autofs-5.0.5 - add external bind method
From: Ian Kent <raven@themaw.net>
Add sasl external bind handler.
---
CHANGELOG | 1
include/lookup_ldap.h | 7 ++
man/autofs_ldap_auth.conf.5.in | 24 +++++++-
modules/Makefile | 5 +
modules/cyrus-sasl-extern.c | 117 +++++++++++++++++++++++++++++++++++++++++
modules/cyrus-sasl.c | 20 +++++++
modules/lookup_ldap.c | 78 ++++++++++++++++++++++-----
7 files changed, 234 insertions(+), 18 deletions(-)
create mode 100644 modules/cyrus-sasl-extern.c
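--- autofs-5.0.5.orig/CHANGELOG
+++ autofs-5.0.5/CHANGELOG
@@ -51,6 +51,7 @@
 - fix init script status privilege error.
 - always read file maps mount lookup map read fix.
 - fix direct map not updating on reread.
+- add external bind method.
 
 03/09/2009 autofs-5.0.5
 -----------------------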
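--- autofs-5.0.5.orig/include/lookup_ldap.h
+++ autofs-5.0.5/include/lookup_ldap.h
@@ -10,6 +10,7 @@
 #include <krb5.h>
 #endif
 
+#include "list.h"
 #include "dclist.h"
 
 struct ldap_schema {
@@ -76,9 +77,13 @@ struct lookup_context {
 int kinit_done;
 int kinit_successful;
 #ifdef WITH_SASL
+ /* Kerberos */
 krb5_context krb5ctxt;
 krb5_ccache krb5_ccache;
 sasl_conn_t *sasl_conn;
+ /* SASL external */
+ char *extern_cert;
+ char *extern_key;
 #endif
 /* keytab file name needs to be added */
 
@@ -111,6 +116,8 @@ int autofs_sasl_bind(unsigned logopt, LD
 void autofs_sasl_unbind(struct lookup_context *ctxt);
 void autofs_sasl_dispose(struct lookup_context *ctxt);
 void autofs_sasl_done(void);
+/* cyrus-sasl-extern */
+int do_sasl_extern(LDAP *ldap, struct lookup_context *ctxt);
 #endif
 
 #endif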
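Review bot: The new `extern_cert`/`extern_key` members and the `do_sasl_extern` prototype carry no note on ownership or return convention, which matters because both live only under `WITH_SASL` and are touched from several places in lookup_ldap.c. The strings are heap-allocated by parse_ldap_config, released in free_context, and handed to libldap through the LDAPTLS_CERT/LDAPTLS_KEY environment variables in do_connect, so a comment such as `/* paths to the client certificate and key for SASL EXTERNAL; owned by the context, exported as LDAPTLS_CERT/LDAPTLS_KEY before connecting */` would save the next reader a trip through the module. The prototype would benefit from `/* returns an LDAP result code: LDAP_SUCCESS or the error from ldap_sasl_interactive_bind_s() */`. struct lookup_context begins before this hunk.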
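--- autofs-5.0.5.orig/man/autofs_ldap_auth.conf.5.in
+++ autofs-5.0.5/man/autofs_ldap_auth.conf.5.in
@@ -60,12 +60,30 @@ authentication mechanism. If no suitabl
 to the ldap server are made without authentication. Finally, if it is set to
 simple, then simple authentication will be used instead of SASL.
 .TP
-\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"\fP
+\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5|EXTERNAL"\fP
 This attribute can be used to specify a preferred authentication mechanism.
- In normal operations, the automounter will attempt to authenticate to the
+In normal operations, the automounter will attempt to authenticate to the
 ldap server using the list of supportedSASLmechanisms obtained from the
 directory server. Explicitly setting the authtype will bypass this selection
-and only try the mechanism specified.
+and only try the mechanism specified. The EXTERNAL mechanism may be used to
+authenticate using a client certificate and requires that authrequired
+set to "yes" if using SSL or usetls, tlsrequired and authrequired all set to
+"yes" if using TLS, in addition to authtype being set to EXTERNAL.
+.sp
+If using authtype EXTERNAL two additional configuration entries are
+required:
+.sp
+\fBexternal_cert="<client certificate path>"\fP
+.sp
+This specifies the path of the file containing the client certificate.
+.sp
+\fBexternal_key="<client certificate key path>"\fP
+.sp
+This specifies the path of the file containing the client certificate key.
+.sp
+These two configuration entries are mandatory when using the EXTERNAL method
+as the HOME environment variable cannot be assumed to be set or, if it is,
+to be set to the location we expect.
 .TP
 \fBuser="<username>"\fP
 This attribute holds the authentication identity used by authentication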
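--- autofs-5.0.5.orig/modules/Makefile
+++ autofs-5.0.5/modules/Makefile
@@ -41,7 +41,7 @@ ifeq ($(LDAP), 1)
 SRCS += lookup_ldap.c
 MODS += lookup_ldap.so
 ifeq ($(SASL), 1)
- SASL_OBJ = cyrus-sasl.o
+ SASL_OBJ = cyrus-sasl.o cyrus-sasl-extern.o
 LDAP_FLAGS += $(SASL_FLAGS) $(XML_FLAGS) $(KRB5_FLAGS) -DLDAP_THREAD_SAFE
 LIBLDAP += $(LIBSASL) $(XML_LIBS) $(KRB5_LIBS)
 endif
@@ -92,6 +92,9 @@ lookup_hesiod.so: lookup_hesiod.c
 cyrus-sasl.o: cyrus-sasl.c
 $(CC) $(CFLAGS) $(LDAP_FLAGS) -c $<
 
+cyrus-sasl-extern.o: cyrus-sasl-extern.c
+ $(CC) $(CFLAGS) $(LDAP_FLAGS) -c $<
+
 lookup_ldap.so: lookup_ldap.c dclist.o $(SASL_OBJ)
 $(CC) $(SOLDFLAGS) $(CFLAGS) $(LDAP_FLAGS) -o lookup_ldap.so \
 lookup_ldap.c dclist.o $(SASL_OBJ) \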
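--- /dev/null
+++ autofs-5.0.5/modules/cyrus-sasl-extern.c
@@ -0,0 +1,117 @@
+/*
+ * cyrus-sasl-extern.c - Module for Cyrus sasl external authentication.
+ *
+ * Copyright 2010 Ian Kent <raven@themaw.net>
+ * Copyright 2010 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, Inc., 675 Mass Ave, Cambridge MA 02139,
+ * USA; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include "config.h"
+
+#ifdef WITH_SASL
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sasl/sasl.h>
+#include <ldap.h>
+#include <ldap_cdefs.h>
+#include <lber_types.h>
+
+#include "lookup_ldap.h"
+
+struct values {
+ char *mech;
+ char *realm;
+ char *authcid;
+ char *authzid;
+ char *password;
+ char **resps;
+ int nresps;
+};
+
+static int interaction(unsigned flags, sasl_interact_t *interact, void *values)
+{
+ const char *val = interact->defresult;
+ struct values *vals = values;
+
+ switch(interact->id) {
+ case SASL_CB_GETREALM:
+ if (values)
+ val = vals->realm;
+ break;
+
+ case SASL_CB_AUTHNAME:
+ if (values)
+ val = vals->authcid;
+ break;
+
+ case SASL_CB_PASS:
+ if (values)
+ val = vals->password;
+ break;
+
+ case SASL_CB_USER:
+ if (values)
+ val = vals->authzid;
+ break;
+
+ case SASL_CB_NOECHOPROMPT:
+ case SASL_CB_ECHOPROMPT:
+ break;
+ }
+
+ if (val && !*val)
+ val = NULL;
+
+ if (val || interact->id == SASL_CB_USER) {
+ interact->result = (val && *val) ? val : "";
+ interact->len = strlen(interact->result);
+ }
+
+ return LDAP_SUCCESS;
+}
+
+int sasl_extern_interact(LDAP *ldap, unsigned flags, void *values, void *list)
+{
+ sasl_interact_t *interact = list;
+
+ if (!ldap)
+ return LDAP_PARAM_ERROR;
+
+ while (interact->id != SASL_CB_LIST_END) {
+ int rc = interaction(flags, interact, values);
+ if (rc)
+ return rc;
+ interact++;
+ }
+
+ return LDAP_SUCCESS;
+}
+
+int do_sasl_extern(LDAP *ldap, struct lookup_context *ctxt)
+{
+ int flags = LDAP_SASL_QUIET;
+ char *mech = ctxt->sasl_mech;
+ struct values values;
+ int rc;
+
+ memset(&values, 0, sizeof(struct values));
+ values.mech = mech;
+
+ rc = ldap_sasl_interactive_bind_s(ldap, NULL, mech, NULL, NULL,
+ flags, sasl_extern_interact, &values);
+ return rc;
+}
+#endif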
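Review bot: `sasl_extern_interact` has external linkage but is not declared in lookup_ldap.h (only `do_sasl_extern` is, in the header hunk), so it should be `static int sasl_extern_interact(LDAP *ldap, unsigned flags, void *values, void *list)` like `interaction` above it rather than exporting another symbol from the shared object. In `interaction`, `val` has already been normalised to NULL when empty three lines earlier, so `interact->result = (val && *val) ? val : "";` can simply read `interact->result = val ? val : "";`; the `flags` parameter is unused, and the switch has no `default:` branch, so an unexpected callback id silently keeps `defresult`. A header comment on `do_sasl_extern` noting that only `values.mech` is populated, so every callback resolves to its default or an empty string and the peer identity is presumably taken from the client certificate presented during TLS, would make the design intent explicit for the next maintainer.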
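--- autofs-5.0.5.orig/modules/cyrus-sasl.c
+++ autofs-5.0.5/modules/cyrus-sasl.c
@@ -875,6 +875,26 @@ autofs_sasl_bind(unsigned logopt, LDAP *
 if (ctxt->sasl_conn)
 return 0;
 
+ if (ctxt->sasl_mech && !strncmp(ctxt->sasl_mech, "EXTERNAL", 8)) {
+ int result;
+
+ debug(logopt,
+ "Attempting sasl bind with mechanism %s",
+ ctxt->sasl_mech);
+
+ result = do_sasl_extern(ldap, ctxt);
+ if (result)
+ debug(logopt,
+ "Failed to authenticate with mech %s",
+ ctxt->sasl_mech);
+ else
+ debug(logopt,
+ "sasl bind with mechanism %s succeeded",
+ ctxt->sasl_mech);
+
+ return result;
+ }
+
 sasl_auth_id = ctxt->user;
 sasl_auth_secret = ctxt->secret;
 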
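Review bot: `strncmp(ctxt->sasl_mech, "EXTERNAL", 8)` is a prefix test, so any mechanism name that merely starts with EXTERNAL is routed to `do_sasl_extern`; `strcmp(ctxt->sasl_mech, "EXTERNAL") == 0` is the intended exact match, and the same prefix test appears twice in the parse_ldap_config hunks of lookup_ldap.c. A failed EXTERNAL bind is reported only at debug level and without the LDAP error text, which makes a certificate-authentication failure hard to diagnose or alert on; `error(logopt, "Failed to authenticate with mech %s: %s", ctxt->sasl_mech, ldap_err2string(result));` would help, if `error()` is in scope here as it is in lookup_ldap.c. The branch returns the raw LDAP result code while the remainder of autofs_sasl_bind, which begins before this hunk, may follow a different return convention, so it is worth confirming that do_bind treats any non-zero value, not just -1, as failure.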
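--- autofs-5.0.5.orig/modules/lookup_ldap.c
+++ autofs-5.0.5/modules/lookup_ldap.c
@@ -41,6 +41,9 @@
 
 int lookup_version = AUTOFS_LOOKUP_VERSION; /* Required by protocol */
 
+#define ENV_LDAPTLS_CERT "LDAPTLS_CERT"
+#define ENV_LDAPTLS_KEY "LDAPTLS_KEY"
+
 static struct ldap_schema common_schema[] = {
 {"nisMap", "nisMapName", "nisObject", "cn", "nisMapEntry"},
 {"automountMap", "ou", "automount", "cn", "automountInformation"},
@@ -61,6 +64,16 @@ struct ldap_search_params {
 
 static int decode_percent_hack(const char *, char **);
 
+static int set_env(unsigned logopt, const char *name, const char *val)
+{
+ int ret = setenv(name, val, 1);
+ if (ret == -1) {
+ error(logopt, "failed to set config value for %s", name);
+ return 0;
+ }
+ return 1;
+}
+
 #ifndef HAVE_LDAP_CREATE_PAGE_CONTROL
 int ldap_create_page_control(LDAP *ldap, ber_int_t pagesize,
 struct berval *cookie, char isCritical,
@@ -578,13 +591,17 @@ static LDAP *do_connect(unsigned logopt,
 {
 LDAP *ldap;
 
- ldap = init_ldap_connection(logopt, uri, ctxt);
- if (!ldap)
- return NULL;
+ if (ctxt->extern_cert && ctxt->extern_key) {
+ set_env(logopt, ENV_LDAPTLS_CERT, ctxt->extern_cert);
+ set_env(logopt, ENV_LDAPTLS_KEY, ctxt->extern_key);
+ }
 
- if (!do_bind(logopt, ldap, uri, ctxt)) {
- unbind_ldap_connection(logopt, ldap, ctxt);
- return NULL;
+ ldap = init_ldap_connection(logopt, uri, ctxt);
+ if (ldap) {
+ if (!do_bind(logopt, ldap, uri, ctxt)) {
+ unbind_ldap_connection(logopt, ldap, ctxt);
+ ldap = NULL;
+ }
 }
 
 return ldap;
@@ -839,6 +856,7 @@ int parse_ldap_config(unsigned logopt, s
 xmlNodePtr root = NULL;
 char *authrequired, *auth_conf, *authtype;
 char *user = NULL, *secret = NULL;
+ char *extern_cert = NULL, *extern_key = NULL;
 char *client_princ = NULL, *client_cc = NULL;
 char *usetls, *tlsrequired;
 
@@ -1023,6 +1041,26 @@ int parse_ldap_config(unsigned logopt, s
 ret = -1;
 goto out;
 }
+ } else if (auth_required == LDAP_AUTH_REQUIRED &&
+ (authtype && !strncmp(authtype, "EXTERNAL", 8))) {
+ ret = get_property(logopt, root, "external_cert", &extern_cert);
+ ret |= get_property(logopt, root, "external_key", &extern_key);
+ /*
+ * For EXTERNAL auth to function we need a client certificate
+ * and and certificate key. The ca certificate used to verify
+ * the server certificate must also be set correctly in the
+ * global configuration as the connection must be encrypted
+ * and the server and client certificates must have been
+ * verified for the EXTERNAL method to be offerred by the
+ * server. If the cert and key have not been set in the autofs
+ * configuration they must be set in the ldap rc file.
+ */
+ if (ret != 0 || !extern_cert || !extern_key) {
+ if (extern_cert)
+ free(extern_cert);
+ if (extern_key)
+ free(extern_key);
+ }
 }
 
 /*
@@ -1043,6 +1081,8 @@ int parse_ldap_config(unsigned logopt, s
 ctxt->secret = secret;
 ctxt->client_princ = client_princ;
 ctxt->client_cc = client_cc;
+ ctxt->extern_cert = extern_cert;
+ ctxt->extern_key = extern_key;
 
 debug(logopt, MODPREFIX
 "ldap authentication configured with the following options:");
@@ -1052,14 +1092,20 @@ int parse_ldap_config(unsigned logopt, s
 "auth_required: %u, "
 "sasl_mech: %s",
 use_tls, tls_required, auth_required, authtype);
- debug(logopt, MODPREFIX
- "user: %s, "
- "secret: %s, "
- "client principal: %s "
- "credential cache: %s",
- user, secret ? "specified" : "unspecified",
- client_princ, client_cc);
-
+ if (authtype && !strncmp(authtype, "EXTERNAL", 8)) {
+ debug(logopt, MODPREFIX "external cert: %s",
+ extern_cert ? extern_cert : "ldap default");
+ debug(logopt, MODPREFIX "external key: %s ",
+ extern_key ? extern_key : "ldap default");
+ } else {
+ debug(logopt, MODPREFIX
+ "user: %s, "
+ "secret: %s, "
+ "client principal: %s "
+ "credential cache: %s",
+ user, secret ? "specified" : "unspecified",
+ client_princ, client_cc);
+ }
 out:
 xmlFreeDoc(doc);
 
@@ -1326,6 +1372,10 @@ static void free_context(struct lookup_c
 defaults_free_searchdns(ctxt->sdns);
 if (ctxt->dclist)
 free_dclist(ctxt->dclist);
+ if (ctxt->extern_cert)
+ free(ctxt->extern_cert);
+ if (ctxt->extern_key)
+ free(ctxt->extern_key);
 free(ctxt);
 
 return;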
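Review bot: In the parse_ldap_config hunk at `@@ -1023,6 +1041,26 @@`, when only one of `external_cert`/`external_key` is present the code frees the string but leaves the local pointer set, and the next hunk then stores it with `ctxt->extern_cert = extern_cert;` and prints it in the "external cert" debug line — a use-after-free read followed by a second free in free_context. Each release needs a reset, `free(extern_cert); extern_cert = NULL;` and likewise for `extern_key`, and since the man page change calls both entries mandatory for EXTERNAL it would be safer to log an error and fail the parse here than to fall through silently. In do_connect the return value of `set_env` is discarded, so a failed setenv still proceeds to init_ldap_connection with whatever LDAPTLS_CERT/LDAPTLS_KEY the process already carried; `if (!set_env(logopt, ENV_LDAPTLS_CERT, ctxt->extern_cert) || !set_env(logopt, ENV_LDAPTLS_KEY, ctxt->extern_key)) return NULL;` would refuse to bind with credentials other than the configured ones. The members are declared inside `#ifdef WITH_SASL` in lookup_ldap.h, yet the do_connect and free_context hunks access them unconditionally, so unless those functions are already within a WITH_SASL block that the hunks do not show, a build without SASL will not compile. setenv also mutates process-wide state shared by every map source and thread in the daemon (the Makefile builds this module with -DLDAP_THREAD_SAFE), which deserves a comment at the `ENV_LDAPTLS_*` defines.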