1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
22 /* this whole thing disappears if LDAP is not enabled */
25 /* APR header files */
26 #include <apr_thread_mutex.h>
27 #include <apr_thread_rwlock.h>
28 #include <apr_tables.h>
31 /* Apache header files */
32 #include "ap_config.h"
34 #include "http_config.h"
35 #include "http_core.h"
37 #include "http_protocol.h"
38 #include "http_request.h"
40 #if APR_HAS_SHARED_MEMORY
45 /* Create a set of LDAP_DECLARE(type), LDLDAP_DECLARE(type) and
46 * LDAP_DECLARE_DATA with appropriate export and import tags for the platform
49 #define LDAP_DECLARE(type) type
50 #define LDAP_DECLARE_NONSTD(type) type
51 #define LDAP_DECLARE_DATA
52 #elif defined(LDAP_DECLARE_STATIC)
53 #define LDAP_DECLARE(type) type __stdcall
54 #define LDAP_DECLARE_NONSTD(type) type
55 #define LDAP_DECLARE_DATA
56 #elif defined(LDAP_DECLARE_EXPORT)
57 #define LDAP_DECLARE(type) __declspec(dllexport) type __stdcall
58 #define LDAP_DECLARE_NONSTD(type) __declspec(dllexport) type
59 #define LDAP_DECLARE_DATA __declspec(dllexport)
61 #define LDAP_DECLARE(type) __declspec(dllimport) type __stdcall
62 #define LDAP_DECLARE_NONSTD(type) __declspec(dllimport) type
63 #define LDAP_DECLARE_DATA __declspec(dllimport)
70 /* Values that the deref member can have */
72 never=LDAP_DEREF_NEVER,
73 searching=LDAP_DEREF_SEARCHING,
74 finding=LDAP_DEREF_FINDING,
75 always=LDAP_DEREF_ALWAYS
78 /* Structure representing an LDAP connection */
79 typedef struct util_ldap_connection_t {
81 apr_pool_t *pool; /* Pool from which this connection is created */
83 apr_thread_mutex_t *lock; /* Lock to indicate this connection is in use */
85 int bound; /* Flag to indicate whether this connection is bound yet */
87 const char *host; /* Name of the LDAP server (or space separated list) */
88 int port; /* Port of the LDAP server */
89 deref_options deref; /* how to handle alias dereferening */
91 const char *binddn; /* DN to bind to server (can be NULL) */
92 const char *bindpw; /* Password to bind to server (can be NULL) */
94 int secure; /* True if use SSL connection */
96 const char *reason; /* Reason for an error failure */
98 struct util_ldap_connection_t *next;
99 } util_ldap_connection_t;
101 /* LDAP cache state information */
102 typedef struct util_ldap_state_t {
103 apr_pool_t *pool; /* pool from which this state is allocated */
105 apr_thread_mutex_t *mutex; /* mutex lock for the connection list */
107 apr_global_mutex_t *util_ldap_cache_lock;
109 apr_size_t cache_bytes; /* Size (in bytes) of shared memory cache */
110 char *cache_file; /* filename for shm */
111 long search_cache_ttl; /* TTL for search cache */
112 long search_cache_size; /* Size (in entries) of search cache */
113 long compare_cache_ttl; /* TTL for compare cache */
114 long compare_cache_size; /* Size (in entries) of compare cache */
116 struct util_ldap_connection_t *connections;
117 char *cert_auth_file;
121 #if APR_HAS_SHARED_MEMORY
122 apr_shm_t *cache_shm;
123 apr_rmm_t *cache_rmm;
127 void *util_ldap_cache;
128 char *lock_file; /* filename for shm lock mutex */
129 int connectionTimeout;
135 * Open a connection to an LDAP server
136 * @param ldc A structure containing the expanded details of the server
137 * to connect to. The handle to the LDAP connection is returned
139 * @tip This function connects to the LDAP server and binds. It does not
140 * connect if already connected (ldc->ldap != NULL). Does not bind
142 * @return If successful LDAP_SUCCESS is returned.
143 * @deffunc int util_ldap_connection_open(request_rec *r,
144 * util_ldap_connection_t *ldc)
146 LDAP_DECLARE(int) util_ldap_connection_open(request_rec *r,
147 util_ldap_connection_t *ldc);
150 * Close a connection to an LDAP server
151 * @param ldc A structure containing the expanded details of the server
152 * that was connected.
153 * @tip This function unbinds from the LDAP server, and clears ldc->ldap.
154 * It is possible to rebind to this server again using the same ldc
155 * structure, using apr_ldap_open_connection().
156 * @deffunc util_ldap_close_connection(util_ldap_connection_t *ldc)
158 LDAP_DECLARE(void) util_ldap_connection_close(util_ldap_connection_t *ldc);
161 * Unbind a connection to an LDAP server
162 * @param ldc A structure containing the expanded details of the server
163 * that was connected.
164 * @tip This function unbinds the LDAP connection, and disconnects from
165 * the server. It is used during error conditions, to bring the LDAP
166 * connection back to a known state.
167 * @deffunc apr_status_t util_ldap_connection_unbind(util_ldap_connection_t *ldc)
169 LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_unbind(void *param);
172 * Cleanup a connection to an LDAP server
173 * @param ldc A structure containing the expanded details of the server
174 * that was connected.
175 * @tip This function is registered with the pool cleanup to close down the
176 * LDAP connections when the server is finished with them.
177 * @deffunc apr_status_t util_ldap_connection_cleanup(util_ldap_connection_t *ldc)
179 LDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_cleanup(void *param);
182 * Find a connection in a list of connections
183 * @param r The request record
184 * @param host The hostname to connect to (multiple hosts space separated)
185 * @param port The port to connect to
186 * @param binddn The DN to bind with
187 * @param bindpw The password to bind with
188 * @param deref The dereferencing behavior
189 * @param secure use SSL on the connection
190 * @tip Once a connection is found and returned, a lock will be acquired to
191 * lock that particular connection, so that another thread does not try and
192 * use this connection while it is busy. Once you are finished with a connection,
193 * apr_ldap_connection_close() must be called to release this connection.
194 * @deffunc util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port,
195 * const char *binddn, const char *bindpw, deref_options deref,
196 * int netscapessl, int starttls)
198 LDAP_DECLARE(util_ldap_connection_t *) util_ldap_connection_find(request_rec *r, const char *host, int port,
199 const char *binddn, const char *bindpw, deref_options deref,
204 * Compare two DNs for sameness
205 * @param r The request record
206 * @param ldc The LDAP connection being used.
207 * @param url The URL of the LDAP connection - used for deciding which cache to use.
208 * @param dn The first DN to compare.
209 * @param reqdn The DN to compare the first DN to.
210 * @param compare_dn_on_server Flag to determine whether the DNs should be checked using
211 * LDAP calls or with a direct string comparision. A direct
212 * string comparison is faster, but not as accurate - false
213 * negative comparisons are possible.
214 * @tip Two DNs can be equal and still fail a string comparison. Eg "dc=example,dc=com"
215 * and "dc=example, dc=com". Use the compare_dn_on_server unless there are serious
216 * performance issues.
217 * @deffunc int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
218 * const char *url, const char *dn, const char *reqdn,
219 * int compare_dn_on_server)
221 LDAP_DECLARE(int) util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
222 const char *url, const char *dn, const char *reqdn,
223 int compare_dn_on_server);
226 * A generic LDAP compare function
227 * @param r The request record
228 * @param ldc The LDAP connection being used.
229 * @param url The URL of the LDAP connection - used for deciding which cache to use.
230 * @param dn The DN of the object in which we do the compare.
231 * @param attrib The attribute within the object we are comparing for.
232 * @param value The value of the attribute we are trying to compare for.
233 * @tip Use this function to determine whether an attribute/value pair exists within an
234 * object. Typically this would be used to determine LDAP group membership.
235 * @deffunc int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
236 * const char *url, const char *dn, const char *attrib, const char *value)
238 LDAP_DECLARE(int) util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
239 const char *url, const char *dn, const char *attrib, const char *value);
242 * Checks a username/password combination by binding to the LDAP server
243 * @param r The request record
244 * @param ldc The LDAP connection being used.
245 * @param url The URL of the LDAP connection - used for deciding which cache to use.
246 * @param basedn The Base DN to search for the user in.
247 * @param scope LDAP scope of the search.
248 * @param attrs LDAP attributes to return in search.
249 * @param filter The user to search for in the form of an LDAP filter. This filter must return
250 * exactly one user for the check to be successful.
251 * @param bindpw The user password to bind as.
252 * @param binddn The DN of the user will be returned in this variable.
253 * @param retvals The values corresponding to the attributes requested in the attrs array.
254 * @tip The filter supplied will be searched for. If a single entry is returned, an attempt
255 * is made to bind as that user. If this bind succeeds, the user is not validated.
256 * @deffunc int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
257 * char *url, const char *basedn, int scope, char **attrs,
258 * char *filter, char *bindpw, char **binddn, char ***retvals)
260 LDAP_DECLARE(int) util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
261 const char *url, const char *basedn, int scope, char **attrs,
262 const char *filter, const char *bindpw, const char **binddn, const char ***retvals);
265 * Retrieves the LDAP DN of the user without the need to know user password
266 * @param r The request record
267 * @param ldc The LDAP connection being used.
268 * @param url The URL of the LDAP connection - used for deciding which cache to use.
269 * @param basedn The Base DN to search for the user in.
270 * @param scope LDAP scope of the search.
271 * @param attrs LDAP attributes to return in search.
272 * @param filter The user to search for in the form of an LDAP filter. This filter must return
273 * exactly one user for the check to be successful.
274 * @param binddn The DN of the user will be returned in this variable.
275 * @param retvals The values corresponding to the attributes requested in the attrs array.
276 * @tip The filter supplied will be searched for. A single entry matching the search is returned.
277 * @deffunc int util_ldap_cache_getuserdn(request_rec *r, util_ldap_connection_t *ldc,
278 * char *url, const char *basedn, int scope, char **attrs,
279 * char *filter, char **binddn, char ***retvals)
281 LDAP_DECLARE(int) util_ldap_cache_getuserdn(request_rec *r, util_ldap_connection_t *ldc,
282 const char *url, const char *basedn, int scope, char **attrs,
283 const char *filter, const char **binddn, const char ***retvals);
286 * Checks if SSL support is available in mod_ldap
287 * @deffunc int util_ldap_ssl_supported(request_rec *r)
289 LDAP_DECLARE(int) util_ldap_ssl_supported(request_rec *r);
291 /* from apr_ldap_cache.c */
294 * Init the LDAP cache
295 * @param pool The pool to use to initialise the cache
296 * @param reqsize The size of the shared memory segement to request. A size
297 * of zero requests the max size possible from
299 * @deffunc void util_ldap_cache_init(apr_pool_t *p, util_ldap_state_t *st)
300 * @return The status code returned is the status code of the
301 * apr_smmem_init() call. Regardless of the status, the cache
302 * will be set up at least for in-process or in-thread operation.
304 apr_status_t util_ldap_cache_init(apr_pool_t *pool, util_ldap_state_t *st);
306 /* from apr_ldap_cache_mgr.c */
309 * Display formatted stats for cache
310 * @param The pool to allocate the returned string from
311 * @tip This function returns a string allocated from the provided pool that describes
312 * various stats about the cache.
313 * @deffunc char *util_ald_cache_display(apr_pool_t *pool, util_ldap_state_t *st)
315 char *util_ald_cache_display(request_rec *r, util_ldap_state_t *st);
317 #endif /* APU_HAS_LDAP */
318 #endif /* UTIL_LDAP_H */