != NULL)
1441 while (rl->lr_ludp->lud_attrs[attrnum] != NULL)
1443 if (strcasecmp(rl->lr_ludp->lud_attrs[attrnum],
1444 "objectClass") == 0)
1446 /* already requested */
1457 rl->lr_attrs = (char **)malloc(sizeof(char *) * (attrnum + 2));
1458 if (rl->lr_attrs == NULL)
1461 ldap_free_urldesc(rl->lr_ludp);
1465 for (i = 0 ; i < attrnum; i++)
1467 rl->lr_attrs[i] = rl->lr_ludp->lud_attrs[i];
1469 rl->lr_attrs[i++] = "objectClass";
1470 rl->lr_attrs[i++] = NULL;
1475 ** Use the existing connection
1476 ** for this search. It really
1477 ** should use lud_scheme://lud_host:lud_port/
1478 ** instead but that would require
1479 ** opening a new connection.
1480 ** This should be fixed ASAP.
1483 sid = ldap_search(lmap->ldap_ld,
1484 rl->lr_ludp->lud_dn,
1485 rl->lr_ludp->lud_scope,
1486 rl->lr_ludp->lud_filter,
1488 lmap->ldap_attrsonly);
1490 /* Use the attributes specified by URL */
1491 newflags |= SM_LDAP_USE_ALLATTR;
1495 /* unknown or illegal attribute type */
1500 /* Collect results */
1503 save_errno = sm_ldap_geterrno(lmap->ldap_ld);
1504 statp = EX_TEMPFAIL;
1507 #ifdef LDAP_SERVER_DOWN
1508 case LDAP_SERVER_DOWN:
1509 #endif /* LDAP_SERVER_DOWN */
1512 case LDAP_UNAVAILABLE:
1515 ** server disappeared,
1516 ** try reopen on next search
1522 errno = save_errno + E_LDAPBASE;
1526 status = sm_ldap_results(lmap, sid, newflags, delim,
1527 rpool, result, resultln,
1530 if (status != EX_OK && status != EX_NOTFOUND)
1538 if (rl->lr_ludp != NULL)
1540 ldap_free_urldesc(rl->lr_ludp);
1543 if (rl->lr_attrs != NULL)
1546 rl->lr_attrs = NULL;
1549 /* Reset rlidx as new items may have been added */
1557 ** SM_LDAP_CLOSE -- close LDAP connection
1560 ** lmap -- LDAP map information
1569 SM_LDAP_STRUCT *lmap;
1571 if (lmap->ldap_ld == NULL)
1574 if (lmap->ldap_pid == getpid())
1575 ldap_unbind(lmap->ldap_ld);
1576 lmap->ldap_ld = NULL;
1580 ** SM_LDAP_GETERRNO -- get ldap errno value
1583 ** ld -- LDAP session handle
1591 sm_ldap_geterrno(ld)
1594 int err = LDAP_SUCCESS;
1596 # if defined(LDAP_VERSION_MAX) && LDAP_VERSION_MAX >= 3
1597 # ifdef LDAP_OPT_RESULT_CODE
1598 # define LDAP_GET_RESULT_CODE LDAP_OPT_RESULT_CODE
1600 # define LDAP_GET_RESULT_CODE LDAP_OPT_ERROR_NUMBER
1602 (void) ldap_get_option(ld, LDAP_GET_RESULT_CODE, &err);
1604 # ifdef LDAP_OPT_SIZELIMIT
1605 err = ldap_get_lderrno(ld, NULL, NULL);
1610 ** Reset value to prevent lingering LDAP_DECODING_ERROR due to
1611 ** OpenLDAP 1.X's hack (see above)
1614 ld->ld_errno = LDAP_SUCCESS;
1615 # endif /* LDAP_OPT_SIZELIMIT */
1616 # endif /* defined(LDAP_VERSION_MAX) && LDAP_VERSION_MAX >= 3 */
1619 # endif /* LDAPMAP */
projects / FreeBSD / FreeBSD.git / blob