1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
6 #include "common/ceph_context.h"
7 #include "common/common_init.h"
8 #include "common/dout.h"
9 #include "common/safe_io.h"
10 #include <boost/algorithm/string.hpp>
12 #include "include/assert.h"
14 #define dout_subsys ceph_subsys_rgw
16 std::string parse_rgw_ldap_bindpw(CephContext* ctx)
19 string ldap_secret = ctx->_conf->rgw_ldap_secret;
21 if (ldap_secret.empty()) {
23 << __func__ << " LDAP auth no rgw_ldap_secret file found in conf"
27 memset(bindpw, 0, 1024);
28 int pwlen = safe_read_file("" /* base */, ldap_secret.c_str(),
32 boost::algorithm::trim(ldap_bindpw);
33 if (ldap_bindpw.back() == '\n')
34 ldap_bindpw.pop_back();
41 #if defined(HAVE_OPENLDAP)
44 int LDAPHelper::auth(const std::string uid, const std::string pwd) {
48 filter = "(&(objectClass=user)(sAMAccountName=";
53 if (searchfilter.empty()) {
54 /* no search filter provided in config, we construct our own */
61 if (searchfilter.find("@USERNAME@") != std::string::npos) {
62 /* we need to substitute the @USERNAME@ placeholder */
63 filter = searchfilter;
64 filter.replace(searchfilter.find("@USERNAME@"), std::string("@USERNAME@").length(), uid);
66 /* no placeholder for username, so we need to append our own username filter to the custom searchfilter */
68 filter += searchfilter;
77 ldout(g_ceph_context, 12)
78 << __func__ << " search filter: " << filter
80 char *attrs[] = { const_cast<char*>(dnattr.c_str()), nullptr };
81 LDAPMessage *answer = nullptr, *entry = nullptr;
84 lock_guard guard(mtx);
87 ret = ldap_search_s(ldap, searchdn.c_str(), LDAP_SCOPE_SUBTREE,
88 filter.c_str(), attrs, 0, &answer);
89 if (ret == LDAP_SUCCESS) {
90 entry = ldap_first_entry(ldap, answer);
92 char *dn = ldap_get_dn(ldap, entry);
93 ret = simple_bind(dn, pwd);
94 if (ret != LDAP_SUCCESS) {
95 ldout(g_ceph_context, 10)
96 << __func__ << " simple_bind failed uid=" << uid
102 ldout(g_ceph_context, 12)
103 << __func__ << " ldap_search_s no user matching uid=" << uid
105 ret = LDAP_NO_SUCH_ATTRIBUTE; // fixup result
107 ldap_msgfree(answer);
109 ldout(g_ceph_context, 5)
110 << __func__ << " ldap_search_s error uid=" << uid
111 << " ldap err=" << ret
113 /* search should never fail--try to rebind */
120 return (ret == LDAP_SUCCESS) ? ret : -EACCES;
121 } /* LDAPHelper::auth */
124 #endif /* defined(HAVE_OPENLDAP) */