diff options
Diffstat (limited to 'network/openvpn-auth-ldap/auth-ldap.patch')
| -rw-r--r-- | network/openvpn-auth-ldap/auth-ldap.patch | 349 |
1 files changed, 349 insertions, 0 deletions
diff --git a/network/openvpn-auth-ldap/auth-ldap.patch b/network/openvpn-auth-ldap/auth-ldap.patch new file mode 100644 index 0000000000..e1cb9e055a --- /dev/null +++ b/network/openvpn-auth-ldap/auth-ldap.patch @@ -0,0 +1,349 @@ +diff -crB auth-ldap-2.0.3/auth-ldap.conf auth-ldap-2.0.3-patched/auth-ldap.conf +*** auth-ldap-2.0.3/auth-ldap.conf 2007-01-22 12:50:42.000000000 -0600 +--- auth-ldap-2.0.3-patched/auth-ldap.conf 2010-06-29 10:58:40.916276380 -0500 +*************** +*** 47,52 **** +--- 47,55 ---- + #PFTable ips_vpn_users + + <Group> ++ # Match full user DN if true, uid only if false ++ RFC2307bis true ++ + BaseDN "ou=Groups,dc=example,dc=com" + SearchFilter "(|(cn=developers)(cn=artists))" + MemberAttribute uniqueMember +diff -crB auth-ldap-2.0.3/src/LFAuthLDAPConfig.m auth-ldap-2.0.3-patched/src/LFAuthLDAPConfig.m +*** auth-ldap-2.0.3/src/LFAuthLDAPConfig.m 2007-01-22 12:50:42.000000000 -0600 +--- auth-ldap-2.0.3-patched/src/LFAuthLDAPConfig.m 2010-06-29 10:58:40.916276380 -0500 +*************** +*** 79,84 **** +--- 79,85 ---- + + /* Group Section Variables */ + LF_GROUP_MEMBER_ATTRIBUTE, /* Group Membership Attribute */ ++ LF_GROUP_MEMBER_RFC2307BIS, /* Look for full DN for user in attribute */ + + /* Misc Shared */ + LF_UNKNOWN_OPCODE, /* Unknown Opcode */ +*************** +*** 146,151 **** +--- 147,153 ---- + static OpcodeTable GroupSectionVariables[] = { + /* name opcode multi required */ + { "MemberAttribute", LF_GROUP_MEMBER_ATTRIBUTE, NO, NO }, ++ { "RFC2307bis", LF_GROUP_MEMBER_RFC2307BIS, NO, NO }, + { NULL, 0 } + }; + +*************** +*** 696,707 **** +--- 698,719 ---- + + switch(opcodeEntry->opcode) { + TRLDAPGroupConfig *config; ++ BOOL memberRFC2307BIS; + + case LF_GROUP_MEMBER_ATTRIBUTE: + config = [self currentSectionContext]; + [config setMemberAttribute: [value string]]; + break; + ++ case LF_GROUP_MEMBER_RFC2307BIS: ++ config = [self currentSectionContext]; ++ if (![value boolValue: &memberRFC2307BIS]) { ++ [self errorBoolValue: value]; ++ return; ++ } ++ [config setMemberRFC2307BIS: memberRFC2307BIS]; ++ break; ++ + case LF_LDAP_BASEDN: + config = [self currentSectionContext]; + [config setBaseDN: [value string]]; +diff -crB auth-ldap-2.0.3/src/LFLDAPConnection.h auth-ldap-2.0.3-patched/src/LFLDAPConnection.h +*** auth-ldap-2.0.3/src/LFLDAPConnection.h 2007-01-22 12:50:42.000000000 -0600 +--- auth-ldap-2.0.3-patched/src/LFLDAPConnection.h 2010-06-29 10:58:40.920285882 -0500 +*************** +*** 56,61 **** +--- 56,62 ---- + baseDN: (LFString *) base + attributes: (TRArray *) attributes; + - (BOOL) compareDN: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value; ++ - (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value; + + - (BOOL) setReferralEnabled: (BOOL) enabled; + - (BOOL) setTLSCACertFile: (LFString *) fileName; +diff -crB auth-ldap-2.0.3/src/LFLDAPConnection.m auth-ldap-2.0.3-patched/src/LFLDAPConnection.m +*** auth-ldap-2.0.3/src/LFLDAPConnection.m 2007-03-22 15:09:51.000000000 -0500 +--- auth-ldap-2.0.3-patched/src/LFLDAPConnection.m 2010-06-29 10:58:40.920285882 -0500 +*************** +*** 405,410 **** +--- 405,454 ---- + return NO; + } + ++ - (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value { ++ struct timeval timeout; ++ LDAPMessage *res; ++ struct berval bval; ++ int err; ++ int msgid; ++ ++ /* Set up the ber structure for our value */ ++ bval.bv_val = (char *) [value cString]; ++ bval.bv_len = [value length] - 1; /* Length includes NULL terminator */ ++ ++ /* Set up the timeout */ ++ timeout.tv_sec = _timeout; ++ timeout.tv_usec = 0; ++ ++ /* Perform the compare */ ++ if ((err = ldap_compare_ext(ldapConn, [dn cString], [attribute cString], &bval, NULL, NULL, &msgid)) != LDAP_SUCCESS) { ++ [TRLog debug: "LDAP compare failed: %d: %s", err, ldap_err2string(err)]; ++ return NO; ++ } ++ ++ /* Wait for the result */ ++ if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) { ++ err = ldap_get_errno(ldapConn); ++ if (err == LDAP_TIMEOUT) ++ ldap_abandon_ext(ldapConn, msgid, NULL, NULL); ++ ++ [TRLog debug: "ldap_compare_ext failed: %s", ldap_err2string(err)]; ++ return NO; ++ } ++ ++ /* Check the result */ ++ if (ldap_parse_result(ldapConn, res, &err, NULL, NULL, NULL, NULL, 1) != LDAP_SUCCESS) { ++ /* Parsing failed */ ++ return NO; ++ } ++ if (err == LDAP_COMPARE_TRUE) ++ return YES; ++ else ++ return NO; ++ ++ return NO; ++ } ++ + + - (BOOL) _setLDAPOption: (int) opt value: (const char *) value connection: (LDAP *) ldapConn { + int err; +diff -crB auth-ldap-2.0.3/src/TRLDAPEntry.h auth-ldap-2.0.3-patched/src/TRLDAPEntry.h +*** auth-ldap-2.0.3/src/TRLDAPEntry.h 2006-07-25 18:55:47.000000000 -0500 +--- auth-ldap-2.0.3-patched/src/TRLDAPEntry.h 2010-06-29 10:58:40.920285882 -0500 +*************** +*** 40,50 **** +--- 40,53 ---- + + @interface TRLDAPEntry : TRObject { + LFString *_dn; ++ LFString *_rdn; + TRHash *_attributes; + } + + - (id) initWithDN: (LFString *) dn attributes: (TRHash *) attributes; + - (LFString *) dn; ++ - (LFString *) rdn; ++ - (void) setRDN: (LFString *) rdn; + - (TRHash *) attributes; + + @end +diff -crB auth-ldap-2.0.3/src/TRLDAPEntry.m auth-ldap-2.0.3-patched/src/TRLDAPEntry.m +*** auth-ldap-2.0.3/src/TRLDAPEntry.m 2006-07-25 18:55:47.000000000 -0500 +--- auth-ldap-2.0.3-patched/src/TRLDAPEntry.m 2010-06-29 10:58:40.920285882 -0500 +*************** +*** 42,47 **** +--- 42,48 ---- + return self; + + _dn = [dn retain]; ++ _rdn = nil; + _attributes = [attributes retain]; + + return self; +*************** +*** 49,54 **** +--- 50,56 ---- + + - (void) dealloc { + [_dn release]; ++ [_rdn release]; + [_attributes release]; + [super dealloc]; + } +*************** +*** 57,62 **** +--- 59,72 ---- + return _dn; + } + ++ - (LFString *) rdn { ++ return _rdn; ++ } ++ ++ - (void) setRDN: (LFString *) rdn { ++ _rdn=rdn; ++ } ++ + - (TRHash *) attributes { + return _attributes; + } +diff -crB auth-ldap-2.0.3/src/TRLDAPGroupConfig.h auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.h +*** auth-ldap-2.0.3/src/TRLDAPGroupConfig.h 2006-07-30 15:19:54.000000000 -0500 +--- auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.h 2010-06-29 10:58:40.920285882 -0500 +*************** +*** 42,47 **** +--- 42,48 ---- + LFString *_baseDN; + LFString *_searchFilter; + LFString *_memberAttribute; ++ BOOL _memberRFC2307BIS; + LFString *_pfTable; + } + +*************** +*** 54,59 **** +--- 55,63 ---- + - (LFString *) memberAttribute; + - (void) setMemberAttribute: (LFString *) memberAttribute; + ++ - (BOOL) memberRFC2307BIS; ++ - (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS; ++ + - (LFString *) pfTable; + - (void) setPFTable: (LFString *) tableName; + +diff -crB auth-ldap-2.0.3/src/TRLDAPGroupConfig.m auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.m +*** auth-ldap-2.0.3/src/TRLDAPGroupConfig.m 2006-07-30 15:19:54.000000000 -0500 +--- auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.m 2010-06-29 10:58:40.920285882 -0500 +*************** +*** 81,86 **** +--- 81,94 ---- + _memberAttribute = [memberAttribute retain]; + } + ++ - (BOOL) memberRFC2307BIS { ++ return (_memberRFC2307BIS); ++ } ++ ++ - (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS { ++ _memberRFC2307BIS = memberRFC2307BIS; ++ } ++ + - (void) setPFTable: (LFString *) tableName { + if (_pfTable) + [_pfTable release]; +diff -crB auth-ldap-2.0.3/src/auth-ldap.m auth-ldap-2.0.3-patched/src/auth-ldap.m +*** auth-ldap-2.0.3/src/auth-ldap.m 2007-01-22 12:50:42.000000000 -0600 +--- auth-ldap-2.0.3-patched/src/auth-ldap.m 2010-06-29 11:02:14.680387830 -0500 +*************** +*** 307,320 **** + goto error; + } + +- /* Bind if requested */ +- if ([config bindDN]) { +- if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) { +- [TRLog error: "Unable to bind as %s", [[config bindDN] cString]]; +- goto error; +- } +- } +- + /* Certificate file */ + if ((value = [config tlsCACertFile])) + if (![ldap setTLSCACertFile: value]) +--- 307,312 ---- +*************** +*** 340,345 **** +--- 332,345 ---- + if (![ldap startTLS]) + goto error; + ++ /* Bind if requested */ ++ if ([config bindDN]) { ++ if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) { ++ [TRLog error: "Unable to bind as %s", [[config bindDN] cString]]; ++ goto error; ++ } ++ } ++ + return ldap; + + error: +*************** +*** 409,414 **** +--- 409,415 ---- + TREnumerator *entryIter; + TRLDAPEntry *entry; + TRLDAPGroupConfig *result = nil; ++ int userNameLength; + + /* + * Groups are loaded into the array in the order that they are listed +*************** +*** 426,440 **** + /* Error occured, all stop */ + if (!ldapEntries) + break; +! +! /* Iterate over the returned entries */ +! entryIter = [ldapEntries objectEnumerator]; +! while ((entry = [entryIter nextObject]) != nil) { +! if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) { +! /* Group match! */ +! result = groupConfig; + } + } + [entryIter release]; + [ldapEntries release]; + if (result) +--- 427,453 ---- + /* Error occured, all stop */ + if (!ldapEntries) + break; +! if ([groupConfig memberRFC2307BIS]) { +! /* Iterate over the returned entries */ +! entryIter = [ldapEntries objectEnumerator]; +! +! while ((entry = [entryIter nextObject]) != nil) { +! if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) { +! /* Group match! */ +! result = groupConfig; +! } +! } +! } else { +! /* Iterate over the returned entries */ +! entryIter = [ldapEntries objectEnumerator]; +! while ((entry = [entryIter nextObject]) != nil) { +! if ([ldap compare: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser rdn]]) { +! /* Group match! */ +! result = groupConfig; +! } + } + } ++ + [entryIter release]; + [ldapEntries release]; + if (result) +*************** +*** 551,556 **** +--- 564,570 ---- + int ret = OPENVPN_PLUGIN_FUNC_ERROR; + + username = get_env("username", envp); ++ LFString *userName=[[LFString alloc]initWithCString: username]; + password = get_env("password", envp); + remoteAddress = get_env("ifconfig_pool_remote_ip", envp); + +*************** +*** 568,573 **** +--- 582,588 ---- + + /* Find the user record */ + ldapUser = find_ldap_user(ldap, ctx->config, username); ++ [ldapUser setRDN: userName]; + if (!ldapUser) { + /* No such user. */ + [TRLog warning: "LDAP user \"%s\" was not found.", username]; |