1
0
mirror of https://github.com/anope/anope.git synced 2026-07-10 02:03:13 +02:00

m_ldap_authentication: Removed the dependency on a specific binddn in favour of searching the tree for matching criteria and using the returned DN

This commit is contained in:
Jeremy
2012-05-15 17:19:50 -04:00
committed by Adam
parent 90b0283160
commit ef88385d85
2 changed files with 100 additions and 40 deletions
+13 -2
View File
@@ -101,6 +101,10 @@ ldap
{
server = "ldap://127.0.0.1"
port = 389
/*
* Admin credentials used for performing searches and adding users.
*/
admin_binddn = "cn=Manager,dc=anope,dc=org"
admin_password = "secret"
}
@@ -115,9 +119,16 @@ ldap
m_ldap_authentication
{
/*
* The distinguished name we should bind to when a user tries to identify.
* The distinguished name used for searching for users's accounts.
*/
binddn = "ou=users,dc=anope,dc=org"
basedn = "ou=users,dc=anope,dc=org"
/*
* The search filter used to look up users's accounts.
* %account is replaced with the user's account
* %object_class is replaced with the object_class configured below.
*/
search_filter = "(&(uid=%account)(objectClass=%object_class))"
/*
* The object class used by LDAP to store user account information.
+87 -38
View File
@@ -2,7 +2,11 @@
#include "nickserv.h"
#include "ldap.h"
static Anope::string basedn;
static Anope::string search_filter;
static Anope::string object_class;
static Anope::string email_attribute;
static Anope::string username_attribute;
struct IdentifyInfo
{
@@ -12,10 +16,18 @@ struct IdentifyInfo
std::vector<Anope::string> params;
Anope::string account;
Anope::string pass;
Anope::string dn;
service_reference<LDAPProvider> lprov;
bool admin_bind;
IdentifyInfo(User *u, Command *c, CommandSource &s, const std::vector<Anope::string> &pa, const Anope::string &a, const Anope::string &p) : user(u), command(c), source(s), params(pa), account(a), pass(p) { }
IdentifyInfo(User *u, Command *c, CommandSource &s, const std::vector<Anope::string> &pa, const Anope::string &a, const Anope::string &p, service_reference<LDAPProvider> &lp) :
user(u), command(c), source(s), params(pa), account(a), pass(p), lprov(lp), admin_bind(true) { }
};
struct ExtensibleString : Anope::string, ExtensibleItem
{
ExtensibleString(const Anope::string &s) : Anope::string(s) { }
};
class IdentifyInterface : public LDAPInterface
{
@@ -40,34 +52,71 @@ class IdentifyInterface : public LDAPInterface
IdentifyInfo *ii = it->second;
this->requests.erase(it);
if (!ii->user || !ii->command)
if (!ii->user || !ii->command || !ii->lprov)
{
delete this;
return;
}
User *u = ii->user;
Command *c = ii->command;
u->Extend("m_ldap_authentication_authenticated", NULL);
NickAlias *na = findnick(ii->account);
if (na == NULL)
switch (r.type)
{
na = new NickAlias(ii->account, new NickCore(ii->account));
if (Config->NSAddAccessOnReg)
na->nc->AddAccess(create_mask(u));
case LDAPResult::QUERY_SEARCH:
{
try
{
const LDAPAttributes &attr = r.get(0);
ii->dn = attr.get("dn");
Log(LOG_DEBUG) << "m_ldap_authenticationn: binding as " << ii->dn;
LDAPQuery id = ii->lprov->Bind(this, ii->dn, ii->pass);
this->Add(id, ii);
}
catch (const LDAPException &ex)
{
Log() << "m_ldap_authentication: Error binding after search: " << ex.GetReason();
}
break;
}
case LDAPResult::QUERY_BIND:
{
if (ii->admin_bind)
{
Anope::string sf = search_filter.replace_all_cs("%account", ii->account).replace_all_cs("%object_class", object_class);
Log(LOG_DEBUG) << "m_ldap_authentication: searching for " << sf;
LDAPQuery id = ii->lprov->Search(this, basedn, sf);
this->Add(id, ii);
ii->admin_bind = false;
}
else
{
User *u = ii->user;
Command *c = ii->command;
const BotInfo *bi = findbot(Config->NickServ);
if (bi)
u->SendMessage(bi, _("Your account \002%s\002 has been successfully created."), na->nick.c_str());
}
u->Extend("m_ldap_authentication_authenticated", NULL);
NickAlias *na = findnick(ii->account);
if (na == NULL)
{
na = new NickAlias(ii->account, new NickCore(ii->account));
if (Config->NSAddAccessOnReg)
na->nc->AddAccess(create_mask(u));
enc_encrypt(ii->pass, na->nc->pass);
BotInfo *bi = findbot(Config->NickServ);
if (bi)
u->SendMessage(bi, _("Your account \002%s\002 has been successfully created."), na->nick.c_str());
}
c->Execute(ii->source, ii->params);
delete ii;
na->nc->Extend("m_ldap_authentication_dn", new ExtensibleString(ii->dn));
enc_encrypt(ii->pass, na->nc->pass);
c->Execute(ii->source, ii->params);
delete ii;
}
break;
}
default:
delete ii;
}
}
void OnError(const LDAPResult &r) anope_override
@@ -123,11 +172,10 @@ class OnIdentifyInterface : public LDAPInterface
const LDAPAttributes &attr = r.get(0);
Anope::string email = attr.get(email_attribute);
NickCore *nc = u->Account();
if (!email.equals_ci(nc->email))
if (!email.equals_ci(u->Account()->email))
{
nc->email = email;
const BotInfo *bi = findbot(Config->NickServ);
u->Account()->email = email;
BotInfo *bi = findbot(Config->NickServ);
if (bi)
u->SendMessage(bi, _("Your email has been updated to \002%s\002"), email.c_str());
Log() << "m_ldap_authentication: Updated email address for " << u->nick << " (" << u->Account()->display << ") to " << email;
@@ -169,9 +217,6 @@ class NSIdentifyLDAP : public Module
OnIdentifyInterface oninterface;
OnRegisterInterface orinterface;
Anope::string binddn;
Anope::string object_class;
Anope::string username_attribute;
Anope::string password_attribute;
bool disable_register;
Anope::string disable_reason;
@@ -192,9 +237,10 @@ class NSIdentifyLDAP : public Module
{
ConfigReader config;
this->binddn = config.ReadValue("m_ldap_authentication", "binddn", "", 0);
this->object_class = config.ReadValue("m_ldap_authentication", "object_class", "", 0);
this->username_attribute = config.ReadValue("m_ldap_authentication", "username_attribute", "", 0);
basedn = config.ReadValue("m_ldap_authentication", "basedn", "", 0);
search_filter = config.ReadValue("m_ldap_authentication", "search_filter", "", 0);
object_class = config.ReadValue("m_ldap_authentication", "object_class", "", 0);
username_attribute = config.ReadValue("m_ldap_authentication", "username_attribute", "", 0);
this->password_attribute = config.ReadValue("m_ldap_authentication", "password_attribute", "", 0);
email_attribute = config.ReadValue("m_ldap_authentication", "email_attribute", "", 0);
this->disable_register = config.ReadFlag("m_ldap_authentication", "disable_ns_register", "false", 0);
@@ -230,11 +276,10 @@ class NSIdentifyLDAP : public Module
return EVENT_CONTINUE;
}
IdentifyInfo *ii = new IdentifyInfo(u, c, *source, params, account, password);
IdentifyInfo *ii = new IdentifyInfo(u, c, *source, params, account, password, this->ldap);
try
{
Anope::string full_binddn = this->username_attribute + "=" + account + "," + this->binddn;
LDAPQuery id = this->ldap->Bind(&this->iinterface, full_binddn, password);
LDAPQuery id = this->ldap->BindAsAdmin(&this->iinterface);
this->iinterface.Add(id, ii);
}
catch (const LDAPException &ex)
@@ -249,12 +294,16 @@ class NSIdentifyLDAP : public Module
void OnNickIdentify(User *u) anope_override
{
if (email_attribute.empty() || !this->ldap)
if (email_attribute.empty() || !this->ldap || !u->Account()->HasExt("m_ldap_authentication_dn"))
return;
Anope::string *dn = u->Account()->GetExt<ExtensibleString *>("m_ldap_authentication_dn");
if (!dn || dn->empty())
return;
try
{
LDAPQuery id = this->ldap->Search(&this->oninterface, this->binddn, "(" + this->username_attribute + "=" + u->Account()->display + ")");
LDAPQuery id = this->ldap->Search(&this->oninterface, *dn, "(" + email_attribute + "=*)");
this->oninterface.Add(id, u->nick);
}
catch (const LDAPException &ex)
@@ -277,9 +326,9 @@ class NSIdentifyLDAP : public Module
attributes[0].name = "objectClass";
attributes[0].values.push_back("top");
attributes[0].values.push_back(this->object_class);
attributes[0].values.push_back(object_class);
attributes[1].name = this->username_attribute;
attributes[1].name = username_attribute;
attributes[1].values.push_back(na->nick);
if (!na->nc->email.empty())
@@ -291,7 +340,7 @@ class NSIdentifyLDAP : public Module
attributes[3].name = this->password_attribute;
attributes[3].values.push_back(na->nc->pass);
Anope::string new_dn = this->username_attribute + "=" + na->nick + "," + this->binddn;
Anope::string new_dn = username_attribute + "=" + na->nick + "," + basedn;
this->ldap->Add(&this->orinterface, new_dn, attributes);
}
catch (const LDAPException &ex)