src/modules/extra/m_ldapoper.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009 Robin Burchell <robin+git@viroteck.net>
   5  *   Copyright (C) 2008 Pippijn van Steenhoven <pip88nl@gmail.com>
   6  *   Copyright (C) 2008 Craig Edwards <craigedwards@brainbox.cc>
   7  *   Copyright (C) 2007 Carsten Valdemar Munk <carsten.munk+inspircd@gmail.com>
   8  *
   9  * This file is part of InspIRCd.  InspIRCd is free software: you can
  10  * redistribute it and/or modify it under the terms of the GNU General Public
  11  * License as published by the Free Software Foundation, version 2.
  12  *
  13  * This program is distributed in the hope that it will be useful, but WITHOUT
  14  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  15  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  16  * details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20  */
  21
  22
  23 #include "inspircd.h"
  24 #include "users.h"
  25 #include "channels.h"
  26 #include "modules.h"
  27
  28 #include <ldap.h>
  29
  30 #ifdef _WIN32
  31 # pragma comment(lib, "ldap.lib")
  32 # pragma comment(lib, "lber.lib")
  33 #endif
  34
  35 /* $LinkerFlags: -lldap */
  36
  37 struct RAIILDAPString
  38 {
  39         char *str;
  40
  41         RAIILDAPString(char *Str)
  42                 : str(Str)
  43         {
  44         }
  45
  46         ~RAIILDAPString()
  47         {
  48                 ldap_memfree(str);
  49         }
  50
  51         operator char*()
  52         {
  53                 return str;
  54         }
  55
  56         operator std::string()
  57         {
  58                 return str;
  59         }
  60 };
  61
  62 class ModuleLDAPAuth : public Module
  63 {
  64         std::string base;
  65         std::string ldapserver;
  66         std::string username;
  67         std::string password;
  68         std::string attribute;
  69         int searchscope;
  70         LDAP *conn;
  71
  72         bool HandleOper(LocalUser* user, const std::string& opername, const std::string& inputpass)
  73         {
  74                 OperIndex::iterator it = ServerInstance->Config->oper_blocks.find(opername);
  75                 if (it == ServerInstance->Config->oper_blocks.end())
  76                         return false;
  77
  78                 ConfigTag* tag = it->second->oper_block;
  79                 if (!tag)
  80                         return false;
  81
  82                 std::string acceptedhosts = tag->getString("host");
  83                 std::string hostname = user->ident + "@" + user->host;
  84                 if (!InspIRCd::MatchMask(acceptedhosts, hostname, user->GetIPString()))
  85                         return false;
  86
  87                 if (!LookupOper(opername, inputpass))
  88                         return false;
  89
  90                 user->Oper(it->second);
  91                 return true;
  92         }
  93
  94 public:
  95         ModuleLDAPAuth()
  96                 : conn(NULL)
  97         {
  98         }
  99
 100         ~ModuleLDAPAuth()
 101         {
 102                 if (conn)
 103                         ldap_unbind_ext(conn, NULL, NULL);
 104         }
 105
 106         void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
 107         {
 108                 ConfigTag* tag = ServerInstance->Config->ConfValue("ldapoper");
 109
 110                 base                    = tag->getString("baserdn");
 111                 ldapserver              = tag->getString("server");
 112                 std::string scope       = tag->getString("searchscope");
 113                 username                = tag->getString("binddn");
 114                 password                = tag->getString("bindauth");
 115                 attribute               = tag->getString("attribute");
 116
 117                 if (scope == "base")
 118                         searchscope = LDAP_SCOPE_BASE;
 119                 else if (scope == "onelevel")
 120                         searchscope = LDAP_SCOPE_ONELEVEL;
 121                 else searchscope = LDAP_SCOPE_SUBTREE;
 122
 123                 Connect();
 124         }
 125
 126         bool Connect()
 127         {
 128                 if (conn != NULL)
 129                         ldap_unbind_ext(conn, NULL, NULL);
 130                 int res, v = LDAP_VERSION3;
 131                 res = ldap_initialize(&conn, ldapserver.c_str());
 132                 if (res != LDAP_SUCCESS)
 133                 {
 134                         conn = NULL;
 135                         return false;
 136                 }
 137
 138                 res = ldap_set_option(conn, LDAP_OPT_PROTOCOL_VERSION, (void *)&v);
 139                 if (res != LDAP_SUCCESS)
 140                 {
 141                         ldap_unbind_ext(conn, NULL, NULL);
 142                         conn = NULL;
 143                         return false;
 144                 }
 145                 return true;
 146         }
 147
 148         ModResult OnPreCommand(std::string& command, std::vector<std::string>& parameters, LocalUser* user, bool validated, const std::string& original_line) CXX11_OVERRIDE
 149         {
 150                 if (validated && command == "OPER" && parameters.size() >= 2)
 151                 {
 152                         if (HandleOper(user, parameters[0], parameters[1]))
 153                                 return MOD_RES_DENY;
 154                 }
 155                 return MOD_RES_PASSTHRU;
 156         }
 157
 158         bool LookupOper(const std::string& opername, const std::string& opassword)
 159         {
 160                 if (conn == NULL)
 161                         if (!Connect())
 162                                 return false;
 163
 164                 int res;
 165                 char* authpass = strdup(password.c_str());
 166                 // bind anonymously if no bind DN and authentication are given in the config
 167                 struct berval cred;
 168                 cred.bv_val = authpass;
 169                 cred.bv_len = password.length();
 170
 171                 if ((res = ldap_sasl_bind_s(conn, username.c_str(), LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) != LDAP_SUCCESS)
 172                 {
 173                         if (res == LDAP_SERVER_DOWN)
 174                         {
 175                                 // Attempt to reconnect if the connection dropped
 176                                 ServerInstance->SNO->WriteToSnoMask('a', "LDAP server has gone away - reconnecting...");
 177                                 Connect();
 178                                 res = ldap_sasl_bind_s(conn, username.c_str(), LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 179                         }
 180
 181                         if (res != LDAP_SUCCESS)
 182                         {
 183                                 free(authpass);
 184                                 ldap_unbind_ext(conn, NULL, NULL);
 185                                 conn = NULL;
 186                                 return false;
 187                         }
 188                 }
 189                 free(authpass);
 190
 191                 LDAPMessage *msg, *entry;
 192                 std::string what = attribute + "=" + opername;
 193                 if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS)
 194                 {
 195                         return false;
 196                 }
 197                 if (ldap_count_entries(conn, msg) > 1)
 198                 {
 199                         ldap_msgfree(msg);
 200                         return false;
 201                 }
 202                 if ((entry = ldap_first_entry(conn, msg)) == NULL)
 203                 {
 204                         ldap_msgfree(msg);
 205                         return false;
 206                 }
 207                 authpass = strdup(opassword.c_str());
 208                 cred.bv_val = authpass;
 209                 cred.bv_len = opassword.length();
 210                 RAIILDAPString DN(ldap_get_dn(conn, entry));
 211                 if ((res = ldap_sasl_bind_s(conn, DN, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) == LDAP_SUCCESS)
 212                 {
 213                         free(authpass);
 214                         ldap_msgfree(msg);
 215                         return true;
 216                 }
 217                 else
 218                 {
 219                         free(authpass);
 220                         ldap_msgfree(msg);
 221                         return false;
 222                 }
 223         }
 224
 225         Version GetVersion() CXX11_OVERRIDE
 226         {
 227                 return Version("Adds the ability to authenticate opers via LDAP", VF_VENDOR);
 228         }
 229
 230 };
 231
 232 MODULE_INIT(ModuleLDAPAuth)