/*

   cfg.h - definition of configuration information

   This file contains parts that were part of the nss_ldap

   library which has been forked into the nss-pam-ldapd library.

   Copyright (C) 1997-2005 Luke Howard

   Copyright (C) 2007 West Consulting

   Copyright (C) 2007-2017 Arthur de Jong

   This library is free software; you can redistribute it and/or

   modify it under the terms of the GNU Lesser General Public

   License as published by the Free Software Foundation; either

   version 2.1 of the License, or (at your option) any later version.

   This library is distributed in the hope that it will be useful,

   but WITHOUT ANY WARRANTY; without even the implied warranty of

   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public

   License along with this library; if not, write to the Free Software

   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

   02110-1301 USA

*/

#ifndef NSLCD__CFG_H

#define NSLCD__CFG_H

#include <unistd.h>

#include <sys/types.h>

#include <lber.h>

#include <ldap.h>

#include <regex.h>

#include <time.h>

#include "compat/attrs.h"

#include "common/set.h"

/* values for uid and gid */

#define NOUID ((gid_t)-1)

#define NOGID ((gid_t)-1)

/* maximum number of URIs */

#define NSS_LDAP_CONFIG_MAX_URIS 31

/* maximum number of search bases */

#define NSS_LDAP_CONFIG_MAX_BASES 31

/* maximum number of pam_authz_search options */

#define NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES 8

enum ldap_ssl_options {

  SSL_OFF,

  SSL_LDAPS,

  SSL_START_TLS

};

/* selectors for different maps */

enum ldap_map_selector {

  LM_ALIASES,

  LM_ETHERS,

  LM_GROUP,

  LM_HOSTS,

  LM_NETGROUP,

  LM_NETWORKS,

  LM_PASSWD,

  LM_PROTOCOLS,

  LM_RPC,

  LM_SERVICES,

  LM_SHADOW,

  LM_NFSIDMAP, /* only used for cache invalidation */

  LM_NONE

};

struct myldap_uri {

  char *uri;

  /* time of first failed operation */

  time_t firstfail;

  /* time of last failed operation */

  time_t lastfail;

};

struct ldap_config {

  int threads;    /* the number of threads to start */

  char *uidname;  /* the user name specified in the uid option */

  uid_t uid;      /* the user id nslcd should be run as */

  gid_t gid;      /* the group id nslcd should be run as */

  struct myldap_uri uris[NSS_LDAP_CONFIG_MAX_URIS + 1]; /* NULL terminated list of URIs */

  int ldap_version;   /* LDAP protocol version */

  char *binddn;       /* bind DN */

  char *bindpw;       /* bind cred */

  char *rootpwmoddn;  /* bind DN for password modification by root */

  char *rootpwmodpw;  /* bind password for password modification by root */

  char *sasl_mech;      /* SASL mechanism */

  char *sasl_realm;     /* SASL realm */

  char *sasl_authcid;   /* SASL authentication identity */

  char *sasl_authzid;   /* SASL authorization identity */

  char *sasl_secprops;  /* SASL security properties */

#ifdef LDAP_OPT_X_SASL_NOCANON

  int sasl_canonicalize; /* whether host name should be canonicalised */

#endif /* LDAP_OPT_X_SASL_NOCANON */

  const char *bases[NSS_LDAP_CONFIG_MAX_BASES]; /* search bases */

  int scope;      /* scope for searches */

  int deref;      /* dereference aliases/links */

  int referrals;  /* chase referrals */

#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)

  int pam_authc_ppolicy;    /* whether to send password policy controls on bind */

#endif

  int bind_timelimit;       /* bind timelimit */

  int timelimit;            /* search timelimit */

  int idle_timelimit;       /* idle timeout */

  int reconnect_sleeptime;  /* seconds to sleep; doubled until max */

  int reconnect_retrytime;  /* maximum seconds to sleep */

#ifdef LDAP_OPT_X_TLS

  /* SSL enabled */

  enum ldap_ssl_options ssl;

#endif /* LDAP_OPT_X_TLS */

  int pagesize; /* set to a greater than 0 to enable handling of paged results with the specified size */

  SET *nss_initgroups_ignoreusers;  /* the users for which no initgroups() searches should be done */

  uid_t nss_min_uid;  /* minimum uid for users retrieved from LDAP */

  uid_t nss_uid_offset; /* offset for uids retrieved from LDAP to avoid local uid clashes */

  gid_t nss_gid_offset; /* offset for gids retrieved from LDAP to avoid local gid clashes */

  int nss_nested_groups; /* whether to expand nested groups */

  int nss_getgrent_skipmembers;  /* whether to skip member lookups */

  int nss_disable_enumeration;  /* enumeration turned on or off */

  regex_t validnames; /* the regular expression to determine valid names */

  char *validnames_str; /* string version of validnames regexp */

  int ignorecase; /* whether or not case should be ignored in lookups */

  char *pam_authc_search; /* the search that should be performed post-authentication */

  char *pam_authz_searches[NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES]; /* the searches that should be performed to do autorisation checks */

  char *pam_password_prohibit_message;   /* whether password changing should be denied and user prompted with this message */

  char reconnect_invalidate[LM_NONE];  /* set to 1 if the corresponding map should be invalidated */

  time_t cache_dn2uid_positive;

  time_t cache_dn2uid_negative;

};

/* this is a pointer to the global configuration, it should be available

   and populated after cfg_init() is called */

extern struct ldap_config *nslcd_cfg;

/* Initialize the configuration in nslcd_cfg. This method will read the

   default configuration file and call exit() if an error occurs. */

void cfg_init(const char *fname);

#endif /* NSLCD__CFG_H */