1 /* Copyright 2001-2005 The Apache Software Foundation or its licensors, as
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * util_ldap.c: LDAP things
20 * Original code from auth_ldap module for Apache v1.3:
21 * Copyright 1998, 1999 Enbridge Pipelines Inc.
22 * Copyright 1999-2001 Dave Carrigan
26 #include "http_config.h"
27 #include "http_core.h"
29 #include "http_protocol.h"
30 #include "http_request.h"
31 #include "util_ldap.h"
32 #include "util_ldap_cache.h"
34 #include <apr_strings.h>
41 #error mod_ldap requires APR-util to have LDAP support built in
44 #ifdef AP_NEED_SET_MUTEX_PERMS
48 /* defines for certificate file types
50 #define LDAP_CA_TYPE_UNKNOWN 0
51 #define LDAP_CA_TYPE_DER 1
52 #define LDAP_CA_TYPE_BASE64 2
53 #define LDAP_CA_TYPE_CERT7_DB 3
56 module AP_MODULE_DECLARE_DATA ldap_module;
58 #define LDAP_CACHE_LOCK() do { \
59 if (st->util_ldap_cache_lock) \
60 apr_global_mutex_lock(st->util_ldap_cache_lock); \
63 #define LDAP_CACHE_UNLOCK() do { \
64 if (st->util_ldap_cache_lock) \
65 apr_global_mutex_unlock(st->util_ldap_cache_lock); \
68 static void util_ldap_strdup (char **str, const char *newstr)
76 *str = strdup(newstr);
84 * This handler generates a status page about the current performance of
85 * the LDAP cache. It is enabled as follows:
87 * <Location /ldap-status>
88 * SetHandler ldap-status
92 static int util_ldap_handler(request_rec *r)
94 util_ldap_state_t *st = (util_ldap_state_t *)
95 ap_get_module_config(r->server->module_config,
98 r->allowed |= (1 << M_GET);
99 if (r->method_number != M_GET)
102 if (strcmp(r->handler, "ldap-status")) {
106 r->content_type = "text/html";
110 ap_rputs(DOCTYPE_HTML_3_2
111 "<html><head><title>LDAP Cache Information</title></head>\n", r);
112 ap_rputs("<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information"
115 util_ald_cache_display(r, st);
120 /* ------------------------------------------------------------------ */
124 * Closes an LDAP connection by unlocking it. The next time
125 * uldap_connection_find() is called this connection will be
126 * available for reuse.
128 static void uldap_connection_close(util_ldap_connection_t *ldc)
134 * Is it safe leaving bound connections floating around between the
135 * different modules? Keeping the user bound is a performance boost,
136 * but it is also a potential security problem - maybe.
138 * For now we unbind the user when we finish with a connection, but
139 * we don't have to...
142 /* mark our connection as available for reuse */
145 apr_thread_mutex_unlock(ldc->lock);
151 * Destroys an LDAP connection by unbinding and closing the connection to
152 * the LDAP server. It is used to bring the connection back to a known
153 * state after an error, and during pool cleanup.
155 static apr_status_t uldap_connection_unbind(void *param)
157 util_ldap_connection_t *ldc = param;
161 ldap_unbind_s(ldc->ldap);
172 * Clean up an LDAP connection by unbinding and unlocking the connection.
173 * This function is registered with the pool cleanup function - causing
174 * the LDAP connections to be shut down cleanly on graceful restart.
176 static apr_status_t uldap_connection_cleanup(void *param)
178 util_ldap_connection_t *ldc = param;
182 /* unbind and disconnect from the LDAP server */
183 uldap_connection_unbind(ldc);
185 /* free the username and password */
187 free((void*)ldc->bindpw);
190 free((void*)ldc->binddn);
193 /* unlock this entry */
194 uldap_connection_close(ldc);
203 * Connect to the LDAP server and binds. Does not connect if already
204 * connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound.
206 * Returns LDAP_SUCCESS on success; and an error code on failure
208 static int uldap_connection_open(request_rec *r,
209 util_ldap_connection_t *ldc)
213 int version = LDAP_VERSION3;
214 apr_ldap_err_t *result = NULL;
215 struct timeval timeOut = {10,0}; /* 10 second connection timeout */
216 util_ldap_state_t *st =
217 (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
220 /* sanity check for NULL */
225 /* If the connection is already bound, return
229 ldc->reason = "LDAP: connection open successful (already bound)";
233 /* create the ldap session handle
235 if (NULL == ldc->ldap)
237 /* Since the host will include a port if the default port is not used,
238 * always specify the default ports for the port parameter. This will
239 * allow a host string that contains multiple hosts the ability to mix
240 * some hosts with ports and some without. All hosts which do not
241 * specify a port will use the default port.
243 apr_ldap_init(ldc->pool, &(ldc->ldap),
245 APR_LDAP_SSL == ldc->secure ? LDAPS_PORT : LDAP_PORT,
250 if (result != NULL && result->rc) {
251 ldc->reason = result->reason;
254 if (NULL == ldc->ldap)
257 if (NULL == ldc->reason) {
258 ldc->reason = "LDAP: ldap initialization failed";
261 ldc->reason = result->reason;
266 /* set client certificates */
267 if (!apr_is_empty_array(ldc->client_certs)) {
268 apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
269 ldc->client_certs, &(result));
270 if (LDAP_SUCCESS != result->rc) {
271 ldap_unbind_s(ldc->ldap);
274 ldc->reason = result->reason;
279 /* switch on SSL/TLS */
280 if (APR_LDAP_NONE != ldc->secure) {
281 apr_ldap_set_option(ldc->pool, ldc->ldap,
282 APR_LDAP_OPT_TLS, &ldc->secure, &(result));
283 if (LDAP_SUCCESS != result->rc) {
284 ldap_unbind_s(ldc->ldap);
287 ldc->reason = result->reason;
292 /* Set the alias dereferencing option */
293 ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
295 /* always default to LDAP V3 */
296 ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
298 /*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
299 #ifdef APR_LDAP_OPT_VERIFY_CERT
300 apr_ldap_set_option(ldc->pool, ldc->ldap,
301 APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result));
303 #if defined(LDAPSSL_VERIFY_SERVER)
304 if (st->verify_svr_cert) {
305 result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER);
308 result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE);
310 #elif defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
311 /* This is not a per-connection setting so just pass NULL for the
312 Ldap connection handle */
313 if (st->verify_svr_cert) {
314 int i = LDAP_OPT_X_TLS_DEMAND;
315 result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
318 int i = LDAP_OPT_X_TLS_NEVER;
319 result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
324 #ifdef LDAP_OPT_NETWORK_TIMEOUT
325 if (st->connectionTimeout > 0) {
326 timeOut.tv_sec = st->connectionTimeout;
329 if (st->connectionTimeout >= 0) {
330 rc = apr_ldap_set_option(ldc->pool, ldc->ldap, LDAP_OPT_NETWORK_TIMEOUT,
331 (void *)&timeOut, &(result));
332 if (APR_SUCCESS != rc) {
333 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
334 "LDAP: Could not set the connection timeout");
343 /* loop trying to bind up to 10 times if LDAP_SERVER_DOWN error is
344 * returned. Break out of the loop on Success or any other error.
346 * NOTE: Looping is probably not a great idea. If the server isn't
347 * responding the chances it will respond after a few tries are poor.
348 * However, the original code looped and it only happens on
349 * the error condition.
351 for (failures=0; failures<10; failures++)
353 rc = ldap_simple_bind_s(ldc->ldap,
355 (char *)ldc->bindpw);
356 if (LDAP_SERVER_DOWN != rc) {
361 /* free the handle if there was an error
363 if (LDAP_SUCCESS != rc)
365 ldap_unbind_s(ldc->ldap);
368 ldc->reason = "LDAP: ldap_simple_bind_s() failed";
372 ldc->reason = "LDAP: connection open successful";
380 * Compare client certificate arrays.
382 * Returns 1 on compare failure, 0 otherwise.
384 static int compare_client_certs(apr_array_header_t *srcs,
385 apr_array_header_t *dests)
388 struct apr_ldap_opt_tls_cert_t *src, *dest;
390 /* arrays both NULL? if so, then equal */
391 if (srcs == NULL && dests == NULL) {
395 /* arrays different length or either NULL? If so, then not equal */
396 if (srcs == NULL || dests == NULL || srcs->nelts != dests->nelts) {
400 /* run an actual comparison */
401 src = (struct apr_ldap_opt_tls_cert_t *)srcs->elts;
402 dest = (struct apr_ldap_opt_tls_cert_t *)dests->elts;
403 for (i = 0; i < srcs->nelts; i++) {
404 if (strcmp(src[i].path, dest[i].path) ||
405 strcmp(src[i].password, dest[i].password) ||
406 src[i].type != dest[i].type) {
411 /* if we got here, the cert arrays were identical */
418 * Find an existing ldap connection struct that matches the
419 * provided ldap connection parameters.
421 * If not found in the cache, a new ldc structure will be allocated
422 * from st->pool and returned to the caller. If found in the cache,
423 * a pointer to the existing ldc structure will be returned.
425 static util_ldap_connection_t *
426 uldap_connection_find(request_rec *r,
427 const char *host, int port,
428 const char *binddn, const char *bindpw,
429 deref_options deref, int secure)
431 struct util_ldap_connection_t *l, *p; /* To traverse the linked list */
432 int secureflag = secure;
434 util_ldap_state_t *st =
435 (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
440 /* mutex lock this function */
442 apr_thread_mutex_create(&st->mutex, APR_THREAD_MUTEX_DEFAULT,
445 apr_thread_mutex_lock(st->mutex);
448 if (secure < APR_LDAP_NONE) {
449 secureflag = st->secure;
452 /* Search for an exact connection match in the list that is not
455 for (l=st->connections,p=NULL; l; l=l->next) {
457 if (APR_SUCCESS == apr_thread_mutex_trylock(l->lock)) {
459 if ( (l->port == port) && (strcmp(l->host, host) == 0)
460 && ((!l->binddn && !binddn) || (l->binddn && binddn
461 && !strcmp(l->binddn, binddn)))
462 && ((!l->bindpw && !bindpw) || (l->bindpw && bindpw
463 && !strcmp(l->bindpw, bindpw)))
464 && (l->deref == deref) && (l->secure == secureflag)
465 && !compare_client_certs(st->client_certs, l->client_certs))
470 /* If this connection didn't match the criteria, then we
471 * need to unlock the mutex so it is available to be reused.
473 apr_thread_mutex_unlock(l->lock);
479 /* If nothing found, search again, but we don't care about the
480 * binddn and bindpw this time.
483 for (l=st->connections,p=NULL; l; l=l->next) {
485 if (APR_SUCCESS == apr_thread_mutex_trylock(l->lock)) {
488 if ((l->port == port) && (strcmp(l->host, host) == 0) &&
489 (l->deref == deref) && (l->secure == secureflag) &&
490 !compare_client_certs(st->client_certs, l->client_certs))
492 /* the bind credentials have changed */
494 util_ldap_strdup((char**)&(l->binddn), binddn);
495 util_ldap_strdup((char**)&(l->bindpw), bindpw);
499 /* If this connection didn't match the criteria, then we
500 * need to unlock the mutex so it is available to be reused.
502 apr_thread_mutex_unlock(l->lock);
509 /* artificially disable cache */
512 /* If no connection what found after the second search, we
518 * Add the new connection entry to the linked list. Note that we
519 * don't actually establish an LDAP connection yet; that happens
520 * the first time authentication is requested.
522 /* create the details to the pool in st */
523 l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t));
525 apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, st->pool);
526 apr_thread_mutex_lock(l->lock);
530 l->host = apr_pstrdup(st->pool, host);
533 util_ldap_strdup((char**)&(l->binddn), binddn);
534 util_ldap_strdup((char**)&(l->bindpw), bindpw);
536 /* The security mode after parsing the URL will always be either
537 * APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
538 * If the security setting is NONE, override it to the security
539 * setting optionally supplied by the admin using LDAPTrustedMode
541 l->secure = secureflag;
543 /* save away a copy of the client cert list that is presently valid */
544 l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);
546 /* add the cleanup to the pool */
547 apr_pool_cleanup_register(l->pool, l,
548 uldap_connection_cleanup,
549 apr_pool_cleanup_null);
560 apr_thread_mutex_unlock(st->mutex);
565 /* ------------------------------------------------------------------ */
568 * Compares two DNs to see if they're equal. The only way to do this correctly
569 * is to search for the dn and then do ldap_get_dn() on the result. This should
570 * match the initial dn, since it would have been also retrieved with
571 * ldap_get_dn(). This is expensive, so if the configuration value
572 * compare_dn_on_server is false, just does an ordinary strcmp.
574 * The lock for the ldap cache should already be acquired.
576 static int uldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
577 const char *url, const char *dn,
578 const char *reqdn, int compare_dn_on_server)
581 util_url_node_t *curl;
582 util_url_node_t curnode;
583 util_dn_compare_node_t *node;
584 util_dn_compare_node_t newnode;
586 LDAPMessage *res, *entry;
589 util_ldap_state_t *st = (util_ldap_state_t *)
590 ap_get_module_config(r->server->module_config,
593 /* get cache entry (or create one) */
597 curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
599 curl = util_ald_create_caches(st, url);
603 /* a simple compare? */
604 if (!compare_dn_on_server) {
605 /* unlock this read lock */
606 if (strcmp(dn, reqdn)) {
607 ldc->reason = "DN Comparison FALSE (direct strcmp())";
608 return LDAP_COMPARE_FALSE;
611 ldc->reason = "DN Comparison TRUE (direct strcmp())";
612 return LDAP_COMPARE_TRUE;
617 /* no - it's a server side compare */
620 /* is it in the compare cache? */
621 newnode.reqdn = (char *)reqdn;
622 node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode);
624 /* If it's in the cache, it's good */
625 /* unlock this read lock */
627 ldc->reason = "DN Comparison TRUE (cached)";
628 return LDAP_COMPARE_TRUE;
631 /* unlock this read lock */
636 if (failures++ > 10) {
637 /* too many failures */
641 /* make a server connection */
642 if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
643 /* connect to server failed */
647 /* search for reqdn */
648 if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
649 "(objectclass=*)", NULL, 1,
650 NULL, NULL, NULL, -1, &res))
653 ldc->reason = "DN Comparison ldap_search_ext_s() "
654 "failed with server down";
655 uldap_connection_unbind(ldc);
658 if (result != LDAP_SUCCESS) {
659 /* search for reqdn failed - no match */
660 ldc->reason = "DN Comparison ldap_search_ext_s() failed";
664 entry = ldap_first_entry(ldc->ldap, res);
665 searchdn = ldap_get_dn(ldc->ldap, entry);
668 if (strcmp(dn, searchdn) != 0) {
669 /* compare unsuccessful */
670 ldc->reason = "DN Comparison FALSE (checked on server)";
671 result = LDAP_COMPARE_FALSE;
675 /* compare successful - add to the compare cache */
677 newnode.reqdn = (char *)reqdn;
678 newnode.dn = (char *)dn;
680 node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode);
682 || (strcmp(reqdn, node->reqdn) != 0)
683 || (strcmp(dn, node->dn) != 0))
685 util_ald_cache_insert(curl->dn_compare_cache, &newnode);
689 ldc->reason = "DN Comparison TRUE (checked on server)";
690 result = LDAP_COMPARE_TRUE;
692 ldap_memfree(searchdn);
698 * Does an generic ldap_compare operation. It accepts a cache that it will use
699 * to lookup the compare in the cache. We cache two kinds of compares
700 * (require group compares) and (require user compares). Each compare has a different
701 * cache node: require group includes the DN; require user does not because the
702 * require user cache is owned by the
705 static int uldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
706 const char *url, const char *dn,
707 const char *attrib, const char *value)
710 util_url_node_t *curl;
711 util_url_node_t curnode;
712 util_compare_node_t *compare_nodep;
713 util_compare_node_t the_compare_node;
714 apr_time_t curtime = 0; /* silence gcc -Wall */
717 util_ldap_state_t *st = (util_ldap_state_t *)
718 ap_get_module_config(r->server->module_config,
721 /* get cache entry (or create one) */
724 curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
726 curl = util_ald_create_caches(st, url);
731 /* make a comparison to the cache */
733 curtime = apr_time_now();
735 the_compare_node.dn = (char *)dn;
736 the_compare_node.attrib = (char *)attrib;
737 the_compare_node.value = (char *)value;
738 the_compare_node.result = 0;
740 compare_nodep = util_ald_cache_fetch(curl->compare_cache,
743 if (compare_nodep != NULL) {
745 if (curtime - compare_nodep->lastcompare > st->compare_cache_ttl) {
746 /* ...but it is too old */
747 util_ald_cache_remove(curl->compare_cache, compare_nodep);
750 /* ...and it is good */
751 /* unlock this read lock */
753 if (LDAP_COMPARE_TRUE == compare_nodep->result) {
754 ldc->reason = "Comparison true (cached)";
755 return compare_nodep->result;
757 else if (LDAP_COMPARE_FALSE == compare_nodep->result) {
758 ldc->reason = "Comparison false (cached)";
759 return compare_nodep->result;
761 else if (LDAP_NO_SUCH_ATTRIBUTE == compare_nodep->result) {
762 ldc->reason = "Comparison no such attribute (cached)";
763 return compare_nodep->result;
766 ldc->reason = "Comparison undefined (cached)";
767 return compare_nodep->result;
771 /* unlock this read lock */
776 if (failures++ > 10) {
777 /* too many failures */
780 if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
785 if ((result = ldap_compare_s(ldc->ldap,
789 == LDAP_SERVER_DOWN) {
790 /* connection failed - try again */
791 ldc->reason = "ldap_compare_s() failed with server down";
792 uldap_connection_unbind(ldc);
796 ldc->reason = "Comparison complete";
797 if ((LDAP_COMPARE_TRUE == result) ||
798 (LDAP_COMPARE_FALSE == result) ||
799 (LDAP_NO_SUCH_ATTRIBUTE == result)) {
801 /* compare completed; caching result */
803 the_compare_node.lastcompare = curtime;
804 the_compare_node.result = result;
806 /* If the node doesn't exist then insert it, otherwise just update
807 * it with the last results
809 compare_nodep = util_ald_cache_fetch(curl->compare_cache,
811 if ( (compare_nodep == NULL)
812 || (strcmp(the_compare_node.dn, compare_nodep->dn) != 0)
813 || (strcmp(the_compare_node.attrib,compare_nodep->attrib) != 0)
814 || (strcmp(the_compare_node.value, compare_nodep->value) != 0))
816 util_ald_cache_insert(curl->compare_cache, &the_compare_node);
819 compare_nodep->lastcompare = curtime;
820 compare_nodep->result = result;
824 if (LDAP_COMPARE_TRUE == result) {
825 ldc->reason = "Comparison true (adding to cache)";
826 return LDAP_COMPARE_TRUE;
828 else if (LDAP_COMPARE_FALSE == result) {
829 ldc->reason = "Comparison false (adding to cache)";
830 return LDAP_COMPARE_FALSE;
833 ldc->reason = "Comparison no such attribute (adding to cache)";
834 return LDAP_NO_SUCH_ATTRIBUTE;
840 static int uldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
841 const char *url, const char *basedn,
842 int scope, char **attrs, const char *filter,
843 const char *bindpw, const char **binddn,
844 const char ***retvals)
846 const char **vals = NULL;
849 LDAPMessage *res, *entry;
853 util_url_node_t *curl; /* Cached URL node */
854 util_url_node_t curnode;
855 util_search_node_t *search_nodep; /* Cached search node */
856 util_search_node_t the_search_node;
859 util_ldap_state_t *st =
860 (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
863 /* Get the cache node for this url */
866 curl = (util_url_node_t *)util_ald_cache_fetch(st->util_ldap_cache,
869 curl = util_ald_create_caches(st, url);
875 the_search_node.username = filter;
876 search_nodep = util_ald_cache_fetch(curl->search_cache,
878 if (search_nodep != NULL) {
880 /* found entry in search cache... */
881 curtime = apr_time_now();
884 * Remove this item from the cache if its expired. If the sent
885 * password doesn't match the storepassword, the entry will
886 * be removed and readded later if the credentials pass
889 if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
890 /* ...but entry is too old */
891 util_ald_cache_remove(curl->search_cache, search_nodep);
893 else if ( (search_nodep->bindpw)
894 && (search_nodep->bindpw[0] != '\0')
895 && (strcmp(search_nodep->bindpw, bindpw) == 0))
897 /* ...and entry is valid */
898 *binddn = search_nodep->dn;
899 *retvals = search_nodep->vals;
901 ldc->reason = "Authentication successful (cached)";
905 /* unlock this read lock */
910 * At this point, there is no valid cached search, so lets do the search.
914 * If LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
917 if (failures++ > 10) {
920 if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
924 /* try do the search */
925 if ((result = ldap_search_ext_s(ldc->ldap,
926 (char *)basedn, scope,
927 (char *)filter, attrs, 0,
928 NULL, NULL, NULL, -1, &res))
931 ldc->reason = "ldap_search_ext_s() for user failed with server down";
932 uldap_connection_unbind(ldc);
936 /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
937 if (result != LDAP_SUCCESS) {
938 ldc->reason = "ldap_search_ext_s() for user failed";
943 * We should have found exactly one entry; to find a different
944 * number is an error.
946 count = ldap_count_entries(ldc->ldap, res);
950 ldc->reason = "User not found";
952 ldc->reason = "User is not unique (search found two "
955 return LDAP_NO_SUCH_OBJECT;
958 entry = ldap_first_entry(ldc->ldap, res);
960 /* Grab the dn, copy it into the pool, and free it again */
961 dn = ldap_get_dn(ldc->ldap, entry);
962 *binddn = apr_pstrdup(r->pool, dn);
966 * A bind to the server with an empty password always succeeds, so
967 * we check to ensure that the password is not empty. This implies
968 * that users who actually do have empty passwords will never be
969 * able to authenticate with this module. I don't see this as a big
972 if (!bindpw || strlen(bindpw) <= 0) {
974 ldc->reason = "Empty password not allowed";
975 return LDAP_INVALID_CREDENTIALS;
979 * Attempt to bind with the retrieved dn and the password. If the bind
980 * fails, it means that the password is wrong (the dn obviously
981 * exists, since we just retrieved it)
983 if ((result = ldap_simple_bind_s(ldc->ldap,
985 (char *)bindpw)) == LDAP_SERVER_DOWN) {
986 ldc->reason = "ldap_simple_bind_s() to check user credentials "
987 "failed with server down";
989 uldap_connection_unbind(ldc);
993 /* failure? if so - return */
994 if (result != LDAP_SUCCESS) {
995 ldc->reason = "ldap_simple_bind_s() to check user credentials failed";
997 uldap_connection_unbind(ldc);
1002 * We have just bound the connection to a different user and password
1003 * combination, which might be reused unintentionally next time this
1004 * connection is used from the connection pool. To ensure no confusion,
1005 * we mark the connection as unbound.
1011 * Get values for the provided attributes.
1017 vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
1024 values = ldap_get_values(ldc->ldap, entry, attrs[i]);
1025 while (values && values[j]) {
1026 str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL)
1027 : apr_pstrdup(r->pool, values[j]);
1030 ldap_value_free(values);
1038 * Add the new username to the search cache.
1042 the_search_node.username = filter;
1043 the_search_node.dn = *binddn;
1044 the_search_node.bindpw = bindpw;
1045 the_search_node.lastbind = apr_time_now();
1046 the_search_node.vals = vals;
1047 the_search_node.numvals = numvals;
1049 /* Search again to make sure that another thread didn't ready insert
1050 * this node into the cache before we got here. If it does exist then
1051 * update the lastbind
1053 search_nodep = util_ald_cache_fetch(curl->search_cache,
1055 if ((search_nodep == NULL) ||
1056 (strcmp(*binddn, search_nodep->dn) != 0)) {
1058 /* Nothing in cache, insert new entry */
1059 util_ald_cache_insert(curl->search_cache, &the_search_node);
1061 else if ((!search_nodep->bindpw) ||
1062 (strcmp(bindpw, search_nodep->bindpw) != 0)) {
1064 /* Entry in cache is invalid, remove it and insert new one */
1065 util_ald_cache_remove(curl->search_cache, search_nodep);
1066 util_ald_cache_insert(curl->search_cache, &the_search_node);
1069 /* Cache entry is valid, update lastbind */
1070 search_nodep->lastbind = the_search_node.lastbind;
1072 LDAP_CACHE_UNLOCK();
1076 ldc->reason = "Authentication successful";
1077 return LDAP_SUCCESS;
1081 * This function will return the DN of the entry matching userid.
1082 * It is used to get the DN in case some other module than mod_auth_ldap
1083 * has authenticated the user.
1084 * The function is basically a copy of uldap_cache_checkuserid
1085 * with password checking removed.
1087 static int uldap_cache_getuserdn(request_rec *r, util_ldap_connection_t *ldc,
1088 const char *url, const char *basedn,
1089 int scope, char **attrs, const char *filter,
1090 const char **binddn, const char ***retvals)
1092 const char **vals = NULL;
1095 LDAPMessage *res, *entry;
1099 util_url_node_t *curl; /* Cached URL node */
1100 util_url_node_t curnode;
1101 util_search_node_t *search_nodep; /* Cached search node */
1102 util_search_node_t the_search_node;
1105 util_ldap_state_t *st =
1106 (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
1109 /* Get the cache node for this url */
1112 curl = (util_url_node_t *)util_ald_cache_fetch(st->util_ldap_cache,
1115 curl = util_ald_create_caches(st, url);
1117 LDAP_CACHE_UNLOCK();
1121 the_search_node.username = filter;
1122 search_nodep = util_ald_cache_fetch(curl->search_cache,
1124 if (search_nodep != NULL) {
1126 /* found entry in search cache... */
1127 curtime = apr_time_now();
1130 * Remove this item from the cache if its expired.
1132 if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
1133 /* ...but entry is too old */
1134 util_ald_cache_remove(curl->search_cache, search_nodep);
1137 /* ...and entry is valid */
1138 *binddn = search_nodep->dn;
1139 *retvals = search_nodep->vals;
1140 LDAP_CACHE_UNLOCK();
1141 ldc->reason = "Search successful (cached)";
1142 return LDAP_SUCCESS;
1145 /* unlock this read lock */
1146 LDAP_CACHE_UNLOCK();
1150 * At this point, there is no valid cached search, so lets do the search.
1154 * If LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
1157 if (failures++ > 10) {
1160 if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
1164 /* try do the search */
1165 if ((result = ldap_search_ext_s(ldc->ldap,
1166 (char *)basedn, scope,
1167 (char *)filter, attrs, 0,
1168 NULL, NULL, NULL, -1, &res))
1169 == LDAP_SERVER_DOWN)
1171 ldc->reason = "ldap_search_ext_s() for user failed with server down";
1172 uldap_connection_unbind(ldc);
1176 /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
1177 if (result != LDAP_SUCCESS) {
1178 ldc->reason = "ldap_search_ext_s() for user failed";
1183 * We should have found exactly one entry; to find a different
1184 * number is an error.
1186 count = ldap_count_entries(ldc->ldap, res);
1190 ldc->reason = "User not found";
1192 ldc->reason = "User is not unique (search found two "
1195 return LDAP_NO_SUCH_OBJECT;
1198 entry = ldap_first_entry(ldc->ldap, res);
1200 /* Grab the dn, copy it into the pool, and free it again */
1201 dn = ldap_get_dn(ldc->ldap, entry);
1202 *binddn = apr_pstrdup(st->pool, dn);
1206 * Get values for the provided attributes.
1212 vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
1219 values = ldap_get_values(ldc->ldap, entry, attrs[i]);
1220 while (values && values[j]) {
1221 str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL)
1222 : apr_pstrdup(r->pool, values[j]);
1225 ldap_value_free(values);
1233 * Add the new username to the search cache.
1237 the_search_node.username = filter;
1238 the_search_node.dn = *binddn;
1239 the_search_node.bindpw = NULL;
1240 the_search_node.lastbind = apr_time_now();
1241 the_search_node.vals = vals;
1242 the_search_node.numvals = numvals;
1244 /* Search again to make sure that another thread didn't ready insert
1245 * this node into the cache before we got here. If it does exist then
1246 * update the lastbind
1248 search_nodep = util_ald_cache_fetch(curl->search_cache,
1250 if ((search_nodep == NULL) ||
1251 (strcmp(*binddn, search_nodep->dn) != 0)) {
1253 /* Nothing in cache, insert new entry */
1254 util_ald_cache_insert(curl->search_cache, &the_search_node);
1257 * Don't update lastbind on entries with bindpw because
1258 * we haven't verified that password. It's OK to update
1259 * the entry if there is no password in it.
1261 else if (!search_nodep->bindpw) {
1262 /* Cache entry is valid, update lastbind */
1263 search_nodep->lastbind = the_search_node.lastbind;
1265 LDAP_CACHE_UNLOCK();
1270 ldc->reason = "Search successful";
1271 return LDAP_SUCCESS;
1275 * Reports if ssl support is enabled
1277 * 1 = enabled, 0 = not enabled
1279 static int uldap_ssl_supported(request_rec *r)
1281 util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
1282 r->server->module_config, &ldap_module);
1284 return(st->ssl_supported);
1288 /* ---------------------------------------- */
1289 /* config directives */
1292 static const char *util_ldap_set_cache_bytes(cmd_parms *cmd, void *dummy,
1295 util_ldap_state_t *st =
1296 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1299 st->cache_bytes = atol(bytes);
1301 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1302 "[%" APR_PID_T_FMT "] ldap cache: Setting shared memory "
1303 " cache size to %" APR_SIZE_T_FMT " bytes.",
1304 getpid(), st->cache_bytes);
1309 static const char *util_ldap_set_cache_file(cmd_parms *cmd, void *dummy,
1312 util_ldap_state_t *st =
1313 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1317 st->cache_file = ap_server_root_relative(st->pool, file);
1320 st->cache_file = NULL;
1323 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1324 "LDAP cache: Setting shared memory cache file to %s bytes.",
1330 static const char *util_ldap_set_cache_ttl(cmd_parms *cmd, void *dummy,
1333 util_ldap_state_t *st =
1334 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1337 st->search_cache_ttl = atol(ttl) * 1000000;
1339 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1340 "[%d] ldap cache: Setting cache TTL to %ld microseconds.",
1341 getpid(), st->search_cache_ttl);
1346 static const char *util_ldap_set_cache_entries(cmd_parms *cmd, void *dummy,
1349 util_ldap_state_t *st =
1350 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1354 st->search_cache_size = atol(size);
1355 if (st->search_cache_size < 0) {
1356 st->search_cache_size = 0;
1359 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1360 "[%d] ldap cache: Setting search cache size to %ld entries.",
1361 getpid(), st->search_cache_size);
1366 static const char *util_ldap_set_opcache_ttl(cmd_parms *cmd, void *dummy,
1369 util_ldap_state_t *st =
1370 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1373 st->compare_cache_ttl = atol(ttl) * 1000000;
1375 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1376 "[%d] ldap cache: Setting operation cache TTL to %ld microseconds.",
1377 getpid(), st->compare_cache_ttl);
1382 static const char *util_ldap_set_opcache_entries(cmd_parms *cmd, void *dummy,
1385 util_ldap_state_t *st =
1386 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1389 st->compare_cache_size = atol(size);
1390 if (st->compare_cache_size < 0) {
1391 st->compare_cache_size = 0;
1394 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1395 "[%d] ldap cache: Setting operation cache size to %ld "
1396 "entries.", getpid(), st->compare_cache_size);
1403 * Parse the certificate type.
1405 * The type can be one of the following:
1406 * CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64,
1407 * CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, KEY_BASE64
1409 * If no matches are found, APR_LDAP_CA_TYPE_UNKNOWN is returned.
1411 static const int util_ldap_parse_cert_type(const char *type) {
1413 /* Authority file in binary DER format */
1414 if (0 == strcasecmp("CA_DER", type)) {
1415 return APR_LDAP_CA_TYPE_DER;
1418 /* Authority file in Base64 format */
1419 else if (0 == strcasecmp("CA_BASE64", type)) {
1420 return APR_LDAP_CA_TYPE_BASE64;
1423 /* Netscape certificate database file/directory */
1424 else if (0 == strcasecmp("CA_CERT7_DB", type)) {
1425 return APR_LDAP_CA_TYPE_CERT7_DB;
1428 /* Netscape secmod file/directory */
1429 else if (0 == strcasecmp("CA_SECMOD", type)) {
1430 return APR_LDAP_CA_TYPE_SECMOD;
1433 /* Client cert file in DER format */
1434 else if (0 == strcasecmp("CERT_DER", type)) {
1435 return APR_LDAP_CERT_TYPE_DER;
1438 /* Client cert file in Base64 format */
1439 else if (0 == strcasecmp("CERT_BASE64", type)) {
1440 return APR_LDAP_CERT_TYPE_BASE64;
1443 /* Client cert file in PKCS#12 format */
1444 else if (0 == strcasecmp("CERT_PFX", type)) {
1445 return APR_LDAP_CERT_TYPE_PFX;
1448 /* Netscape client cert database file/directory */
1449 else if (0 == strcasecmp("CERT_KEY3_DB", type)) {
1450 return APR_LDAP_CERT_TYPE_KEY3_DB;
1453 /* Netscape client cert nickname */
1454 else if (0 == strcasecmp("CERT_NICKNAME", type)) {
1455 return APR_LDAP_CERT_TYPE_NICKNAME;
1458 /* Client cert key file in DER format */
1459 else if (0 == strcasecmp("KEY_DER", type)) {
1460 return APR_LDAP_KEY_TYPE_DER;
1463 /* Client cert key file in Base64 format */
1464 else if (0 == strcasecmp("KEY_BASE64", type)) {
1465 return APR_LDAP_KEY_TYPE_BASE64;
1468 /* Client cert key file in PKCS#12 format */
1469 else if (0 == strcasecmp("KEY_PFX", type)) {
1470 return APR_LDAP_KEY_TYPE_PFX;
1474 return APR_LDAP_CA_TYPE_UNKNOWN;
1481 * Set LDAPTrustedGlobalCert.
1483 * This directive takes either two or three arguments:
1484 * - certificate type
1485 * - certificate file / directory / nickname
1486 * - certificate password (optional)
1488 * This directive may only be used globally.
1490 static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd,
1494 const char *password)
1496 util_ldap_state_t *st =
1497 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1499 const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
1503 apr_ldap_opt_tls_cert_t *cert;
1509 /* handle the certificate type */
1511 cert_type = util_ldap_parse_cert_type(type);
1512 if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
1513 return apr_psprintf(cmd->pool, "The certificate type %s is "
1514 "not recognised. It should be one "
1515 "of CA_DER, CA_BASE64, CA_CERT7_DB, "
1516 "CA_SECMOD, CERT_DER, CERT_BASE64, "
1517 "CERT_KEY3_DB, CERT_NICKNAME, "
1518 "KEY_DER, KEY_BASE64", type);
1522 return "Certificate type was not specified.";
1525 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1526 "LDAP: SSL trusted global cert - %s (type %s)",
1529 /* add the certificate to the global array */
1530 cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
1531 cert->type = cert_type;
1533 cert->password = password;
1535 /* if file is a file or path, fix the path */
1536 if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
1537 cert_type != APR_LDAP_CERT_TYPE_NICKNAME) {
1539 cert->path = ap_server_root_relative(cmd->pool, file);
1541 ((rv = apr_stat (&finfo, cert->path, APR_FINFO_MIN, cmd->pool))
1544 ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server,
1545 "LDAP: Could not open SSL trusted certificate "
1546 "authority file - %s",
1547 cert->path == NULL ? file : cert->path);
1548 return "Invalid global certificate file path";
1557 * Set LDAPTrustedClientCert.
1559 * This directive takes either two or three arguments:
1560 * - certificate type
1561 * - certificate file / directory / nickname
1562 * - certificate password (optional)
1564 static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,
1568 const char *password)
1570 util_ldap_state_t *st =
1571 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1576 apr_ldap_opt_tls_cert_t *cert;
1578 /* handle the certificate type */
1580 cert_type = util_ldap_parse_cert_type(type);
1581 if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
1582 return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
1583 "not recognised. It should be one "
1584 "of CERT_DER, CERT_BASE64, "
1585 "CERT_NICKNAME, CERT_PFX,"
1586 "KEY_DER, KEY_BASE64, KEY_PFX",
1589 else if (APR_LDAP_CA_TYPE_DER == cert_type ||
1590 APR_LDAP_CA_TYPE_BASE64 == cert_type ||
1591 APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||
1592 APR_LDAP_CA_TYPE_SECMOD == cert_type ||
1593 APR_LDAP_CERT_TYPE_PFX == cert_type ||
1594 APR_LDAP_CERT_TYPE_KEY3_DB == cert_type) {
1595 return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
1596 "only valid within a "
1597 "LDAPTrustedGlobalCert directive. "
1598 "Only CERT_DER, CERT_BASE64, "
1599 "CERT_NICKNAME, KEY_DER, and "
1600 "KEY_BASE64 may be used.", type);
1604 return "Certificate type was not specified.";
1607 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1608 "LDAP: SSL trusted client cert - %s (type %s)",
1611 /* add the certificate to the global array */
1612 cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
1613 cert->type = cert_type;
1615 cert->password = password;
1617 /* if file is a file or path, fix the path */
1618 if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
1619 cert_type != APR_LDAP_CERT_TYPE_NICKNAME) {
1621 cert->path = ap_server_root_relative(cmd->pool, file);
1623 ((rv = apr_stat (&finfo, cert->path, APR_FINFO_MIN, cmd->pool))
1626 ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server,
1627 "LDAP: Could not open SSL client certificate "
1629 cert->path == NULL ? file : cert->path);
1630 return "Invalid client certificate file path";
1640 * Set LDAPTrustedMode.
1642 * This directive sets what encryption mode to use on a connection:
1643 * - None (No encryption)
1644 * - SSL (SSL encryption)
1645 * - STARTTLS (TLS encryption)
1647 static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy,
1650 util_ldap_state_t *st =
1651 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1654 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1655 "LDAP: SSL trusted mode - %s",
1658 if (0 == strcasecmp("NONE", mode)) {
1659 st->secure = APR_LDAP_NONE;
1661 else if (0 == strcasecmp("SSL", mode)) {
1662 st->secure = APR_LDAP_SSL;
1664 else if ( (0 == strcasecmp("TLS", mode))
1665 || (0 == strcasecmp("STARTTLS", mode))) {
1666 st->secure = APR_LDAP_STARTTLS;
1669 return "Invalid LDAPTrustedMode setting: must be one of NONE, "
1670 "SSL, or TLS/STARTTLS";
1677 static const char *util_ldap_set_verify_srv_cert(cmd_parms *cmd,
1681 util_ldap_state_t *st =
1682 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1685 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1686 "LDAP: SSL verify server certificate - %s",
1687 mode?"TRUE":"FALSE");
1689 st->verify_svr_cert = mode;
1695 static const char *util_ldap_set_connection_timeout(cmd_parms *cmd,
1699 util_ldap_state_t *st =
1700 (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
1702 const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
1708 #ifdef LDAP_OPT_NETWORK_TIMEOUT
1709 st->connectionTimeout = atol(ttl);
1711 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
1712 "[%d] ldap connection: Setting connection timeout to "
1713 "%ld seconds.", getpid(), st->connectionTimeout);
1715 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
1716 "LDAP: Connection timout option not supported by the "
1717 "LDAP SDK in use." );
1724 static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
1726 util_ldap_state_t *st =
1727 (util_ldap_state_t *)apr_pcalloc(p, sizeof(util_ldap_state_t));
1731 st->cache_bytes = 100000;
1732 st->search_cache_ttl = 600000000;
1733 st->search_cache_size = 1024;
1734 st->compare_cache_ttl = 600000000;
1735 st->compare_cache_size = 1024;
1736 st->connections = NULL;
1737 st->ssl_supported = 0;
1738 st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
1739 st->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
1740 st->secure = APR_LDAP_NONE;
1742 st->connectionTimeout = 10;
1743 st->verify_svr_cert = 1;
1748 static void *util_ldap_merge_config(apr_pool_t *p, void *basev,
1751 util_ldap_state_t *st = apr_pcalloc(p, sizeof(util_ldap_state_t));
1752 util_ldap_state_t *base = (util_ldap_state_t *) basev;
1753 util_ldap_state_t *overrides = (util_ldap_state_t *) overridesv;
1757 st->cache_bytes = base->cache_bytes;
1758 st->search_cache_ttl = base->search_cache_ttl;
1759 st->search_cache_size = base->search_cache_size;
1760 st->compare_cache_ttl = base->compare_cache_ttl;
1761 st->compare_cache_size = base->compare_cache_size;
1762 st->connections = base->connections;
1763 st->ssl_supported = base->ssl_supported;
1764 st->global_certs = apr_array_append(p, base->global_certs,
1765 overrides->global_certs);
1766 st->client_certs = apr_array_append(p, base->client_certs,
1767 overrides->client_certs);
1768 st->secure = (overrides->secure_set == 0) ? base->secure
1769 : overrides->secure;
1774 static apr_status_t util_ldap_cleanup_module(void *data)
1777 server_rec *s = data;
1778 util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
1779 s->module_config, &ldap_module);
1781 if (st->ssl_supported) {
1782 apr_ldap_ssl_deinit();
1789 static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
1790 apr_pool_t *ptemp, server_rec *s)
1792 apr_status_t result;
1793 server_rec *s_vhost;
1794 util_ldap_state_t *st_vhost;
1796 util_ldap_state_t *st = (util_ldap_state_t *)
1797 ap_get_module_config(s->module_config,
1801 const char *userdata_key = "util_ldap_init";
1802 apr_ldap_err_t *result_err = NULL;
1805 /* util_ldap_post_config() will be called twice. Don't bother
1806 * going through all of the initialization on the first call
1807 * because it will just be thrown away.*/
1808 apr_pool_userdata_get(&data, userdata_key, s->process->pool);
1810 apr_pool_userdata_set((const void *)1, userdata_key,
1811 apr_pool_cleanup_null, s->process->pool);
1813 #if APR_HAS_SHARED_MEMORY
1814 /* If the cache file already exists then delete it. Otherwise we are
1815 * going to run into problems creating the shared memory. */
1816 if (st->cache_file) {
1817 char *lck_file = apr_pstrcat(st->pool, st->cache_file, ".lck",
1819 apr_file_remove(lck_file, ptemp);
1825 #if APR_HAS_SHARED_MEMORY
1826 /* initializing cache if shared memory size is not zero and we already
1827 * don't have shm address
1829 if (!st->cache_shm && st->cache_bytes > 0) {
1831 result = util_ldap_cache_init(p, st);
1832 if (result != APR_SUCCESS) {
1833 ap_log_error(APLOG_MARK, APLOG_ERR, result, s,
1834 "LDAP cache: could not create shared memory segment");
1839 #if APR_HAS_SHARED_MEMORY
1840 if (st->cache_file) {
1841 st->lock_file = apr_pstrcat(st->pool, st->cache_file, ".lck",
1846 st->lock_file = ap_server_root_relative(st->pool, tmpnam(NULL));
1848 result = apr_global_mutex_create(&st->util_ldap_cache_lock,
1849 st->lock_file, APR_LOCK_DEFAULT,
1851 if (result != APR_SUCCESS) {
1855 #ifdef AP_NEED_SET_MUTEX_PERMS
1856 result = unixd_set_global_mutex_perms(st->util_ldap_cache_lock);
1857 if (result != APR_SUCCESS) {
1858 ap_log_error(APLOG_MARK, APLOG_CRIT, result, s,
1859 "LDAP cache: failed to set mutex permissions");
1864 /* merge config in all vhost */
1867 st_vhost = (util_ldap_state_t *)
1868 ap_get_module_config(s_vhost->module_config,
1871 #if APR_HAS_SHARED_MEMORY
1872 st_vhost->cache_shm = st->cache_shm;
1873 st_vhost->cache_rmm = st->cache_rmm;
1874 st_vhost->cache_file = st->cache_file;
1875 ap_log_error(APLOG_MARK, APLOG_DEBUG, result, s,
1876 "LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp "
1877 "for VHOST: %s", st->cache_shm, st->cache_rmm,
1878 s_vhost->server_hostname);
1880 st_vhost->lock_file = st->lock_file;
1881 s_vhost = s_vhost->next;
1883 #if APR_HAS_SHARED_MEMORY
1886 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
1887 "LDAP cache: LDAPSharedCacheSize is zero, disabling "
1888 "shared memory cache");
1892 /* log the LDAP SDK used
1895 apr_ldap_err_t *result = NULL;
1896 apr_ldap_info(p, &(result));
1897 if (result != NULL) {
1898 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "%s", result->reason);
1902 apr_pool_cleanup_register(p, s, util_ldap_cleanup_module,
1903 util_ldap_cleanup_module);
1906 * Initialize SSL support, and log the result for the benefit of the admin.
1908 * If SSL is not supported it is not necessarily an error, as the
1909 * application may not want to use it.
1911 rc = apr_ldap_ssl_init(p,
1915 if (APR_SUCCESS == rc) {
1916 rc = apr_ldap_set_option(p, NULL, APR_LDAP_OPT_TLS_CERT,
1917 (void *)st->global_certs, &(result_err));
1920 if (APR_SUCCESS == rc) {
1921 st->ssl_supported = 1;
1922 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
1923 "LDAP: SSL support available" );
1926 st->ssl_supported = 0;
1927 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
1928 "LDAP: SSL support unavailable%s%s",
1929 result_err ? ": " : "",
1930 result_err ? result_err->reason : "");
1936 static void util_ldap_child_init(apr_pool_t *p, server_rec *s)
1939 util_ldap_state_t *st = ap_get_module_config(s->module_config,
1942 if (!st->util_ldap_cache_lock) return;
1944 sts = apr_global_mutex_child_init(&st->util_ldap_cache_lock,
1946 if (sts != APR_SUCCESS) {
1947 ap_log_error(APLOG_MARK, APLOG_CRIT, sts, s,
1948 "Failed to initialise global mutex %s in child process %"
1950 st->lock_file, getpid());
1954 static const command_rec util_ldap_cmds[] = {
1955 AP_INIT_TAKE1("LDAPSharedCacheSize", util_ldap_set_cache_bytes,
1957 "Set the size of the shared memory cache (in bytes). Use "
1958 "0 to disable the shared memory cache. (default: 100000)"),
1960 AP_INIT_TAKE1("LDAPSharedCacheFile", util_ldap_set_cache_file,
1962 "Set the file name for the shared memory cache."),
1964 AP_INIT_TAKE1("LDAPCacheEntries", util_ldap_set_cache_entries,
1966 "Set the maximum number of entries that are possible in the "
1967 "LDAP search cache. Use 0 for no limit. "
1968 "-1 disables the cache. (default: 1024)"),
1970 AP_INIT_TAKE1("LDAPCacheTTL", util_ldap_set_cache_ttl,
1972 "Set the maximum time (in seconds) that an item can be "
1973 "cached in the LDAP search cache. Use 0 for no limit. "
1976 AP_INIT_TAKE1("LDAPOpCacheEntries", util_ldap_set_opcache_entries,
1978 "Set the maximum number of entries that are possible "
1979 "in the LDAP compare cache. Use 0 for no limit. "
1980 "Use -1 to disable the cache. (default: 1024)"),
1982 AP_INIT_TAKE1("LDAPOpCacheTTL", util_ldap_set_opcache_ttl,
1984 "Set the maximum time (in seconds) that an item is cached "
1985 "in the LDAP operation cache. Use 0 for no limit. "
1988 AP_INIT_TAKE23("LDAPTrustedGlobalCert", util_ldap_set_trusted_global_cert,
1990 "Takes three args; the file and/or directory containing "
1991 "the trusted CA certificates (and global client certs "
1992 "for Netware) used to validate the LDAP server. Second "
1993 "arg is the cert type for the first arg, one of CA_DER, "
1994 "CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, "
1995 "CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. "
1996 "Third arg is an optional passphrase if applicable."),
1998 AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert,
2000 "Takes three args; the file and/or directory containing "
2001 "the client certificate, or certificate ID used to "
2002 "validate this LDAP client. Second arg is the cert type "
2003 "for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, "
2004 "CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
2005 "CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an "
2006 "optional passphrase if applicable."),
2008 AP_INIT_TAKE1("LDAPTrustedMode", util_ldap_set_trusted_mode,
2010 "Specify the type of security that should be applied to "
2011 "an LDAP connection. One of; NONE, SSL or STARTTLS."),
2013 AP_INIT_FLAG("LDAPVerifyServerCert", util_ldap_set_verify_srv_cert,
2015 "Set to 'ON' requires that the server certificate be verified "
2016 "before a secure LDAP connection can be establish. Default 'ON'"),
2018 AP_INIT_TAKE1("LDAPConnectionTimeout", util_ldap_set_connection_timeout,
2020 "Specify the LDAP socket connection timeout in seconds "
2026 static void util_ldap_register_hooks(apr_pool_t *p)
2028 APR_REGISTER_OPTIONAL_FN(uldap_connection_open);
2029 APR_REGISTER_OPTIONAL_FN(uldap_connection_close);
2030 APR_REGISTER_OPTIONAL_FN(uldap_connection_unbind);
2031 APR_REGISTER_OPTIONAL_FN(uldap_connection_cleanup);
2032 APR_REGISTER_OPTIONAL_FN(uldap_connection_find);
2033 APR_REGISTER_OPTIONAL_FN(uldap_cache_comparedn);
2034 APR_REGISTER_OPTIONAL_FN(uldap_cache_compare);
2035 APR_REGISTER_OPTIONAL_FN(uldap_cache_checkuserid);
2036 APR_REGISTER_OPTIONAL_FN(uldap_cache_getuserdn);
2037 APR_REGISTER_OPTIONAL_FN(uldap_ssl_supported);
2039 ap_hook_post_config(util_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE);
2040 ap_hook_handler(util_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE);
2041 ap_hook_child_init(util_ldap_child_init, NULL, NULL, APR_HOOK_MIDDLE);
2044 module AP_MODULE_DECLARE_DATA ldap_module = {
2045 STANDARD20_MODULE_STUFF,
2046 NULL, /* create dir config */
2047 NULL, /* merge dir config */
2048 util_ldap_create_config, /* create server config */
2049 util_ldap_merge_config, /* merge server config */
2050 util_ldap_cmds, /* command table */
2051 util_ldap_register_hooks, /* set up request processing hooks */