28 #ifdef ENABLE_LDAP_AUTH 36 #include <glib/gstdio.h> 41 #include "../base/openvas_string.h" 47 #define G_LOG_DOMAIN "lib ldap" 49 #define KEY_LDAP_HOST "ldaphost" 50 #define KEY_LDAP_DN_AUTH "authdn" 78 if (info == NULL || username == NULL || password == NULL || !info->
ldap_host)
80 g_debug (
"Not attempting ldap_connect: missing parameter.");
84 dn = ldap_auth_info_auth_dn (info, username);
91 g_debug (
"Could not bind to ldap host %s", info->
ldap_host);
95 ldap_unbind_ext_s (ldap, NULL, NULL);
116 gboolean allow_plaintext)
119 if (!ldap_host || !auth_dn)
122 if (ldap_auth_dn_is_good (auth_dn) == FALSE)
127 info->
auth_dn = g_strdup (auth_dn);
160 ldap_auth_info_auth_dn (
const ldap_auth_info_t info,
const gchar * username)
162 if (info == NULL || username == NULL)
165 gchar *dn = g_strdup_printf (info->
auth_dn, username);
184 ldap_auth_bind (
const gchar *host,
const gchar *userdn,
185 const gchar *password, gboolean force_encryption,
190 int ldapv3 = LDAP_VERSION3;
191 gchar *ldapuri = NULL;
192 struct berval credential;
196 if (host == NULL || userdn == NULL || password == NULL)
201 if (strlen(password) == 0)
204 if (force_encryption == FALSE)
205 g_warning (
"Allowed plaintext LDAP authentication.");
212 fd = g_file_open_tmp (NULL, &
name, &error);
215 g_warning (
"Could not open temp file for LDAP CACERTFILE: %s",
217 g_error_free (error);
221 if (g_chmod (
name, 0600))
222 g_warning (
"Could not chmod for LDAP CACERTFILE");
224 g_file_set_contents (
name, cacert, strlen (cacert), &error);
227 g_warning (
"Could not write LDAP CACERTFILE: %s",
229 g_error_free (error);
233 if (ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
name)
235 g_warning (
"Could not set LDAP CACERTFILE option.");
242 ldapuri = g_strconcat (
"ldap://", host, NULL);
244 ldap_return = ldap_initialize (&ldap, ldapuri);
246 if (ldap == NULL || ldap_return != LDAP_SUCCESS)
248 g_warning (
"Could not open LDAP connection for authentication.");
254 ldap_return = ldap_set_option (ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapv3);
255 if (ldap_return != LDAP_SUCCESS)
257 g_warning (
"Aborting, could not set ldap protocol version to 3: %s.",
258 ldap_err2string (ldap_return));
263 ldap_return = ldap_start_tls_s (ldap, NULL, NULL);
264 if (ldap_return != LDAP_SUCCESS)
267 g_warning (
"StartTLS failed, trying to establish ldaps connection.");
269 ldapuri = g_strconcat (
"ldaps://", host, NULL);
271 ldap_return = ldap_initialize (&ldap, ldapuri);
272 if (ldap == NULL || ldap_return != LDAP_SUCCESS)
274 if (force_encryption == TRUE)
277 (
"Aborting ldap authentication: Could not init LDAP StartTLS nor ldaps: %s.",
278 ldap_err2string (ldap_return));
284 g_warning (
"Could not init LDAP StartTLS, nor ldaps: %s.",
285 ldap_err2string (ldap_return));
286 g_warning (
"Reinit LDAP connection to do plaintext authentication");
287 ldap_unbind_ext_s (ldap, NULL, NULL);
291 ldap_return = ldap_initialize (&ldap, ldapuri);
292 if (ldap == NULL || ldap_return != LDAP_SUCCESS)
294 g_warning (
"Could not reopen LDAP connection for authentication.");
302 g_debug (
"LDAP StartTLS initialized.");
308 gchar *use_dn = NULL;
312 if (ldap_str2dn (userdn, &dn, LDAP_DN_FORMAT_LDAPV3) == LDAP_SUCCESS)
314 gchar **use_uid = NULL;
317 uid = g_strsplit (userdn,
",",2);
318 use_uid = g_strsplit (uid[0],
"=", 2);
320 if (!g_strcmp0 (use_uid[0],
"uid"))
327 g_strfreev (use_uid);
335 credential.bv_val = NULL;
336 credential.bv_len = 0U;
337 ldap_return = ldap_sasl_bind_s (ldap, NULL, LDAP_SASL_SIMPLE,
338 &credential, NULL, NULL, NULL);
339 if (ldap_return != LDAP_SUCCESS)
341 g_warning (
"LDAP anonymous authentication failure: %s",
342 ldap_err2string (ldap_return));
347 char *attrs[2] = {
"dn", NULL };
348 LDAPMessage *result = NULL;
349 gchar **base = g_strsplit (userdn,
",", 2);
353 ldap_search_ext_s (ldap, base[1], LDAP_SCOPE_SUBTREE, uid[0], attrs,
354 0, NULL, NULL, NULL, 1, &result);
359 if (ldap_return != LDAP_SUCCESS)
360 use_dn = g_strdup (userdn);
364 found_dn = ldap_get_dn (ldap, result);
365 if ((found_dn == NULL) || (strlen (found_dn) == 0U))
366 use_dn = g_strdup (userdn);
368 use_dn = g_strdup (found_dn);
369 ldap_memfree (found_dn);
371 ldap_msgfree (result);
375 use_dn = g_strdup (userdn);
379 credential.bv_val = g_strdup (password);
380 credential.bv_len = strlen (password);
381 ldap_return = ldap_sasl_bind_s (ldap, use_dn, LDAP_SASL_SIMPLE,
382 &credential, NULL, NULL, NULL);
383 g_free (credential.bv_val);
385 if (ldap_return != LDAP_SUCCESS)
387 g_warning (
"LDAP authentication failure: %s.",
388 ldap_err2string (ldap_return));
420 ldap_auth_dn_is_good (
const gchar * authdn)
426 if (authdn == NULL || authdn[0] ==
'\0')
430 if (!strstr (authdn,
"%s"))
434 char *pos = strchr (authdn,
'%');
435 pos = strchr (pos + 1,
'%');
439 ln = strlen (authdn);
442 if (strchr (authdn,
'\\') && authdn[ln-2] ==
'%' && authdn[ln-1] ==
's')
446 if (authdn[0] ==
'%' && authdn[1] ==
's' && authdn[2] ==
'@')
450 eg = g_strdup_printf (authdn,
"example");
452 if (ldap_str2dn (eg, &dn, LDAP_DN_FORMAT_LDAPV3))
480 gboolean allow_plaintext)
484 (void) allow_plaintext;
struct ldap_auth_info * ldap_auth_info_t
Authentication schema and address type.
gchar * ldap_host
Address of the LDAP server; may include a port.
int ldap_connect_authenticate(const gchar *username, const gchar *password, void *ldap_auth_info, const gchar *cacert)
Dummy function for Manager.
gchar * auth_dn
DN to authenticate with.
gboolean allow_plaintext
Whether a plaintext (non-StartTLS) bind is allowed; the inverse of requiring StartTLS.
void ldap_auth_info_free(ldap_auth_info_t info)
Dummy function for Manager.
ldap_auth_info_t ldap_auth_info_new(const gchar *ldap_host, const gchar *auth_dn, gboolean allow_plaintext)
Dummy function for Manager.
Schema (dn) and info to use for a basic ldap authentication.