src/modules/extra/m_ldapoper.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009 Robin Burchell <robin+git@viroteck.net>
   5  *   Copyright (C) 2008 Pippijn van Steenhoven <pip88nl@gmail.com>
   6  *   Copyright (C) 2008 Craig Edwards <craigedwards@brainbox.cc>
   7  *   Copyright (C) 2007 Carsten Valdemar Munk <carsten.munk+inspircd@gmail.com>
   8  *
   9  * This file is part of InspIRCd.  InspIRCd is free software: you can
  10  * redistribute it and/or modify it under the terms of the GNU General Public
  11  * License as published by the Free Software Foundation, version 2.
  12  *
  13  * This program is distributed in the hope that it will be useful, but WITHOUT
  14  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  15  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  16  * details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20  */
  21
  22
  23 #include "inspircd.h"
  24 #include "users.h"
  25 #include "channels.h"
  26 #include "modules.h"
  27
  28 #include <ldap.h>
  29
  30 #ifdef _WIN32
  31 # pragma comment(lib, "ldap.lib")
  32 # pragma comment(lib, "lber.lib")
  33 #endif
  34
  35 /* $LinkerFlags: -lldap */
  36
  37 struct RAIILDAPString
  38 {
  39         char *str;
  40
  41         RAIILDAPString(char *Str)
  42                 : str(Str)
  43         {
  44         }
  45
  46         ~RAIILDAPString()
  47         {
  48                 ldap_memfree(str);
  49         }
  50
  51         operator char*()
  52         {
  53                 return str;
  54         }
  55
  56         operator std::string()
  57         {
  58                 return str;
  59         }
  60 };
  61
  62 class ModuleLDAPAuth : public Module
  63 {
  64         std::string base;
  65         std::string ldapserver;
  66         std::string username;
  67         std::string password;
  68         std::string attribute;
  69         int searchscope;
  70         LDAP *conn;
  71
  72         bool HandleOper(LocalUser* user, const std::string& opername, const std::string& inputpass)
  73         {
  74                 OperIndex::iterator it = ServerInstance->Config->oper_blocks.find(opername);
  75                 if (it == ServerInstance->Config->oper_blocks.end())
  76                         return false;
  77
  78                 ConfigTag* tag = it->second->oper_block;
  79                 if (!tag)
  80                         return false;
  81
  82                 std::string acceptedhosts = tag->getString("host");
  83                 std::string hostname = user->ident + "@" + user->host;
  84                 if (!InspIRCd::MatchMask(acceptedhosts, hostname, user->GetIPString()))
  85                         return false;
  86
  87                 if (!LookupOper(opername, inputpass))
  88                         return false;
  89
  90                 user->Oper(it->second);
  91                 return true;
  92         }
  93
  94 public:
  95         ModuleLDAPAuth()
  96                 : conn(NULL)
  97         {
  98         }
  99
 100         void init() CXX11_OVERRIDE
 101         {
 102                 OnRehash(NULL);
 103         }
 104
 105         ~ModuleLDAPAuth()
 106         {
 107                 if (conn)
 108                         ldap_unbind_ext(conn, NULL, NULL);
 109         }
 110
 111         void OnRehash(User* user) CXX11_OVERRIDE
 112         {
 113                 ConfigTag* tag = ServerInstance->Config->ConfValue("ldapoper");
 114
 115                 base                    = tag->getString("baserdn");
 116                 ldapserver              = tag->getString("server");
 117                 std::string scope       = tag->getString("searchscope");
 118                 username                = tag->getString("binddn");
 119                 password                = tag->getString("bindauth");
 120                 attribute               = tag->getString("attribute");
 121
 122                 if (scope == "base")
 123                         searchscope = LDAP_SCOPE_BASE;
 124                 else if (scope == "onelevel")
 125                         searchscope = LDAP_SCOPE_ONELEVEL;
 126                 else searchscope = LDAP_SCOPE_SUBTREE;
 127
 128                 Connect();
 129         }
 130
 131         bool Connect()
 132         {
 133                 if (conn != NULL)
 134                         ldap_unbind_ext(conn, NULL, NULL);
 135                 int res, v = LDAP_VERSION3;
 136                 res = ldap_initialize(&conn, ldapserver.c_str());
 137                 if (res != LDAP_SUCCESS)
 138                 {
 139                         conn = NULL;
 140                         return false;
 141                 }
 142
 143                 res = ldap_set_option(conn, LDAP_OPT_PROTOCOL_VERSION, (void *)&v);
 144                 if (res != LDAP_SUCCESS)
 145                 {
 146                         ldap_unbind_ext(conn, NULL, NULL);
 147                         conn = NULL;
 148                         return false;
 149                 }
 150                 return true;
 151         }
 152
 153         ModResult OnPreCommand(std::string& command, std::vector<std::string>& parameters, LocalUser* user, bool validated, const std::string& original_line) CXX11_OVERRIDE
 154         {
 155                 if (validated && command == "OPER" && parameters.size() >= 2)
 156                 {
 157                         if (HandleOper(user, parameters[0], parameters[1]))
 158                                 return MOD_RES_DENY;
 159                 }
 160                 return MOD_RES_PASSTHRU;
 161         }
 162
 163         bool LookupOper(const std::string& opername, const std::string& opassword)
 164         {
 165                 if (conn == NULL)
 166                         if (!Connect())
 167                                 return false;
 168
 169                 int res;
 170                 char* authpass = strdup(password.c_str());
 171                 // bind anonymously if no bind DN and authentication are given in the config
 172                 struct berval cred;
 173                 cred.bv_val = authpass;
 174                 cred.bv_len = password.length();
 175
 176                 if ((res = ldap_sasl_bind_s(conn, username.c_str(), LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) != LDAP_SUCCESS)
 177                 {
 178                         if (res == LDAP_SERVER_DOWN)
 179                         {
 180                                 // Attempt to reconnect if the connection dropped
 181                                 ServerInstance->SNO->WriteToSnoMask('a', "LDAP server has gone away - reconnecting...");
 182                                 Connect();
 183                                 res = ldap_sasl_bind_s(conn, username.c_str(), LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 184                         }
 185
 186                         if (res != LDAP_SUCCESS)
 187                         {
 188                                 free(authpass);
 189                                 ldap_unbind_ext(conn, NULL, NULL);
 190                                 conn = NULL;
 191                                 return false;
 192                         }
 193                 }
 194                 free(authpass);
 195
 196                 LDAPMessage *msg, *entry;
 197                 std::string what = attribute + "=" + opername;
 198                 if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS)
 199                 {
 200                         return false;
 201                 }
 202                 if (ldap_count_entries(conn, msg) > 1)
 203                 {
 204                         ldap_msgfree(msg);
 205                         return false;
 206                 }
 207                 if ((entry = ldap_first_entry(conn, msg)) == NULL)
 208                 {
 209                         ldap_msgfree(msg);
 210                         return false;
 211                 }
 212                 authpass = strdup(opassword.c_str());
 213                 cred.bv_val = authpass;
 214                 cred.bv_len = opassword.length();
 215                 RAIILDAPString DN(ldap_get_dn(conn, entry));
 216                 if ((res = ldap_sasl_bind_s(conn, DN, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) == LDAP_SUCCESS)
 217                 {
 218                         free(authpass);
 219                         ldap_msgfree(msg);
 220                         return true;
 221                 }
 222                 else
 223                 {
 224                         free(authpass);
 225                         ldap_msgfree(msg);
 226                         return false;
 227                 }
 228         }
 229
 230         Version GetVersion() CXX11_OVERRIDE
 231         {
 232                 return Version("Adds the ability to authenticate opers via LDAP", VF_VENDOR);
 233         }
 234
 235 };
 236
 237 MODULE_INIT(ModuleLDAPAuth)