X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_ldapauth.cpp;h=8fc0ca0b01f9639b2c5b2e0e525cc18fc46b1c37;hb=6c2b6fa23d3a65ecdcebbf9154b8daa2e55727e9;hp=6b7c9d2198ecb122234ce643269b49b5805999b9;hpb=3fc88ba7c97a5db3bfbb0c422afd4e180271b348;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_ldapauth.cpp b/src/modules/m_ldapauth.cpp index 6b7c9d219..8fc0ca0b0 100644 --- a/src/modules/m_ldapauth.cpp +++ b/src/modules/m_ldapauth.cpp @@ -1,14 +1,12 @@ /* * InspIRCd -- Internet Relay Chat Daemon * - * Copyright (C) 2013 Adam - * Copyright (C) 2011 Pierre Carrier - * Copyright (C) 2009-2010 Robin Burchell - * Copyright (C) 2009 Daniel De Graaf - * Copyright (C) 2008 Pippijn van Steenhoven - * Copyright (C) 2008 Craig Edwards - * Copyright (C) 2008 Dennis Friis - * Copyright (C) 2007 Carsten Valdemar Munk + * Copyright (C) 2020 Joel Sing + * Copyright (C) 2019 Sadie Powell + * Copyright (C) 2019 Robby + * Copyright (C) 2014-2015 Attila Molnar + * Copyright (C) 2014 Thiago Crepaldi + * Copyright (C) 2013-2014, 2017 Adam * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -64,7 +62,7 @@ class BindInterface : public LDAPInterface while (i < text.length() - 1 && isalpha(text[i + 1])) ++i; - std::string key = text.substr(start, (i - start) + 1); + std::string key(text, start, (i - start) + 1); result.append(replacements[key]); } else @@ -90,8 +88,8 @@ class BindInterface : public LDAPInterface if (pos == std::string::npos) // malformed continue; - std::string key = dnPart.substr(0, pos); - std::string value = dnPart.substr(pos + 1, dnPart.length() - pos + 1); // +1s to skip the = itself + std::string key(dnPart, 0, pos); + std::string value(dnPart, pos + 1, dnPart.length() - pos + 1); // +1s to skip the = itself dnParts[key] = value; } @@ -121,6 +119,9 @@ class BindInterface : public LDAPInterface if (!checkingAttributes && requiredattributes.empty()) { + if (verbose) + ServerInstance->SNO->WriteToSnoMask('c', "Successful connection from %s (dn=%s)", user->GetFullRealHost().c_str(), DN.c_str()); + // We're done, there are no attributes to check SetVHost(user, DN); authed->set(user, 1); @@ -137,6 +138,9 @@ class BindInterface : public LDAPInterface // Only one has to pass passed = true; + if (verbose) + ServerInstance->SNO->WriteToSnoMask('c', "Successful connection from %s (dn=%s)", user->GetFullRealHost().c_str(), DN.c_str()); + SetVHost(user, DN); authed->set(user, 1); } @@ -174,7 +178,7 @@ class BindInterface : public LDAPInterface if (!attrCount) { if (verbose) - ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (unable to validate attributes)", user->GetFullRealHost().c_str()); + ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (dn=%s) (unable to validate attributes)", user->GetFullRealHost().c_str(), DN.c_str()); ServerInstance->Users->QuitUser(user, killreason); delete this; } @@ -216,7 +220,7 @@ class SearchInterface : public LDAPInterface void OnResult(const LDAPResult& r) CXX11_OVERRIDE { - LocalUser* user = static_cast(ServerInstance->FindUUID(uid)); + LocalUser* user = IS_LOCAL(ServerInstance->FindUUID(uid)); dynamic_reference LDAP(me, provider); if (!LDAP || r.empty() || !user) { @@ -232,8 +236,7 @@ class SearchInterface : public LDAPInterface std::string bindDn = a.get("dn"); if (bindDn.empty()) { - if (user) - ServerInstance->Users->QuitUser(user, killreason); + ServerInstance->Users->QuitUser(user, killreason); delete this; return; } @@ -257,6 +260,43 @@ class SearchInterface : public LDAPInterface } }; +class AdminBindInterface : public LDAPInterface +{ + const std::string provider; + const std::string uuid; + const std::string base; + const std::string what; + + public: + AdminBindInterface(Module* c, const std::string& p, const std::string& u, const std::string& b, const std::string& w) + : LDAPInterface(c), provider(p), uuid(u), base(b), what(w) + { + } + + void OnResult(const LDAPResult& r) CXX11_OVERRIDE + { + dynamic_reference LDAP(me, provider); + if (LDAP) + { + try + { + LDAP->Search(new SearchInterface(this->creator, provider, uuid), base, what); + } + catch (LDAPException& ex) + { + ServerInstance->SNO->WriteToSnoMask('a', "Error searching LDAP server: " + ex.GetReason()); + } + } + delete this; + } + + void OnError(const LDAPResult& err) CXX11_OVERRIDE + { + ServerInstance->SNO->WriteToSnoMask('a', "Error binding as manager to LDAP server: " + err.getError()); + delete this; + } +}; + class ModuleLDAPAuth : public Module { dynamic_reference LDAP; @@ -264,15 +304,15 @@ class ModuleLDAPAuth : public Module LocalStringExt ldapVhost; std::string base; std::string attribute; - std::string allowpattern; + std::vector allowpatterns; std::vector whitelistedcidrs; bool useusername; public: ModuleLDAPAuth() : LDAP(this, "LDAP") - , ldapAuthed("ldapauth", this) - , ldapVhost("ldapauth_vhost", this) + , ldapAuthed("ldapauth", ExtensionItem::EXT_USER, this) + , ldapVhost("ldapauth_vhost", ExtensionItem::EXT_USER, this) { me = this; authed = &ldapAuthed; @@ -287,7 +327,6 @@ public: base = tag->getString("baserdn"); attribute = tag->getString("attribute"); - allowpattern = tag->getString("allowpattern"); killreason = tag->getString("killreason"); vhost = tag->getString("host"); // Set to true if failed connects should be reported to operators @@ -316,6 +355,13 @@ public: if (!attr.empty() && !val.empty()) requiredattributes.push_back(make_pair(attr, val)); } + + std::string allowpattern = tag->getString("allowpattern"); + irc::spacesepstream ss(allowpattern); + for (std::string more; ss.GetToken(more); ) + { + allowpatterns.push_back(more); + } } void OnUserConnect(LocalUser *user) CXX11_OVERRIDE @@ -330,10 +376,13 @@ public: ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE { - if ((!allowpattern.empty()) && (InspIRCd::Match(user->nick,allowpattern))) + for (std::vector::const_iterator i = allowpatterns.begin(); i != allowpatterns.end(); ++i) { - ldapAuthed.set(user,1); - return MOD_RES_PASSTHRU; + if (InspIRCd::Match(user->nick, *i)) + { + ldapAuthed.set(user,1); + return MOD_RES_PASSTHRU; + } } for (std::vector::iterator i = whitelistedcidrs.begin(); i != whitelistedcidrs.end(); i++) @@ -348,7 +397,7 @@ public: if (user->password.empty()) { if (verbose) - ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (No password provided)", user->GetFullRealHost().c_str()); + ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (no password provided)", user->GetFullRealHost().c_str()); ServerInstance->Users->QuitUser(user, killreason); return MOD_RES_DENY; } @@ -356,17 +405,28 @@ public: if (!LDAP) { if (verbose) - ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (Unable to find LDAP provider)", user->GetFullRealHost().c_str()); + ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (unable to find LDAP provider)", user->GetFullRealHost().c_str()); ServerInstance->Users->QuitUser(user, killreason); return MOD_RES_DENY; } - try + std::string what; + std::string::size_type pos = user->password.find(':'); + if (pos != std::string::npos) { - LDAP->BindAsManager(NULL); + what = attribute + "=" + user->password.substr(0, pos); - std::string what = attribute + "=" + (useusername ? user->ident : user->nick); - LDAP->Search(new SearchInterface(this, LDAP.GetProvider(), user->uuid), base, what); + // Trim the user: prefix, leaving just 'pass' for later password check + user->password = user->password.substr(pos + 1); + } + else + { + what = attribute + "=" + (useusername ? user->ident : user->nick); + } + + try + { + LDAP->BindAsManager(new AdminBindInterface(this, LDAP.GetProvider(), user->uuid, base, what)); } catch (LDAPException &ex) { @@ -384,7 +444,7 @@ public: Version GetVersion() CXX11_OVERRIDE { - return Version("Allow/Deny connections based upon answer from LDAP server", VF_VENDOR); + return Version("Allows connecting users to be authenticated against an LDAP database.", VF_VENDOR); } };