diff -crB auth-ldap-2.0.3/auth-ldap.conf auth-ldap-2.0.3-patched/auth-ldap.conf *** auth-ldap-2.0.3/auth-ldap.conf 2007-01-22 12:50:42.000000000 -0600 --- auth-ldap-2.0.3-patched/auth-ldap.conf 2010-06-29 10:58:40.916276380 -0500 *************** *** 47,52 **** --- 47,55 ---- #PFTable ips_vpn_users + # Match full user DN if true, uid only if false + RFC2307bis true + BaseDN "ou=Groups,dc=example,dc=com" SearchFilter "(|(cn=developers)(cn=artists))" MemberAttribute uniqueMember diff -crB auth-ldap-2.0.3/src/LFAuthLDAPConfig.m auth-ldap-2.0.3-patched/src/LFAuthLDAPConfig.m *** auth-ldap-2.0.3/src/LFAuthLDAPConfig.m 2007-01-22 12:50:42.000000000 -0600 --- auth-ldap-2.0.3-patched/src/LFAuthLDAPConfig.m 2010-06-29 10:58:40.916276380 -0500 *************** *** 79,84 **** --- 79,85 ---- /* Group Section Variables */ LF_GROUP_MEMBER_ATTRIBUTE, /* Group Membership Attribute */ + LF_GROUP_MEMBER_RFC2307BIS, /* Look for full DN for user in attribute */ /* Misc Shared */ LF_UNKNOWN_OPCODE, /* Unknown Opcode */ *************** *** 146,151 **** --- 147,153 ---- static OpcodeTable GroupSectionVariables[] = { /* name opcode multi required */ { "MemberAttribute", LF_GROUP_MEMBER_ATTRIBUTE, NO, NO }, + { "RFC2307bis", LF_GROUP_MEMBER_RFC2307BIS, NO, NO }, { NULL, 0 } }; *************** *** 696,707 **** --- 698,719 ---- switch(opcodeEntry->opcode) { TRLDAPGroupConfig *config; + BOOL memberRFC2307BIS; case LF_GROUP_MEMBER_ATTRIBUTE: config = [self currentSectionContext]; [config setMemberAttribute: [value string]]; break; + case LF_GROUP_MEMBER_RFC2307BIS: + config = [self currentSectionContext]; + if (![value boolValue: &memberRFC2307BIS]) { + [self errorBoolValue: value]; + return; + } + [config setMemberRFC2307BIS: memberRFC2307BIS]; + break; + case LF_LDAP_BASEDN: config = [self currentSectionContext]; [config setBaseDN: [value string]]; diff -crB auth-ldap-2.0.3/src/LFLDAPConnection.h auth-ldap-2.0.3-patched/src/LFLDAPConnection.h *** auth-ldap-2.0.3/src/LFLDAPConnection.h 2007-01-22 12:50:42.000000000 -0600 --- auth-ldap-2.0.3-patched/src/LFLDAPConnection.h 2010-06-29 10:58:40.920285882 -0500 *************** *** 56,61 **** --- 56,62 ---- baseDN: (LFString *) base attributes: (TRArray *) attributes; - (BOOL) compareDN: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value; + - (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value; - (BOOL) setReferralEnabled: (BOOL) enabled; - (BOOL) setTLSCACertFile: (LFString *) fileName; diff -crB auth-ldap-2.0.3/src/LFLDAPConnection.m auth-ldap-2.0.3-patched/src/LFLDAPConnection.m *** auth-ldap-2.0.3/src/LFLDAPConnection.m 2007-03-22 15:09:51.000000000 -0500 --- auth-ldap-2.0.3-patched/src/LFLDAPConnection.m 2010-06-29 10:58:40.920285882 -0500 *************** *** 405,410 **** --- 405,454 ---- return NO; } + - (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value { + struct timeval timeout; + LDAPMessage *res; + struct berval bval; + int err; + int msgid; + + /* Set up the ber structure for our value */ + bval.bv_val = (char *) [value cString]; + bval.bv_len = [value length] - 1; /* Length includes NULL terminator */ + + /* Set up the timeout */ + timeout.tv_sec = _timeout; + timeout.tv_usec = 0; + + /* Perform the compare */ + if ((err = ldap_compare_ext(ldapConn, [dn cString], [attribute cString], &bval, NULL, NULL, &msgid)) != LDAP_SUCCESS) { + [TRLog debug: "LDAP compare failed: %d: %s", err, ldap_err2string(err)]; + return NO; + } + + /* Wait for the result */ + if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) { + err = ldap_get_errno(ldapConn); + if (err == LDAP_TIMEOUT) + ldap_abandon_ext(ldapConn, msgid, NULL, NULL); + + [TRLog debug: "ldap_compare_ext failed: %s", ldap_err2string(err)]; + return NO; + } + + /* Check the result */ + if (ldap_parse_result(ldapConn, res, &err, NULL, NULL, NULL, NULL, 1) != LDAP_SUCCESS) { + /* Parsing failed */ + return NO; + } + if (err == LDAP_COMPARE_TRUE) + return YES; + else + return NO; + + return NO; + } + - (BOOL) _setLDAPOption: (int) opt value: (const char *) value connection: (LDAP *) ldapConn { int err; diff -crB auth-ldap-2.0.3/src/TRLDAPEntry.h auth-ldap-2.0.3-patched/src/TRLDAPEntry.h *** auth-ldap-2.0.3/src/TRLDAPEntry.h 2006-07-25 18:55:47.000000000 -0500 --- auth-ldap-2.0.3-patched/src/TRLDAPEntry.h 2010-06-29 10:58:40.920285882 -0500 *************** *** 40,50 **** --- 40,53 ---- @interface TRLDAPEntry : TRObject { LFString *_dn; + LFString *_rdn; TRHash *_attributes; } - (id) initWithDN: (LFString *) dn attributes: (TRHash *) attributes; - (LFString *) dn; + - (LFString *) rdn; + - (void) setRDN: (LFString *) rdn; - (TRHash *) attributes; @end diff -crB auth-ldap-2.0.3/src/TRLDAPEntry.m auth-ldap-2.0.3-patched/src/TRLDAPEntry.m *** auth-ldap-2.0.3/src/TRLDAPEntry.m 2006-07-25 18:55:47.000000000 -0500 --- auth-ldap-2.0.3-patched/src/TRLDAPEntry.m 2010-06-29 10:58:40.920285882 -0500 *************** *** 42,47 **** --- 42,48 ---- return self; _dn = [dn retain]; + _rdn = nil; _attributes = [attributes retain]; return self; *************** *** 49,54 **** --- 50,56 ---- - (void) dealloc { [_dn release]; + [_rdn release]; [_attributes release]; [super dealloc]; } *************** *** 57,62 **** --- 59,72 ---- return _dn; } + - (LFString *) rdn { + return _rdn; + } + + - (void) setRDN: (LFString *) rdn { + _rdn=rdn; + } + - (TRHash *) attributes { return _attributes; } diff -crB auth-ldap-2.0.3/src/TRLDAPGroupConfig.h auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.h *** auth-ldap-2.0.3/src/TRLDAPGroupConfig.h 2006-07-30 15:19:54.000000000 -0500 --- auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.h 2010-06-29 10:58:40.920285882 -0500 *************** *** 42,47 **** --- 42,48 ---- LFString *_baseDN; LFString *_searchFilter; LFString *_memberAttribute; + BOOL _memberRFC2307BIS; LFString *_pfTable; } *************** *** 54,59 **** --- 55,63 ---- - (LFString *) memberAttribute; - (void) setMemberAttribute: (LFString *) memberAttribute; + - (BOOL) memberRFC2307BIS; + - (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS; + - (LFString *) pfTable; - (void) setPFTable: (LFString *) tableName; diff -crB auth-ldap-2.0.3/src/TRLDAPGroupConfig.m auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.m *** auth-ldap-2.0.3/src/TRLDAPGroupConfig.m 2006-07-30 15:19:54.000000000 -0500 --- auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.m 2010-06-29 10:58:40.920285882 -0500 *************** *** 81,86 **** --- 81,94 ---- _memberAttribute = [memberAttribute retain]; } + - (BOOL) memberRFC2307BIS { + return (_memberRFC2307BIS); + } + + - (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS { + _memberRFC2307BIS = memberRFC2307BIS; + } + - (void) setPFTable: (LFString *) tableName { if (_pfTable) [_pfTable release]; diff -crB auth-ldap-2.0.3/src/auth-ldap.m auth-ldap-2.0.3-patched/src/auth-ldap.m *** auth-ldap-2.0.3/src/auth-ldap.m 2007-01-22 12:50:42.000000000 -0600 --- auth-ldap-2.0.3-patched/src/auth-ldap.m 2010-06-29 11:02:14.680387830 -0500 *************** *** 307,320 **** goto error; } - /* Bind if requested */ - if ([config bindDN]) { - if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) { - [TRLog error: "Unable to bind as %s", [[config bindDN] cString]]; - goto error; - } - } - /* Certificate file */ if ((value = [config tlsCACertFile])) if (![ldap setTLSCACertFile: value]) --- 307,312 ---- *************** *** 340,345 **** --- 332,345 ---- if (![ldap startTLS]) goto error; + /* Bind if requested */ + if ([config bindDN]) { + if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) { + [TRLog error: "Unable to bind as %s", [[config bindDN] cString]]; + goto error; + } + } + return ldap; error: *************** *** 409,414 **** --- 409,415 ---- TREnumerator *entryIter; TRLDAPEntry *entry; TRLDAPGroupConfig *result = nil; + int userNameLength; /* * Groups are loaded into the array in the order that they are listed *************** *** 426,440 **** /* Error occured, all stop */ if (!ldapEntries) break; ! ! /* Iterate over the returned entries */ ! entryIter = [ldapEntries objectEnumerator]; ! while ((entry = [entryIter nextObject]) != nil) { ! if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) { ! /* Group match! */ ! result = groupConfig; } } [entryIter release]; [ldapEntries release]; if (result) --- 427,453 ---- /* Error occured, all stop */ if (!ldapEntries) break; ! if ([groupConfig memberRFC2307BIS]) { ! /* Iterate over the returned entries */ ! entryIter = [ldapEntries objectEnumerator]; ! ! while ((entry = [entryIter nextObject]) != nil) { ! if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) { ! /* Group match! */ ! result = groupConfig; ! } ! } ! } else { ! /* Iterate over the returned entries */ ! entryIter = [ldapEntries objectEnumerator]; ! while ((entry = [entryIter nextObject]) != nil) { ! if ([ldap compare: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser rdn]]) { ! /* Group match! */ ! result = groupConfig; ! } } } + [entryIter release]; [ldapEntries release]; if (result) *************** *** 551,556 **** --- 564,570 ---- int ret = OPENVPN_PLUGIN_FUNC_ERROR; username = get_env("username", envp); + LFString *userName=[[LFString alloc]initWithCString: username]; password = get_env("password", envp); remoteAddress = get_env("ifconfig_pool_remote_ip", envp); *************** *** 568,573 **** --- 582,588 ---- /* Find the user record */ ldapUser = find_ldap_user(ldap, ctx->config, username); + [ldapUser setRDN: userName]; if (!ldapUser) { /* No such user. */ [TRLog warning: "LDAP user \"%s\" was not found.", username];