X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ldapauth.cpp;h=6c765fb2ece23f9b0b586d4b964349024f965906;hb=fba9bbe4cd29744fe30753f63a37102f664e36bc;hp=f908e7f764ff78fba456f17e802a836547d59894;hpb=83a89fc3f61a90275f86981fc32b1daa8e85d1b0;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp
index f908e7f76..6c765fb2e 100644
--- a/src/modules/extra/m_ldapauth.cpp
+++ b/src/modules/extra/m_ldapauth.cpp
@@ -31,16 +31,71 @@
 #include <ldap.h>
 
 #ifdef _WIN32
-# pragma comment(lib, "ldap.lib")
-# pragma comment(lib, "lber.lib")
+# pragma comment(lib, "libldap.lib")
+# pragma comment(lib, "liblber.lib")
 #endif
 
 /* $ModDesc: Allow/Deny connections based upon answer from LDAP server */
 /* $LinkerFlags: -lldap */
 
+struct RAIILDAPString
+{
+	char *str;
+
+	RAIILDAPString(char *Str)
+		: str(Str)
+	{
+	}
+
+	~RAIILDAPString()
+	{
+		ldap_memfree(str);
+	}
+
+	operator char*()
+	{
+		return str;
+	}
+
+	operator std::string()
+	{
+		return str;
+	}
+};
+
+struct RAIILDAPMessage
+{
+	RAIILDAPMessage()
+	{
+	}
+
+	~RAIILDAPMessage()
+	{
+		dealloc();
+	}
+
+	void dealloc()
+	{
+		ldap_msgfree(msg);
+	}
+
+	operator LDAPMessage*()
+	{
+		return msg;
+	}
+
+	LDAPMessage **operator &()
+	{
+		return &msg;
+	}
+
+	LDAPMessage *msg;
+};
+
 class ModuleLDAPAuth : public Module
 {
 	LocalIntExt ldapAuthed;
+	LocalStringExt ldapVhost;
 	std::string base;
 	std::string attribute;
 	std::string ldapserver;
@@ -48,6 +103,7 @@ class ModuleLDAPAuth : public Module
 	std::string killreason;
 	std::string username;
 	std::string password;
+	std::string vhost;
 	std::vector<std::string> whitelistedcidrs;
 	std::vector<std::pair<std::string, std::string> > requiredattributes;
 	int searchscope;
@@ -56,15 +112,19 @@ class ModuleLDAPAuth : public Module
 	LDAP *conn;
 
 public:
-	ModuleLDAPAuth() : ldapAuthed("ldapauth", this)
+	ModuleLDAPAuth()
+		: ldapAuthed("ldapauth", this)
+		, ldapVhost("ldapauth_vhost", this)
 	{
 		conn = NULL;
 	}
 
 	void init()
 	{
-		Implementation eventlist[] = { I_OnCheckReady, I_OnRehash, I_OnUserRegister };
-		ServerInstance->Modules->Attach(eventlist, this, 3);
+		ServerInstance->Modules->AddService(ldapAuthed);
+		ServerInstance->Modules->AddService(ldapVhost);
+		Implementation eventlist[] = { I_OnCheckReady, I_OnRehash,I_OnUserRegister, I_OnUserConnect };
+		ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
 		OnRehash(NULL);
 	}
 
@@ -88,6 +148,7 @@ public:
 		std::string scope	= tag->getString("searchscope");
 		username		= tag->getString("binddn");
 		password		= tag->getString("bindauth");
+		vhost			= tag->getString("host");
 		verbose			= tag->getBool("verbose");		/* Set to true if failed connects should be reported to operators */
 		useusername		= tag->getBool("userfield");
 
@@ -147,6 +208,42 @@ public:
 		return true;
 	}
 
+	std::string SafeReplace(const std::string &text, std::map<std::string,
+			std::string> &replacements)
+	{
+		std::string result;
+		result.reserve(MAXBUF);
+
+		for (unsigned int i = 0; i < text.length(); ++i) {
+			char c = text[i];
+			if (c == '$') {
+				// find the first nonalpha
+				i++;
+				unsigned int start = i;
+
+				while (i < text.length() - 1 && isalpha(text[i + 1]))
+					++i;
+
+				std::string key = text.substr(start, (i - start) + 1);
+				result.append(replacements[key]);
+			} else {
+				result.push_back(c);
+			}
+		}
+
+	   return result;
+	}
+
+	virtual void OnUserConnect(LocalUser *user)
+	{
+		std::string* cc = ldapVhost.get(user);
+		if (cc)
+		{
+			user->ChangeDisplayedHost(cc->c_str());
+			ldapVhost.unset(user);
+		}
+	}
+
 	ModResult OnUserRegister(LocalUser* user)
 	{
 		if ((!allowpattern.empty()) && (InspIRCd::Match(user->nick,allowpattern)))
@@ -212,7 +309,7 @@ public:
 			}
 		}
 
-		LDAPMessage *msg, *entry;
+		RAIILDAPMessage msg;
 		std::string what = (attribute + "=" + (useusername ? user->ident : user->nick));
 		if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS)
 		{
@@ -221,6 +318,11 @@ public:
 			size_t pos = user->password.find(":");
 			if (pos != std::string::npos)
 			{
+				// manpage says we must deallocate regardless of success or failure
+				// since we're about to do another query (and reset msg), first
+				// free the old one.
+				msg.dealloc();
+
 				std::string cutpassword = user->password.substr(0, pos);
 				res = ldap_search_ext_s(conn, base.c_str(), searchscope, cutpassword.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg);
 
@@ -243,23 +345,23 @@ public:
 		{
 			if (verbose)
 				ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP search returned more than one result: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
-			ldap_msgfree(msg);
 			return false;
 		}
+
+		LDAPMessage *entry;
 		if ((entry = ldap_first_entry(conn, msg)) == NULL)
 		{
 			if (verbose)
 				ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP search returned no results: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
-			ldap_msgfree(msg);
 			return false;
 		}
 		cred.bv_val = (char*)user->password.data();
 		cred.bv_len = user->password.length();
-		if ((res = ldap_sasl_bind_s(conn, ldap_get_dn(conn, entry), LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) != LDAP_SUCCESS)
+		RAIILDAPString DN(ldap_get_dn(conn, entry));
+		if ((res = ldap_sasl_bind_s(conn, DN, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)) != LDAP_SUCCESS)
 		{
 			if (verbose)
 				ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (%s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
-			ldap_msgfree(msg);
 			return false;
 		}
 
@@ -278,7 +380,7 @@ public:
 
 				ServerInstance->Logs->Log("m_ldapauth", DEBUG, "LDAP compare: %s=%s", attr.c_str(), val.c_str());
 
-				authed = (ldap_compare_ext_s(conn, ldap_get_dn(conn, entry), attr.c_str(), &attr_value, NULL, NULL) == LDAP_COMPARE_TRUE);
+				authed = (ldap_compare_ext_s(conn, DN, attr.c_str(), &attr_value, NULL, NULL) == LDAP_COMPARE_TRUE);
 
 				if (authed)
 					break;
@@ -286,12 +388,35 @@ public:
 
 			if (!authed)
 			{
-				ldap_msgfree(msg);
+				if (verbose)
+					ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (Lacks required LDAP attributes)", user->GetFullRealHost().c_str());
 				return false;
 			}
 		}
 
-		ldap_msgfree(msg);
+		if (!vhost.empty())
+		{
+			irc::commasepstream stream(DN);
+
+			// mashed map of key:value parts of the DN
+			std::map<std::string, std::string> dnParts;
+
+			std::string dnPart;
+			while (stream.GetToken(dnPart))
+			{
+				std::string::size_type pos = dnPart.find('=');
+				if (pos == std::string::npos) // malformed
+					continue;
+
+				std::string key = dnPart.substr(0, pos);
+				std::string value = dnPart.substr(pos + 1, dnPart.length() - pos + 1); // +1s to skip the = itself
+				dnParts[key] = value;
+			}
+
+			// change host according to config key
+			ldapVhost.set(user, SafeReplace(vhost, dnParts));
+		}
+
 		ldapAuthed.set(user,1);
 		return true;
 	}