src/modules/extra/m_ldapauth.cpp

   1 /*       +------------------------------------+
   2  *       | Inspire Internet Relay Chat Daemon |
   3  *       +------------------------------------+
   4  *
   5  *  InspIRCd: (C) 2002-2008 InspIRCd Development Team
   6  * See: http://www.inspircd.org/wiki/index.php/Credits
   7  *
   8  * This program is free but copyrighted software; see
   9  *            the file COPYING for details.
  10  *
  11  * ---------------------------------------------------
  12  *
  13  * Taken from the UnrealIRCd 4.0 SVN version, based on
  14  * InspIRCd 1.1.x.
  15  *
  16  * UnrealIRCd 4.0 (C) 2007 Carsten Valdemar Munk
  17  * This program is free but copyrighted software; see
  18  *          the file COPYING for details.
  19  *
  20  * ---------------------------------------------------
  21  * Heavily based on SQLauth
  22  */
  23
  24 #include "inspircd.h"
  25 #include "users.h"
  26 #include "channels.h"
  27 #include "modules.h"
  28
  29 /* FIXME */
  30 #define LDAP_DEPRECATED 1
  31 #include <ldap.h>
  32
  33 /* $ModDesc: Allow/Deny connections based upon answer from LDAP server */
  34 /* $LinkerFlags: -lldap */
  35
  36 class ModuleLDAPAuth : public Module
  37 {
  38         std::string base;
  39         std::string attribute;
  40         std::string ldapserver;
  41         std::string allowpattern;
  42         std::string killreason;
  43         int searchscope;
  44         bool verbose;
  45         LDAP *conn;
  46
  47 public:
  48         ModuleLDAPAuth(InspIRCd* Me)
  49         : Module::Module(Me)
  50         {
  51                 conn = NULL;
  52                 Implementation eventlist[] = { I_OnUserDisconnect, I_OnCheckReady, I_OnRehash, I_OnUserRegister };
  53                 ServerInstance->Modules->Attach(eventlist, this, 4);
  54                 OnRehash(NULL,"");
  55         }
  56
  57         virtual ~ModuleLDAPAuth()
  58         {
  59                 if (conn)
  60                         ldap_unbind_s(conn);
  61         }
  62
  63         virtual void OnRehash(User* user, const std::string &parameter)
  64         {
  65                 ConfigReader Conf(ServerInstance);
  66
  67                 base            = Conf.ReadValue("ldapauth", "baserdn", 0);
  68                 attribute       = Conf.ReadValue("ldapauth", "attribute", 0);
  69                 ldapserver      = Conf.ReadValue("ldapauth", "server", 0);
  70                 allowpattern    = Conf.ReadValue("ldapauth", "allowpattern", 0);
  71                 killreason      = Conf.ReadValue("ldapauth", "killreason", 0);
  72                 std::string scope       = Conf.ReadValue("ldapauth", "searchscope", 0);
  73                 verbose         = Conf.ReadFlag("ldapauth", "verbose", 0);              /* Set to true if failed connects should be reported to operators */
  74
  75                 if (scope == "base")
  76                         searchscope = LDAP_SCOPE_BASE;
  77                 else if (scope == "onelevel")
  78                         searchscope = LDAP_SCOPE_ONELEVEL;
  79                 else searchscope = LDAP_SCOPE_SUBTREE;
  80
  81                 Connect();
  82         }
  83
  84         bool Connect()
  85         {
  86                 if (conn != NULL)
  87                         ldap_unbind_s(conn);
  88                 int res, v = LDAP_VERSION3;
  89                 res = ldap_initialize(&conn, ldapserver.c_str());
  90                 if (res != LDAP_SUCCESS)
  91                 {
  92                         if (verbose)
  93                                 ServerInstance->SNO->WriteToSnoMask('A', "LDAP connection failed: %s", ldap_err2string(res));
  94                         conn = NULL;
  95                         return false;
  96                 }
  97
  98                 res = ldap_set_option(conn, LDAP_OPT_PROTOCOL_VERSION, (void *)&v);
  99                 if (res != LDAP_SUCCESS)
 100                 {
 101                         if (verbose)
 102                                 ServerInstance->SNO->WriteToSnoMask('A', "LDAP set protocol to v3 failed: %s", ldap_err2string(res));
 103                         ldap_unbind_s(conn);
 104                         conn = NULL;
 105                         return false;
 106                 }
 107                 return true;
 108         }
 109
 110         virtual int OnUserRegister(User* user)
 111         {
 112                 if ((!allowpattern.empty()) && (ServerInstance->MatchText(user->nick,allowpattern)))
 113                 {
 114                         user->Extend("ldapauthed");
 115                         return 0;
 116                 }
 117
 118                 if (!CheckCredentials(user))
 119                 {
 120                         User::QuitUser(ServerInstance,user,killreason);
 121                         return 1;
 122                 }
 123                 return 0;
 124         }
 125
 126         bool CheckCredentials(User* user)
 127         {
 128                 if (conn == NULL)
 129                         if (!Connect())
 130                                 return false;
 131
 132                 int res;
 133                 // bind anonymously
 134                 if ((res = ldap_simple_bind_s(conn, "", "")) != LDAP_SUCCESS)
 135                 {
 136                         if (verbose)
 137                                 ServerInstance->SNO->WriteToSnoMask('A', "Forbidden connection from %s!%s@%s (LDAP bind anonymously failed: %s)", user->nick, user->ident, user->host, ldap_err2string(res));
 138                         ldap_unbind_s(conn);
 139                         conn = NULL;
 140                         return false;
 141                 }
 142                 LDAPMessage *msg, *entry;
 143                 std::string what = (attribute + "=" + user->nick);
 144                 if ((res = ldap_search_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, &msg)) != LDAP_SUCCESS)
 145                 {
 146                         if (verbose)
 147                                 ServerInstance->SNO->WriteToSnoMask('A', "Forbidden connection from %s!%s@%s (LDAP search failed: %s)", user->nick, user->ident, user->host, ldap_err2string(res));
 148                         return false;
 149                 }
 150                 if (ldap_count_entries(conn, msg) > 1)
 151                 {
 152                         if (verbose)
 153                                 ServerInstance->SNO->WriteToSnoMask('A', "Forbidden connection from %s!%s@%s (LDAP search returned more than one result: %s)", user->nick, user->ident, user->host, ldap_err2string(res));
 154                         ldap_msgfree(msg);
 155                         return false;
 156                 }
 157                 if ((entry = ldap_first_entry(conn, msg)) == NULL)
 158                 {
 159                         if (verbose)
 160                                 ServerInstance->SNO->WriteToSnoMask('A', "Forbidden connection from %s!%s@%s (LDAP search returned no results: %s)", user->nick, user->ident, user->host, ldap_err2string(res));
 161                         ldap_msgfree(msg);
 162                         return false;
 163                 }
 164                 if ((res = ldap_simple_bind_s(conn, ldap_get_dn(conn, entry), user->password)) == LDAP_SUCCESS)
 165                 {
 166                         ldap_msgfree(msg);
 167                         user->Extend("ldapauthed");
 168                         return true;
 169                 }
 170                 else
 171                 {
 172                         if (verbose)
 173                                 ServerInstance->SNO->WriteToSnoMask('A', "Forbidden connection from %s!%s@%s (%s)", user->nick, user->ident, user->host, ldap_err2string(res));
 174                         ldap_msgfree(msg);
 175                         user->Extend("ldapauth_failed");
 176                         return false;
 177                 }
 178         }
 179
 180
 181         virtual void OnUserDisconnect(User* user)
 182         {
 183                 user->Shrink("ldapauthed");
 184                 user->Shrink("ldapauth_failed");
 185         }
 186
 187         virtual bool OnCheckReady(User* user)
 188         {
 189                 return user->GetExt("ldapauthed");
 190         }
 191
 192         virtual Version GetVersion()
 193         {
 194                 return Version(1,2,0,0,VF_VENDOR,API_VERSION);
 195         }
 196
 197 };
 198
 199 MODULE_INIT(ModuleLDAPAuth)
 200