From 16cbb628161960eb87d5b2e8bdd62842b8eb0723 Mon Sep 17 00:00:00 2001
From: Pierre Carrier <pierre@spotify.com>
Date: Wed, 14 Sep 2011 15:24:55 +0200
Subject: [PATCH] extras/m_ldapauth: CIDR-based whitelisting

Offer host-based whitelisting in the ldap module.

Used to trust clients from internal networks,
whilst requiring authentication from "outsiders".
---
 docs/modules.conf.example        | 10 ++++++++++
 src/modules/extra/m_ldapauth.cpp | 21 +++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/docs/modules.conf.example b/docs/modules.conf.example
index 8ae47d81f..21ee3d829 100644
--- a/docs/modules.conf.example
+++ b/docs/modules.conf.example
@@ -960,6 +960,8 @@
 #           bindauth="mysecretpass"                                   #
 #           verbose="yes">                                            #
 #                                                                     #
+# <ldapwhitelist cidr="10.42.0.0/16">                                 #
+#                                                                     #
 # The baserdn indicates the base DN to search in for users. Usually   #
 # this is 'ou=People,dc=yourdomain,dc=yourtld'.                       #
 #                                                                     #
@@ -987,6 +989,14 @@
 # allow anonymous searching in which case these two values do not     #
 # need defining, otherwise they should be set similar to the examples #
 # above.                                                              #
+#                                                                     #
+# ldapwhitelist indicates that clients connecting from an IP in the   #
+# provided CIDR do not need to authenticate against LDAP. It can be   #
+# repeated to whitelist multiple CIDRs.                               #
+
+# ldapwhitelist indicates that clients connecting from the associated #
+# CIDR do  to authenticate against LDAP. It can be used multiple      #
+# times.                                                              #
 
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # LDAP oper configuration module: Adds the ability to authenticate    #
diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp
index 4fae7a2e7..a3d80b8f3 100644
--- a/src/modules/extra/m_ldapauth.cpp
+++ b/src/modules/extra/m_ldapauth.cpp
@@ -46,6 +46,7 @@ class ModuleLDAPAuth : public Module
 	std::string killreason;
 	std::string username;
 	std::string password;
+	std::vector<std::string> whitelistedcidrs;
 	int searchscope;
 	bool verbose;
 	bool useusername;
@@ -73,6 +74,7 @@ public:
 	void OnRehash(User* user)
 	{
 		ConfigReader Conf;
+		whitelistedcidrs.clear();
 
 		base 			= Conf.ReadValue("ldapauth", "baserdn", 0);
 		attribute		= Conf.ReadValue("ldapauth", "attribute", 0);
@@ -85,6 +87,16 @@ public:
 		verbose			= Conf.ReadFlag("ldapauth", "verbose", 0);		/* Set to true if failed connects should be reported to operators */
 		useusername		= Conf.ReadFlag("ldapauth", "userfield", 0);
 
+		ConfigTagList whitelisttags = ServerInstance->Config->ConfTags("ldapwhitelist");
+
+		for (ConfigIter i = whitelisttags.first; i != whitelisttags.second; ++i)
+		{
+			std::string cidr = i->second->getString("cidr");
+			if (!cidr.empty()) {
+				whitelistedcidrs.push_back(cidr);
+			}
+		}
+
 		if (scope == "base")
 			searchscope = LDAP_SCOPE_BASE;
 		else if (scope == "onelevel")
@@ -128,6 +140,15 @@ public:
 			return MOD_RES_PASSTHRU;
 		}
 
+		for (std::vector<std::string>::iterator i = whitelistedcidrs.begin(); i != whitelistedcidrs.end(); i++)
+		{
+			if (InspIRCd::MatchCIDR(user->GetIPString(), *i, ascii_case_insensitive_map))
+			{
+				ldapAuthed.set(user,1);
+				return MOD_RES_PASSTHRU;
+			}
+		}
+
 		if (!CheckCredentials(user))
 		{
 			ServerInstance->Users->QuitUser(user, killreason);
-- 
2.39.5