extras/m_ldapauth: CIDR-based whitelisting
authorPierre Carrier <pierre@spotify.com>
Wed, 14 Sep 2011 13:24:55 +0000 (15:24 +0200)
committerPierre Carrier <pierre@spotify.com>
Tue, 10 Apr 2012 20:36:05 +0000 (22:36 +0200)
Offer host-based whitelisting in the ldap module.

Used to trust clients from internal networks,
whilst requiring authentication from "outsiders".

docs/modules.conf.example
src/modules/extra/m_ldapauth.cpp

index 8ae47d81f32192965a5ab138710a0cbc5ecc7dae..21ee3d8291970ca523c078520512ff23564320b3 100644 (file)
 #           bindauth="mysecretpass"                                   #
 #           verbose="yes">                                            #
 #                                                                     #
+# <ldapwhitelist cidr="10.42.0.0/16">                                 #
+#                                                                     #
 # The baserdn indicates the base DN to search in for users. Usually   #
 # this is 'ou=People,dc=yourdomain,dc=yourtld'.                       #
 #                                                                     #
 # allow anonymous searching in which case these two values do not     #
 # need defining, otherwise they should be set similar to the examples #
 # above.                                                              #
+#                                                                     #
+# ldapwhitelist indicates that clients connecting from an IP in the   #
+# provided CIDR do not need to authenticate against LDAP. It can be   #
+# repeated to whitelist multiple CIDRs.                               #
+
+# ldapwhitelist indicates that clients connecting from the associated #
+# CIDR do  to authenticate against LDAP. It can be used multiple      #
+# times.                                                              #
 
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # LDAP oper configuration module: Adds the ability to authenticate    #
index 4fae7a2e751209f6b3efb30324624ab799fbff0e..a3d80b8f3a254526552928603a73b7eac54bbec7 100644 (file)
@@ -46,6 +46,7 @@ class ModuleLDAPAuth : public Module
        std::string killreason;
        std::string username;
        std::string password;
+       std::vector<std::string> whitelistedcidrs;
        int searchscope;
        bool verbose;
        bool useusername;
@@ -73,6 +74,7 @@ public:
        void OnRehash(User* user)
        {
                ConfigReader Conf;
+               whitelistedcidrs.clear();
 
                base                    = Conf.ReadValue("ldapauth", "baserdn", 0);
                attribute               = Conf.ReadValue("ldapauth", "attribute", 0);
@@ -85,6 +87,16 @@ public:
                verbose                 = Conf.ReadFlag("ldapauth", "verbose", 0);              /* Set to true if failed connects should be reported to operators */
                useusername             = Conf.ReadFlag("ldapauth", "userfield", 0);
 
+               ConfigTagList whitelisttags = ServerInstance->Config->ConfTags("ldapwhitelist");
+
+               for (ConfigIter i = whitelisttags.first; i != whitelisttags.second; ++i)
+               {
+                       std::string cidr = i->second->getString("cidr");
+                       if (!cidr.empty()) {
+                               whitelistedcidrs.push_back(cidr);
+                       }
+               }
+
                if (scope == "base")
                        searchscope = LDAP_SCOPE_BASE;
                else if (scope == "onelevel")
@@ -128,6 +140,15 @@ public:
                        return MOD_RES_PASSTHRU;
                }
 
+               for (std::vector<std::string>::iterator i = whitelistedcidrs.begin(); i != whitelistedcidrs.end(); i++)
+               {
+                       if (InspIRCd::MatchCIDR(user->GetIPString(), *i, ascii_case_insensitive_map))
+                       {
+                               ldapAuthed.set(user,1);
+                               return MOD_RES_PASSTHRU;
+                       }
+               }
+
                if (!CheckCredentials(user))
                {
                        ServerInstance->Users->QuitUser(user, killreason);
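Review bot: A client that matches in the `MatchCIDR` loop is marked via `ldapAuthed.set(user,1)` and passed through with no record that LDAP was skipped, even when `verbose` is set, so a CIDR that is broader than intended grants LDAP-free access with nothing for operators to notice; consider reporting the bypass through the same operator notice path the module already uses for failed connects under `verbose`. The `cidr` values collected in the `getString("cidr")` loop of OnRehash are stored without any validation, so a malformed entry is only discovered, if at all, at match time — I cannot tell from this hunk how `MatchCIDR` treats a bad mask, but a rehash-time check or at least a log line would make such a misconfiguration visible. Minor style: the match loop never modifies the list and post-increments the iterator, so `for (std::vector<std::string>::const_iterator i = whitelistedcidrs.begin(); i != whitelistedcidrs.end(); ++i)` is the idiomatic form. The function containing this hunk begins above the hunk.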