+++ /dev/null
-// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
-// vim: ts=8 sw=2 smarttab
-
-#include "rgw_ldap.h"
-
-#include "common/ceph_context.h"
-#include "common/common_init.h"
-#include "common/dout.h"
-#include "common/safe_io.h"
-#include <boost/algorithm/string.hpp>
-
-#include "include/assert.h"
-
-#define dout_subsys ceph_subsys_rgw
-
-std::string parse_rgw_ldap_bindpw(CephContext* ctx)
-{
- string ldap_bindpw;
- string ldap_secret = ctx->_conf->rgw_ldap_secret;
-
- if (ldap_secret.empty()) {
- ldout(ctx, 10)
- << __func__ << " LDAP auth no rgw_ldap_secret file found in conf"
- << dendl;
- } else {
- char bindpw[1024];
- memset(bindpw, 0, 1024);
- int pwlen = safe_read_file("" /* base */, ldap_secret.c_str(),
- bindpw, 1023);
- if (pwlen) {
- ldap_bindpw = bindpw;
- boost::algorithm::trim(ldap_bindpw);
- if (ldap_bindpw.back() == '\n')
- ldap_bindpw.pop_back();
- }
- }
-
- return ldap_bindpw;
-}
-
-#if defined(HAVE_OPENLDAP)
-namespace rgw {
-
- int LDAPHelper::auth(const std::string uid, const std::string pwd) {
- int ret;
- std::string filter;
- if (msad) {
- filter = "(&(objectClass=user)(sAMAccountName=";
- filter += uid;
- filter += "))";
- } else {
- /* openldap */
- if (searchfilter.empty()) {
- /* no search filter provided in config, we construct our own */
- filter = "(";
- filter += dnattr;
- filter += "=";
- filter += uid;
- filter += ")";
- } else {
- if (searchfilter.find("@USERNAME@") != std::string::npos) {
- /* we need to substitute the @USERNAME@ placeholder */
- filter = searchfilter;
- filter.replace(searchfilter.find("@USERNAME@"), std::string("@USERNAME@").length(), uid);
- } else {
- /* no placeholder for username, so we need to append our own username filter to the custom searchfilter */
- filter = "(&(";
- filter += searchfilter;
- filter += ")(";
- filter += dnattr;
- filter += "=";
- filter += uid;
- filter += "))";
- }
- }
- }
- ldout(g_ceph_context, 12)
- << __func__ << " search filter: " << filter
- << dendl;
- char *attrs[] = { const_cast<char*>(dnattr.c_str()), nullptr };
- LDAPMessage *answer = nullptr, *entry = nullptr;
- bool once = true;
-
- lock_guard guard(mtx);
-
- retry_bind:
- ret = ldap_search_s(ldap, searchdn.c_str(), LDAP_SCOPE_SUBTREE,
- filter.c_str(), attrs, 0, &answer);
- if (ret == LDAP_SUCCESS) {
- entry = ldap_first_entry(ldap, answer);
- if (entry) {
- char *dn = ldap_get_dn(ldap, entry);
- ret = simple_bind(dn, pwd);
- if (ret != LDAP_SUCCESS) {
- ldout(g_ceph_context, 10)
- << __func__ << " simple_bind failed uid=" << uid
- << "ldap err=" << ret
- << dendl;
- }
- ldap_memfree(dn);
- } else {
- ldout(g_ceph_context, 12)
- << __func__ << " ldap_search_s no user matching uid=" << uid
- << dendl;
- ret = LDAP_NO_SUCH_ATTRIBUTE; // fixup result
- }
- ldap_msgfree(answer);
- } else {
- ldout(g_ceph_context, 5)
- << __func__ << " ldap_search_s error uid=" << uid
- << " ldap err=" << ret
- << dendl;
- /* search should never fail--try to rebind */
- if (once) {
- rebind();
- once = false;
- goto retry_bind;
- }
- }
- return (ret == LDAP_SUCCESS) ? ret : -EACCES;
- } /* LDAPHelper::auth */
-}
-
-#endif /* defined(HAVE_OPENLDAP) */