OpenSolaris_b135/lib/libsldap/common/ns_standalone.c
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#define __STANDALONE_MODULE__
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <libintl.h>
#include <string.h>
#include <ctype.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <syslog.h>
#include <locale.h>
#include <errno.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <strings.h>
#include <thread.h>
#include <nsswitch.h>
#include <nss_dbdefs.h>
#include <nss.h>
#include "ns_cache_door.h"
#include "ns_internal.h"
#include "ns_connmgmt.h"
typedef enum {
INFO_SERVER_JUST_INITED = -1,
INFO_SERVER_UNKNOWN = 0,
INFO_SERVER_CONNECTING = 1,
INFO_SERVER_UP = 2,
INFO_SERVER_ERROR = 3,
INFO_SERVER_REMOVED = 4
} dir_server_status_t;
typedef enum {
INFO_STATUS_NEW = 2,
INFO_STATUS_OLD = 3
} dir_server_info_t;
typedef struct dir_server {
char *ip;
char **controls;
char **saslMech;
dir_server_status_t status;
mutex_t updateStatus;
dir_server_info_t info;
} dir_server_t;
typedef struct dir_server_list {
dir_server_t **nsServers;
rwlock_t listDestroyLock;
} dir_server_list_t;
struct {
/* The local list of the directory servers' root DSEs. */
dir_server_list_t *list;
/* The flag indicating if libsldap is in the 'Standalone' mode. */
int standalone;
/*
* The mutex ensuring that only one thread performs
* the initialization of the list.
*/
mutex_t listReplaceLock;
/*
* A flag indicating that a particular thread is
* in the 'ldap_cachemgr' mode. It is stored by thread as
* a thread specific data.
*/
const int initFlag;
/*
* A thread specific key storing
* the the 'ldap_cachemgr' mode indicator.
*/
thread_key_t standaloneInitKey;
} dir_servers = {NULL, 0, DEFAULTMUTEX, '1'};
typedef struct switchDatabase {
char *conf;
uint32_t alloced;
} switch_database_t;
static thread_key_t switchConfigKey;
#pragma init(createStandaloneKey)
#define DONT_INCLUDE_ATTR_NAMES 0
#define INCLUDE_ATTR_NAMES 1
#define IS_PROFILE 1
#define NOT_PROFILE 0
/* INET6_ADDRSTRLEN + ":" + <5-digit port> + some round-up */
#define MAX_HOSTADDR_LEN (INET6_ADDRSTRLEN + 6 + 12)
static
void
switch_conf_disposer(void *data)
{
switch_database_t *localData = (switch_database_t *)data;
free(localData->conf);
free(localData);
}
/*
* This function initializes an indication that a thread obtaining a root DSE
* will be switched to the 'ldap_cachemgr' mode. Within the thread libsldap
* will not invoke the __s_api_requestServer function. Instead, the library
* will establish a connection to the server specified by
* the __ns_ldap_getRootDSE function.
* Since ldap_cachmgr can obtain a DUAProfile and root DSEs at the same time
* and we do not want to affect a thread obtaining a DUAProfile,
* the 'ldap_cachemgr' mode is thread private.
* In addition, this function creates a key holding temporary configuration
* for the "hosts" and "ipnodes" databases which is used by the "SKIPDB"
* mechanism (__s_api_ip2hostname() & _s_api_hostname2ip()).
*/
static
void
createStandaloneKey()
{
if (thr_keycreate(&dir_servers.standaloneInitKey, NULL) != 0) {
syslog(LOG_ERR, gettext("libsldap: unable to create a thread "
"key needed for sharing ldap connections"));
}
if (thr_keycreate(&switchConfigKey, switch_conf_disposer) != 0) {
syslog(LOG_ERR, gettext("libsldap: unable to create a thread "
"key containing current nsswitch configuration"));
}
}
/*
* This function sets the 'ldap_cachemgr' mode indication.
*/
void
__s_api_setInitMode()
{
(void) thr_setspecific(dir_servers.standaloneInitKey,
(void *) &dir_servers.initFlag);
}
/*
* This function unset the 'ldap_cachemgr' mode indication.
*/
void
__s_api_unsetInitMode()
{
(void) thr_setspecific(dir_servers.standaloneInitKey, NULL);
}
/*
* This function checks if the 'ldap_cachemgr' mode indication is set.
*/
int
__s_api_isInitializing() {
int *flag = NULL;
(void) thr_getspecific(dir_servers.standaloneInitKey, (void **) &flag);
return (flag != NULL && *flag == dir_servers.initFlag);
}
/*
* This function checks if the process runs in the 'Standalone' mode.
* In this mode libsldap will check the local, process private list of root DSEs
* instead of requesting them via a door call to ldap_cachemgr.
*/
int
__s_api_isStandalone()
{
int mode;
(void) mutex_lock(&dir_servers.listReplaceLock);
mode = dir_servers.standalone;
(void) mutex_unlock(&dir_servers.listReplaceLock);
return (mode);
}
static
int
remove_ldap(char *dst, char *src, int dst_buf_len)
{
int i = 0;
if (strlen(src) >= dst_buf_len)
return (0);
while (*src != '\0') {
/* Copy up to one space from source. */
if (isspace(*src)) {
dst[i++] = *src;
while (isspace(*src))
src++;
}
/* If not "ldap", just copy. */
if (strncmp(src, "ldap", 4) != 0) {
while (!isspace(*src)) {
dst[i++] = *src++;
/* At the end of string? */
if (dst[i-1] == '\0')
return (1);
}
/* Copy up to one space from source. */
if (isspace(*src)) {
dst[i++] = *src;
while (isspace(*src))
src++;
}
/* Copy also the criteria section */
if (*src == '[')
while (*src != ']') {
dst[i++] = *src++;
/* Shouln't happen if format is right */
if (dst[i-1] == '\0')
return (1);
}
}
/* If next part is ldap, skip over it ... */
if (strncmp(src, "ldap", 4) == 0) {
if (isspace(*(src+4)) || *(src+4) == '\0') {
src += 4;
while (isspace(*src))
src++;
if (*src == '[') {
while (*src++ != ']') {
/*
* See comment above about
* correct format.
*/
if (*src == '\0') {
dst[i++] = '\0';
return (1);
}
}
}
while (isspace(*src))
src++;
}
}
if (*src == '\0')
dst[i++] = '\0';
}
return (1);
}
static
char *
get_db(const char *db_name)
{
char *ptr;
switch_database_t *hostService = NULL;
FILE *fp = fopen(__NSW_CONFIG_FILE, "rF");
char *linep, line[NSS_BUFSIZ];
if (fp == NULL) {
syslog(LOG_WARNING, gettext("libsldap: can not read %s"),
__NSW_CONFIG_FILE);
return (NULL);
}
while ((linep = fgets(line, NSS_BUFSIZ, fp)) != NULL) {
while (isspace(*linep)) {
++linep;
}
if (*linep == '#') {
continue;
}
if (strncmp(linep, db_name, strlen(db_name)) != 0) {
continue;
}
if ((linep = strchr(linep, ':')) != NULL) {
if (linep[strlen(linep) - 1] == '\n') {
linep[strlen(linep) - 1] = '\0';
}
while (isspace(*++linep))
;
if ((ptr = strchr(linep, '#')) != NULL) {
while (--ptr >= linep && isspace(*ptr))
;
*(ptr + 1) = '\0';
}
if (strlen(linep) == 0) {
continue;
}
break;
}
}
(void) fclose(fp);
if (linep == NULL) {
syslog(LOG_WARNING,
gettext("libsldap: the %s database "
"is missing from %s"),
db_name,
__NSW_CONFIG_FILE);
return (NULL);
}
(void) thr_getspecific(switchConfigKey, (void **) &hostService);
if (hostService == NULL) {
hostService = calloc(1, sizeof (switch_database_t));
if (hostService == NULL) {
return (NULL);
}
(void) thr_setspecific(switchConfigKey, hostService);
}
/*
* In a long-living process threads can perform several
* getXbyY requests. And the windows between those requests
* can be long. The nsswitch configuration can change from time
* to time. So instead of allocating/freeing memory every time
* the API is called, reallocate memory only when the current
* configuration for the database being used is longer than
* the previous one.
*/
if (strlen(linep) >= hostService->alloced) {
ptr = (char *)realloc((void *)hostService->conf,
strlen(linep) + 1);
if (ptr == NULL) {
free((void *)hostService->conf);
hostService->conf = NULL;
hostService->alloced = 0;
return (NULL);
}
bzero(ptr, strlen(linep) + 1);
hostService->conf = ptr;
hostService->alloced = strlen(linep) + 1;
}
if (remove_ldap(hostService->conf, linep, hostService->alloced))
return (hostService->conf);
else
return (NULL);
}
static
void
_initf_ipnodes(nss_db_params_t *p)
{
char *services = get_db("ipnodes");
p->name = NSS_DBNAM_IPNODES;
p->flags |= NSS_USE_DEFAULT_CONFIG;
p->default_config = services == NULL ? "" : services;
}
static
void
_initf_hosts(nss_db_params_t *p)
{
char *services = get_db("hosts");
p->name = NSS_DBNAM_HOSTS;
p->flags |= NSS_USE_DEFAULT_CONFIG;
p->default_config = services == NULL ? "" : services;
}
/*
* This function is an analog of the standard gethostbyaddr_r()
* function with an exception that it removes the 'ldap' back-end
* (if any) from the host/ipnodes nsswitch's databases and then
* looks up using remaining back-ends.
*/
static
struct hostent *
_filter_gethostbyaddr_r(const char *addr, int len, int type,
struct hostent *result, char *buffer, int buflen,
int *h_errnop)
{
DEFINE_NSS_DB_ROOT(db_root_hosts);
DEFINE_NSS_DB_ROOT(db_root_ipnodes);
nss_XbyY_args_t arg;
nss_status_t res;
int (*str2ent)();
void (*nss_initf)();
nss_db_root_t *nss_db_root;
int dbop;
switch (type) {
case AF_INET:
str2ent = str2hostent;
nss_initf = _initf_hosts;
nss_db_root = &db_root_hosts;
dbop = NSS_DBOP_HOSTS_BYADDR;
break;
case AF_INET6:
str2ent = str2hostent6;
nss_initf = _initf_ipnodes;
nss_db_root = &db_root_ipnodes;
dbop = NSS_DBOP_IPNODES_BYADDR;
default:
return (NULL);
}
NSS_XbyY_INIT(&arg, result, buffer, buflen, str2ent);
arg.key.hostaddr.addr = addr;
arg.key.hostaddr.len = len;
arg.key.hostaddr.type = type;
arg.stayopen = 0;
arg.h_errno = NETDB_SUCCESS;
res = nss_search(nss_db_root, nss_initf, dbop, &arg);
arg.status = res;
*h_errnop = arg.h_errno;
return (struct hostent *)NSS_XbyY_FINI(&arg);
}
/*
* This routine is an analog of gethostbyaddr_r().
* But in addition __s_api_hostname2ip() performs the "LDAP SKIPDB" activity
* prior to querying the name services.
* If the buffer is not big enough to accommodate a returning data,
* NULL is returned and h_errnop is set to TRY_AGAIN.
*/
struct hostent *
__s_api_hostname2ip(const char *name,
struct hostent *result, char *buffer, int buflen,
int *h_errnop)
{
DEFINE_NSS_DB_ROOT(db_root_ipnodes);
DEFINE_NSS_DB_ROOT(db_root_hosts);
nss_XbyY_args_t arg;
nss_status_t res;
struct in_addr addr;
struct in6_addr addr6;
if (inet_pton(AF_INET, name, &addr) > 0) {
if (buflen < strlen(name) + 1 +
sizeof (char *) * 2 + /* The h_aliases member */
sizeof (struct in_addr) +
sizeof (struct in_addr *) * 2) {
*h_errnop = TRY_AGAIN;
return (NULL);
}
result->h_addrtype = AF_INET;
result->h_length = sizeof (struct in_addr);
(void) strncpy(buffer, name, buflen);
result->h_addr_list = (char **)ROUND_UP(
buffer + strlen(name) + 1,
sizeof (char *));
result->h_aliases = (char **)ROUND_UP(result->h_addr_list,
sizeof (char *));
result->h_aliases[0] = buffer;
result->h_aliases[1] = NULL;
bcopy(&addr,
buffer + buflen - sizeof (struct in_addr),
sizeof (struct in_addr));
result->h_addr_list[0] = buffer + buflen -
sizeof (struct in_addr);
result->h_addr_list[1] = NULL;
result->h_aliases = result->h_addr_list;
result->h_name = buffer;
*h_errnop = NETDB_SUCCESS;
return (result);
}
if (inet_pton(AF_INET6, name, &addr6) > 0) {
if (buflen < strlen(name) + 1 +
sizeof (char *) * 2 + /* The h_aliases member */
sizeof (struct in6_addr) +
sizeof (struct in6_addr *) * 2) {
*h_errnop = TRY_AGAIN;
return (NULL);
}
result->h_addrtype = AF_INET6;
result->h_length = sizeof (struct in6_addr);
(void) strncpy(buffer, name, buflen);
result->h_addr_list = (char **)ROUND_UP(
buffer + strlen(name) + 1,
sizeof (char *));
result->h_aliases = (char **)ROUND_UP(result->h_addr_list,
sizeof (char *));
result->h_aliases[0] = buffer;
result->h_aliases[1] = NULL;
bcopy(&addr6,
buffer + buflen - sizeof (struct in6_addr),
sizeof (struct in6_addr));
result->h_addr_list[0] = buffer + buflen -
sizeof (struct in6_addr);
result->h_addr_list[1] = NULL;
result->h_aliases = result->h_addr_list;
result->h_name = buffer;
*h_errnop = NETDB_SUCCESS;
return (result);
}
NSS_XbyY_INIT(&arg, result, buffer, buflen, str2hostent);
arg.key.name = name;
arg.stayopen = 0;
arg.h_errno = NETDB_SUCCESS;
res = nss_search(&db_root_ipnodes, _initf_ipnodes,
NSS_DBOP_IPNODES_BYNAME, &arg);
if (res == NSS_NOTFOUND || res == NSS_UNAVAIL) {
arg.h_errno = NETDB_SUCCESS;
res = nss_search(&db_root_hosts, _initf_hosts,
NSS_DBOP_HOSTS_BYNAME, &arg);
}
arg.status = res;
*h_errnop = arg.h_errno;
return ((struct hostent *)NSS_XbyY_FINI(&arg));
}
/*
* Convert an IP to a host name.
*/
ns_ldap_return_code
__s_api_ip2hostname(char *ipaddr, char **hostname) {
struct in_addr in;
struct in6_addr in6;
struct hostent *hp = NULL, hostEnt;
char buffer[NSS_BUFLEN_HOSTS];
int buflen = NSS_BUFLEN_HOSTS;
char *start = NULL,
*end = NULL,
delim = '\0';
char *port = NULL,
*addr = NULL;
int errorNum = 0,
len = 0;
if (ipaddr == NULL || hostname == NULL)
return (NS_LDAP_INVALID_PARAM);
*hostname = NULL;
if ((addr = strdup(ipaddr)) == NULL)
return (NS_LDAP_MEMORY);
if (addr[0] == '[') {
/*
* Assume it's [ipv6]:port
* Extract ipv6 IP
*/
start = &addr[1];
if ((end = strchr(addr, ']')) != NULL) {
*end = '\0';
delim = ']';
if (*(end + 1) == ':')
/* extract port */
port = end + 2;
} else {
free(addr);
return (NS_LDAP_INVALID_PARAM);
}
} else if ((end = strchr(addr, ':')) != NULL) {
/* assume it's ipv4:port */
*end = '\0';
delim = ':';
start = addr;
port = end + 1;
} else
/* No port */
start = addr;
if (inet_pton(AF_INET, start, &in) == 1) {
/* IPv4 */
hp = _filter_gethostbyaddr_r((char *)&in,
sizeof (in.s_addr),
AF_INET,
&hostEnt,
buffer,
buflen,
&errorNum);
if (hp && hp->h_name) {
/* hostname + '\0' */
len = strlen(hp->h_name) + 1;
if (port)
/* ':' + port */
len += strlen(port) + 1;
if ((*hostname = malloc(len)) == NULL) {
free(addr);
return (NS_LDAP_MEMORY);
}
if (port)
(void) snprintf(*hostname, len, "%s:%s",
hp->h_name, port);
else
(void) strlcpy(*hostname, hp->h_name, len);
free(addr);
return (NS_LDAP_SUCCESS);
} else {
free(addr);
return (NS_LDAP_NOTFOUND);
}
} else if (inet_pton(AF_INET6, start, &in6) == 1) {
/* IPv6 */
hp = _filter_gethostbyaddr_r((char *)&in6,
sizeof (in6.s6_addr),
AF_INET6,
&hostEnt,
buffer,
buflen,
&errorNum);
if (hp && hp->h_name) {
/* hostname + '\0' */
len = strlen(hp->h_name) + 1;
if (port)
/* ':' + port */
len += strlen(port) + 1;
if ((*hostname = malloc(len)) == NULL) {
free(addr);
return (NS_LDAP_MEMORY);
}
if (port)
(void) snprintf(*hostname, len, "%s:%s",
hp->h_name, port);
else
(void) strlcpy(*hostname, hp->h_name, len);
free(addr);
return (NS_LDAP_SUCCESS);
} else {
free(addr);
return (NS_LDAP_NOTFOUND);
}
} else {
/*
* A hostname
* Return it as is
*/
if (end)
*end = delim;
*hostname = addr;
return (NS_LDAP_SUCCESS);
}
}
/*
* This function obtains data returned by an LDAP search request and puts it
* in a string in the ldap_cachmgr(1) door call format.
*
* INPUT:
* ld - a pointer to an LDAP structure used for a search operation,
* result_msg - a pointer to an LDAPMessage returned by the search,
* include_names - if set to INCLUDE_ATTR_NAMES, the output buffer will
* contain attribute names.
* Otherwise, only values will be return.
*
* OUTPUT:
* a buffer containing server info in the following format:
* [<attribute name>=]value [DOORLINESEP [<attribute name>=]value ]...]
* Should be free'ed by the caller.
*/
static
ns_ldap_return_code
convert_to_door_line(LDAP* ld,
LDAPMessage *result_msg,
int include_names,
int is_profile,
char **door_line)
{
uint32_t total_length = 0, attr_len = 0, i;
LDAPMessage *e;
char *a, **vals;
BerElement *ber;
int seen_objectclass = 0, rewind = 0;
if (!door_line) {
return (NS_LDAP_INVALID_PARAM);
}
*door_line = NULL;
if ((e = ldap_first_entry(ld, result_msg)) == NULL) {
return (NS_LDAP_NOTFOUND);
}
/* calculate length of received data */
for (a = ldap_first_attribute(ld, e, &ber);
a != NULL;
a = ldap_next_attribute(ld, e, ber)) {
if ((vals = ldap_get_values(ld, e, a)) != NULL) {
for (i = 0; vals[i] != NULL; i++) {
total_length += (include_names ?
strlen(a) : 0) +
strlen(vals[i]) +
strlen(DOORLINESEP) +1;
}
ldap_value_free(vals);
}
ldap_memfree(a);
}
if (ber != NULL) {
ber_free(ber, 0);
}
if (total_length == 0) {
return (NS_LDAP_NOTFOUND);
}
/* copy the data */
/* add 1 for the last '\0' */
*door_line = (char *)malloc(total_length + 1);
if (*door_line == NULL) {
return (NS_LDAP_MEMORY);
}
/* make it an empty string first */
**door_line = '\0';
a = ldap_first_attribute(ld, e, &ber);
while (a != NULL) {
if (is_profile) {
/*
* If we're processing DUAConfigProfile, we need to make
* sure we put objectclass attribute first.
* __s_api_create_config_door_str depends on that.
*/
if (seen_objectclass) {
if (strcasecmp(a, "objectclass") == 0) {
/* Skip objectclass now. */
a = ldap_next_attribute(ld, e, ber);
continue;
}
} else {
if (strcasecmp(a, "objectclass") == 0) {
seen_objectclass = 1;
rewind = 1;
} else {
/* Skip all but objectclass first. */
a = ldap_next_attribute(ld, e, ber);
continue;
}
}
}
if ((vals = ldap_get_values(ld, e, a)) != NULL) {
for (i = 0; vals[i] != NULL; i++) {
if (include_names) {
attr_len += strlen(a);
}
attr_len += strlen(vals[i]) +
strlen(DOORLINESEP) + 2;
if (include_names) {
(void) snprintf(*door_line +
strlen(*door_line),
attr_len,
"%s=%s%s",
a, vals[i],
DOORLINESEP);
} else {
(void) snprintf(*door_line +
strlen(*door_line),
attr_len,
"%s%s",
vals[i],
DOORLINESEP);
}
}
ldap_value_free(vals);
}
ldap_memfree(a);
/* Rewind */
if (rewind) {
if (ber != NULL) {
ber_free(ber, 0);
}
a = ldap_first_attribute(ld, e, &ber);
rewind = 0;
} else {
a = ldap_next_attribute(ld, e, ber);
}
}
if (ber != NULL) {
ber_free(ber, 0);
}
if (e != result_msg) {
(void) ldap_msgfree(e);
}
return (NS_LDAP_SUCCESS);
}
/*
* This function looks up the base DN of a directory serving
* a specified domain name.
*
* INPUT:
* ld - a pointer to an LDAP structure used for the search operation,
* domain_name - the name of a domain.
*
* OUTPUT:
* a buffer containing a directory's base DN found.
* Should be free'ed by the caller.
*/
static
ns_ldap_return_code
getDirBaseDN(LDAP *ld, const char *domain_name, char **dir_base_dn)
{
struct timeval tv = {NS_DEFAULT_SEARCH_TIMEOUT, 0};
char *attrs[2], *DNlist, *rest, *ptr;
char filter[BUFSIZ], *a = NULL;
int ldap_rc;
LDAPMessage *resultMsg = NULL;
ns_ldap_return_code ret_code;
/* Get the whole list of naming contexts residing on the server */
attrs[0] = "namingcontexts";
attrs[1] = NULL;
ldap_rc = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE, "(objectclass=*)",
attrs, 0, NULL, NULL, &tv, 0, &resultMsg);
switch (ldap_rc) {
/* If successful, the root DSE was found. */
case LDAP_SUCCESS:
break;
/*
* If the root DSE was not found, the server does
* not comply with the LDAP v3 protocol.
*/
default:
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
return (NS_LDAP_OP_FAILED);
break;
}
if ((ret_code = convert_to_door_line(ld,
resultMsg,
DONT_INCLUDE_ATTR_NAMES,
NOT_PROFILE,
&DNlist)) != NS_LDAP_SUCCESS) {
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
return (ret_code);
}
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
if (DNlist == NULL ||
(ptr = strtok_r(DNlist, DOORLINESEP, &rest)) == NULL) {
return (NS_LDAP_NOTFOUND);
}
attrs[0] = "dn";
do {
/*
* For each context try to find a NIS domain object
* which 'nisdomain' attribute's value matches the domain name
*/
(void) snprintf(filter,
BUFSIZ,
"(&(objectclass=nisDomainObject)"
"(nisdomain=%s))",
domain_name);
ldap_rc = ldap_search_ext_s(ld,
ptr,
LDAP_SCOPE_SUBTREE,
filter,
attrs,
0,
NULL,
NULL,
&tv,
0,
&resultMsg);
if (ldap_rc != LDAP_SUCCESS) {
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
continue;
}
if ((a = ldap_get_dn(ld, resultMsg)) != NULL) {
*dir_base_dn = strdup(a);
ldap_memfree(a);
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
if (!*dir_base_dn) {
free(DNlist);
return (NS_LDAP_MEMORY);
}
break;
}
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
} while (ptr = strtok_r(NULL, DOORLINESEP, &rest));
free(DNlist);
if (!*dir_base_dn) {
return (NS_LDAP_NOTFOUND);
}
return (NS_LDAP_SUCCESS);
}
/*
* This function parses the results of a search operation
* requesting a DUAProfile.
*
* INPUT:
* ld - a pointer to an LDAP structure used for the search operation,
* dir_base_dn - the name of a directory's base DN,
* profile_name - the name of a DUAProfile to be obtained.
*
* OUTPUT:
* a buffer containing the DUAProfile in the following format:
* [<attribute name>=]value [DOORLINESEP [<attribute name>=]value ]...]
* Should be free'ed by the caller.
*/
static
ns_ldap_return_code
getDUAProfile(LDAP *ld,
const char *dir_base_dn,
const char *profile_name,
char **profile)
{
char searchBaseDN[BUFSIZ], filter[BUFSIZ];
LDAPMessage *resultMsg = NULL;
struct timeval tv = {NS_DEFAULT_SEARCH_TIMEOUT, 0};
int ldap_rc;
ns_ldap_return_code ret_code;
(void) snprintf(searchBaseDN, BUFSIZ, "ou=profile,%s", dir_base_dn);
(void) snprintf(filter,
BUFSIZ,
_PROFILE_FILTER,
_PROFILE1_OBJECTCLASS,
_PROFILE2_OBJECTCLASS,
profile_name);
ldap_rc = ldap_search_ext_s(ld,
searchBaseDN,
LDAP_SCOPE_SUBTREE,
filter,
NULL,
0,
NULL,
NULL,
&tv,
0,
&resultMsg);
switch (ldap_rc) {
/* If successful, the DUA profile was found. */
case LDAP_SUCCESS:
break;
/*
* If the root DSE was not found, the server does
* not comply with the LDAP v3 protocol.
*/
default:
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
return (NS_LDAP_OP_FAILED);
break;
}
ret_code = convert_to_door_line(ld,
resultMsg,
INCLUDE_ATTR_NAMES,
IS_PROFILE,
profile);
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
return (ret_code);
}
/*
* This function derives the directory's base DN from a provided domain name.
*
* INPUT:
* domain_name - the name of a domain to be converted into a base DN,
* buffer - contains the derived base DN,
* buf_len - the length of the buffer.
*
* OUTPUT:
* The function returns the address of the buffer or NULL.
*/
static
char *
domainname2baseDN(char *domain_name, char *buffer, uint16_t buf_len)
{
char *nextDC, *chr;
uint16_t i, length;
if (!domain_name || !buffer || buf_len == 0) {
return (NULL);
}
buffer[0] = '\0';
nextDC = chr = domain_name;
length = strlen(domain_name);
for (i = 0; i < length + 1; ++i, ++chr) {
/* Simply replace dots with "dc=" */
if (*chr != '.' && *chr != '\0') {
continue;
}
*chr = '\0';
if (strlcat(buffer, "dc=", buf_len) >= buf_len)
return (NULL);
if (strlcat(buffer, nextDC, buf_len) >= buf_len)
return (NULL);
if (i < length) {
/*
* The end of the domain name
* has not been reached yet
*/
if (strlcat(buffer, ",", buf_len) >= buf_len)
return (NULL);
nextDC = chr + 1;
*chr = '.';
}
}
return (buffer);
}
/*
* This function obtains the directory's base DN and a DUAProfile
* from a specified server.
*
* INPUT:
* server - a structure describing a server to connect to and
* a DUAProfile to be obtained from the server,
* cred - credentials to be used during establishing connections to
* the server.
*
* OUTPUT:
* dua_profile - a buffer containing the DUAProfile in the following format:
* [<attribute name>=]value [DOORLINESEP [<attribute name>=]value ]...]
* dir_base_dn - a buffer containing the base DN,
* errorp - an error object describing an error, if any.
*
* All the output data structures should be free'ed by the caller.
*/
ns_ldap_return_code
__ns_ldap_getConnectionInfoFromDUA(const ns_dir_server_t *server,
const ns_cred_t *cred,
char **dua_profile,
char **dir_base_dn,
ns_ldap_error_t **errorp)
{
char serverAddr[MAX_HOSTADDR_LEN];
char *dirBaseDN = NULL, *duaProfile = NULL;
ns_cred_t default_cred;
ns_ldap_return_code ret_code;
ns_config_t *config_struct = __s_api_create_config();
ConnectionID sessionId = 0;
Connection *session = NULL;
char errmsg[MAXERROR];
char buffer[NSS_BUFLEN_HOSTS];
ns_conn_user_t *cu = NULL;
if (errorp == NULL) {
__s_api_destroy_config(config_struct);
return (NS_LDAP_INVALID_PARAM);
}
*errorp = NULL;
if (server == NULL) {
__s_api_destroy_config(config_struct);
return (NS_LDAP_INVALID_PARAM);
}
if (config_struct == NULL) {
return (NS_LDAP_MEMORY);
}
/*
* If no credentials are specified, try to establish a connection
* as anonymous.
*/
if (!cred) {
default_cred.cred.unix_cred.passwd = NULL;
default_cred.cred.unix_cred.userID = NULL;
default_cred.auth.type = NS_LDAP_AUTH_NONE;
}
/* Now create a default LDAP configuration */
(void) strncpy(buffer, server->server, sizeof (buffer));
if (__ns_ldap_setParamValue(config_struct, NS_LDAP_SERVERS_P, buffer,
errorp) != NS_LDAP_SUCCESS) {
__s_api_destroy_config(config_struct);
return (NS_LDAP_CONFIG);
}
/* Put together the address and the port specified by the user app. */
if (server->port > 0) {
(void) snprintf(serverAddr,
sizeof (serverAddr),
"%s:%hu",
buffer,
server->port);
} else {
(void) strncpy(serverAddr, buffer, sizeof (serverAddr));
}
/*
* There is no default value for the 'Default Search Base DN' attribute.
* Derive one from the domain name to make __s_api_crosscheck() happy.
*/
if (domainname2baseDN(server->domainName ?
server->domainName : config_struct->domainName,
buffer, NSS_BUFLEN_HOSTS) == NULL) {
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("Can not convert %s into a base DN name"),
server->domainName ?
server->domainName : config_struct->domainName);
MKERROR(LOG_ERR,
*errorp,
NS_LDAP_INTERNAL,
strdup(errmsg),
NS_LDAP_MEMORY);
__s_api_destroy_config(config_struct);
return (NS_LDAP_INTERNAL);
}
if (__ns_ldap_setParamValue(config_struct, NS_LDAP_SEARCH_BASEDN_P,
buffer, errorp) != NS_LDAP_SUCCESS) {
__s_api_destroy_config(config_struct);
return (NS_LDAP_CONFIG);
}
if (__s_api_crosscheck(config_struct, errmsg, B_FALSE) != NS_SUCCESS) {
__s_api_destroy_config(config_struct);
return (NS_LDAP_CONFIG);
}
__s_api_init_config(config_struct);
__s_api_setInitMode();
cu = __s_api_conn_user_init(NS_CONN_USER_SEARCH, NULL, B_FALSE);
if (cu == NULL) {
return (NS_LDAP_INTERNAL);
}
if ((ret_code = __s_api_getConnection(serverAddr,
NS_LDAP_NEW_CONN,
cred ? cred : &default_cred,
&sessionId,
&session,
errorp,
0,
0,
cu)) != NS_LDAP_SUCCESS) {
__s_api_conn_user_free(cu);
__s_api_unsetInitMode();
return (ret_code);
}
__s_api_unsetInitMode();
if ((ret_code = getDirBaseDN(session->ld,
server->domainName ?
server->domainName :
config_struct->domainName,
&dirBaseDN)) != NS_LDAP_SUCCESS) {
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("Can not find the "
"nisDomainObject for domain %s\n"),
server->domainName ?
server->domainName : config_struct->domainName);
MKERROR(LOG_ERR,
*errorp,
ret_code,
strdup(errmsg),
NS_LDAP_MEMORY);
__s_api_conn_user_free(cu);
DropConnection(sessionId, NS_LDAP_NEW_CONN);
return (ret_code);
}
/*
* And here obtain a DUAProfile which will be used
* as a real configuration.
*/
if ((ret_code = getDUAProfile(session->ld,
dirBaseDN,
server->profileName ?
server->profileName : "default",
&duaProfile)) != NS_LDAP_SUCCESS) {
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("Can not find the "
"%s DUAProfile\n"),
server->profileName ?
server->profileName : "default");
MKERROR(LOG_ERR,
*errorp,
ret_code,
strdup(errmsg),
NS_LDAP_MEMORY);
__s_api_conn_user_free(cu);
DropConnection(sessionId, NS_LDAP_NEW_CONN);
return (ret_code);
}
if (dir_base_dn) {
*dir_base_dn = dirBaseDN;
} else {
free(dirBaseDN);
}
if (dua_profile) {
*dua_profile = duaProfile;
} else {
free(duaProfile);
}
__s_api_conn_user_free(cu);
DropConnection(sessionId, NS_LDAP_NEW_CONN);
return (NS_LDAP_SUCCESS);
}
/*
* This function obtains the root DSE from a specified server.
*
* INPUT:
* server_addr - an adress of a server to be connected to.
*
* OUTPUT:
* root_dse - a buffer containing the root DSE in the following format:
* [<attribute name>=]value [DOORLINESEP [<attribute name>=]value ]...]
* For example: ( here | used as DOORLINESEP for visual purposes)
* supportedControl=1.1.1.1|supportedSASLmechanisms=EXTERNAL
* Should be free'ed by the caller.
*/
ns_ldap_return_code
__ns_ldap_getRootDSE(const char *server_addr,
char **root_dse,
ns_ldap_error_t **errorp,
int anon_fallback)
{
char errmsg[MAXERROR];
ns_ldap_return_code ret_code;
ConnectionID sessionId = 0;
Connection *session = NULL;
struct timeval tv = {NS_DEFAULT_SEARCH_TIMEOUT, 0};
char *attrs[3];
int ldap_rc, ldaperrno = 0;
LDAPMessage *resultMsg = NULL;
void **paramVal = NULL;
ns_cred_t anon;
ns_conn_user_t *cu = NULL;
if (errorp == NULL) {
return (NS_LDAP_INVALID_PARAM);
}
*errorp = NULL;
if (!root_dse) {
return (NS_LDAP_INVALID_PARAM);
}
if (!server_addr) {
return (NS_LDAP_INVALID_PARAM);
}
__s_api_setInitMode();
cu = __s_api_conn_user_init(NS_CONN_USER_SEARCH, NULL, B_FALSE);
if (cu == NULL) {
return (NS_LDAP_INTERNAL);
}
/*
* All the credentials will be taken from the current
* libsldap configuration.
*/
if ((ret_code = __s_api_getConnection(server_addr,
NS_LDAP_NEW_CONN,
NULL,
&sessionId,
&session,
errorp,
0,
0,
cu)) != NS_LDAP_SUCCESS) {
/* Fallback to anonymous mode is disabled. Stop. */
if (anon_fallback == 0) {
syslog(LOG_WARNING,
gettext("libsldap: can not get the root DSE from "
" the %s server: %s. "
"Falling back to anonymous disabled.\n"),
server_addr,
errorp && *errorp && (*errorp)->message ?
(*errorp)->message : "");
if (errorp != NULL && *errorp != NULL) {
(void) __ns_ldap_freeError(errorp);
}
__s_api_unsetInitMode();
return (ret_code);
}
/*
* Fallback to anonymous, non-SSL mode for backward
* compatibility reasons. This mode should only be used when
* this function (__ns_ldap_getRootDSE) is called from
* ldap_cachemgr(1M).
*/
syslog(LOG_WARNING,
gettext("libsldap: Falling back to anonymous, non-SSL"
" mode for __ns_ldap_getRootDSE. %s\n"),
errorp && *errorp && (*errorp)->message ?
(*errorp)->message : "");
/* Setup the anon credential for anonymous connection. */
(void) memset(&anon, 0, sizeof (ns_cred_t));
anon.auth.type = NS_LDAP_AUTH_NONE;
if (*errorp != NULL) {
(void) __ns_ldap_freeError(errorp);
}
*errorp = NULL;
ret_code = __s_api_getConnection(server_addr,
NS_LDAP_NEW_CONN,
&anon,
&sessionId,
&session,
errorp,
0,
0,
cu);
if (ret_code != NS_LDAP_SUCCESS) {
__s_api_conn_user_free(cu);
__s_api_unsetInitMode();
return (ret_code);
}
}
__s_api_unsetInitMode();
/* get search timeout value */
(void) __ns_ldap_getParam(NS_LDAP_SEARCH_TIME_P, ¶mVal, errorp);
if (paramVal != NULL && *paramVal != NULL) {
tv.tv_sec = **((int **)paramVal);
(void) __ns_ldap_freeParam(¶mVal);
}
if (*errorp != NULL) {
(void) __ns_ldap_freeError(errorp);
}
/* Get root DSE from the server specified by the caller. */
attrs[0] = "supportedControl";
attrs[1] = "supportedsaslmechanisms";
attrs[2] = NULL;
ldap_rc = ldap_search_ext_s(session->ld,
"",
LDAP_SCOPE_BASE,
"(objectclass=*)",
attrs,
0,
NULL,
NULL,
&tv,
0,
&resultMsg);
if (ldap_rc != LDAP_SUCCESS) {
/*
* If the root DSE was not found, the server does
* not comply with the LDAP v3 protocol.
*/
(void) ldap_get_option(session->ld,
LDAP_OPT_ERROR_NUMBER,
&ldaperrno);
(void) snprintf(errmsg,
sizeof (errmsg),
gettext(ldap_err2string(ldaperrno)));
MKERROR(LOG_ERR,
*errorp,
NS_LDAP_OP_FAILED,
strdup(errmsg),
NS_LDAP_MEMORY);
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
__s_api_conn_user_free(cu);
return (NS_LDAP_OP_FAILED);
}
__s_api_conn_user_free(cu);
ret_code = convert_to_door_line(session->ld,
resultMsg,
INCLUDE_ATTR_NAMES,
NOT_PROFILE,
root_dse);
if (ret_code == NS_LDAP_NOTFOUND) {
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("No root DSE data "
"for server %s returned."),
server_addr);
MKERROR(LOG_ERR,
*errorp,
NS_LDAP_NOTFOUND,
strdup(errmsg),
NS_LDAP_MEMORY);
}
if (resultMsg) {
(void) ldap_msgfree(resultMsg);
resultMsg = NULL;
}
DropConnection(sessionId, NS_LDAP_NEW_CONN);
return (ret_code);
}
/*
* This function destroys the local list of root DSEs. The input parameter is
* a pointer to the list to be erased.
* The type of the pointer passed to this function should be
* (dir_server_list_t *).
*/
static
void *
disposeOfOldList(void *param)
{
dir_server_list_t *old_list = (dir_server_list_t *)param;
long i = 0, j;
(void) rw_wrlock(&old_list->listDestroyLock);
/* Destroy the old list */
while (old_list->nsServers[i]) {
free(old_list->nsServers[i]->ip);
j = 0;
while (old_list->nsServers[i]->controls &&
old_list->nsServers[i]->controls[j]) {
free(old_list->nsServers[i]->controls[j]);
++j;
}
free(old_list->nsServers[i]->controls);
j = 0;
while (old_list->nsServers[i]->saslMech &&
old_list->nsServers[i]->saslMech[j]) {
free(old_list->nsServers[i]->saslMech[j]);
++j;
}
free(old_list->nsServers[i]->saslMech);
++i;
}
/*
* All the structures pointed by old_list->nsServers were allocated
* in one chunck. The nsServers[0] pointer points to the beginning
* of that chunck.
*/
free(old_list->nsServers[0]);
free(old_list->nsServers);
(void) rw_unlock(&old_list->listDestroyLock);
(void) rwlock_destroy(&old_list->listDestroyLock);
free(old_list);
return (NULL);
}
/*
* This function cancels the Standalone mode and destroys the list of root DSEs.
*/
void
__ns_ldap_cancelStandalone(void)
{
dir_server_list_t *old_list;
(void) mutex_lock(&dir_servers.listReplaceLock);
dir_servers.standalone = 0;
if (!dir_servers.list) {
(void) mutex_unlock(&dir_servers.listReplaceLock);
return;
}
old_list = dir_servers.list;
dir_servers.list = NULL;
(void) mutex_unlock(&dir_servers.listReplaceLock);
(void) disposeOfOldList(old_list);
}
static
void*
create_ns_servers_entry(void *param)
{
#define CHUNK_SIZE 16
dir_server_t *server = (dir_server_t *)param;
ns_ldap_return_code *retCode = calloc(1,
sizeof (ns_ldap_return_code));
uint32_t sc_counter = 0, sm_counter = 0;
uint32_t sc_mem_blocks = 1, sm_mem_blocks = 1;
char *rootDSE = NULL, *attr, *val, *rest, **ptr;
ns_ldap_error_t *error = NULL;
if (retCode == NULL) {
return (NULL);
}
/*
* We call this function in non anon-fallback mode because we
* want the whole procedure to fail as soon as possible to
* indicate there are problems with connecting to the server.
*/
*retCode = __ns_ldap_getRootDSE(server->ip,
&rootDSE,
&error,
SA_ALLOW_FALLBACK);
if (*retCode == NS_LDAP_MEMORY) {
free(retCode);
return (NULL);
}
/*
* If the root DSE can not be obtained, log an error and keep the
* server.
*/
if (*retCode != NS_LDAP_SUCCESS) {
server->status = INFO_SERVER_ERROR;
syslog(LOG_WARNING,
gettext("libsldap (\"standalone\" mode): "
"can not obtain the root DSE from %s. %s"),
server->ip,
error && error->message ? error->message : "");
if (error) {
(void) __ns_ldap_freeError(&error);
}
return (retCode);
}
/* Get the first attribute of the root DSE. */
attr = strtok_r(rootDSE, DOORLINESEP, &rest);
if (attr == NULL) {
free(rootDSE);
server->status = INFO_SERVER_ERROR;
syslog(LOG_WARNING,
gettext("libsldap (\"standalone\" mode): "
"the root DSE from %s is empty or corrupted."),
server->ip);
*retCode = NS_LDAP_INTERNAL;
return (retCode);
}
server->controls = (char **)calloc(CHUNK_SIZE, sizeof (char *));
server->saslMech = (char **)calloc(CHUNK_SIZE, sizeof (char *));
if (server->controls == NULL || server->saslMech == NULL) {
free(rootDSE);
free(retCode);
return (NULL);
}
do {
if ((val = strchr(attr, '=')) == NULL) {
continue;
}
++val;
if (strncasecmp(attr,
_SASLMECHANISM,
_SASLMECHANISM_LEN) == 0) {
if (sm_counter == CHUNK_SIZE * sm_mem_blocks - 1) {
ptr = (char **)realloc(server->saslMech,
CHUNK_SIZE *
++sm_mem_blocks *
sizeof (char *));
if (ptr == NULL) {
*retCode = NS_LDAP_MEMORY;
break;
}
bzero((char *)ptr +
(sm_counter + 1) *
sizeof (char *),
CHUNK_SIZE *
sm_mem_blocks *
sizeof (char *) -
(sm_counter + 1) *
sizeof (char *));
server->saslMech = ptr;
}
server->saslMech[sm_counter] = strdup(val);
if (server->saslMech[sm_counter] == NULL) {
*retCode = NS_LDAP_MEMORY;
break;
}
++sm_counter;
continue;
}
if (strncasecmp(attr,
_SUPPORTEDCONTROL,
_SUPPORTEDCONTROL_LEN) == 0) {
if (sc_counter == CHUNK_SIZE * sc_mem_blocks - 1) {
ptr = (char **)realloc(server->controls,
CHUNK_SIZE *
++sc_mem_blocks *
sizeof (char *));
if (ptr == NULL) {
*retCode = NS_LDAP_MEMORY;
break;
}
bzero((char *)ptr +
(sc_counter + 1) *
sizeof (char *),
CHUNK_SIZE *
sc_mem_blocks *
sizeof (char *) -
(sc_counter + 1) *
sizeof (char *));
server->controls = ptr;
}
server->controls[sc_counter] = strdup(val);
if (server->controls[sc_counter] == NULL) {
*retCode = NS_LDAP_MEMORY;
break;
}
++sc_counter;
continue;
}
} while (attr = strtok_r(NULL, DOORLINESEP, &rest));
free(rootDSE);
if (*retCode == NS_LDAP_MEMORY) {
free(retCode);
return (NULL);
}
server->controls[sc_counter] = NULL;
server->saslMech[sm_counter] = NULL;
server->status = INFO_SERVER_UP;
return (retCode);
#undef CHUNK_SIZE
}
/*
* This function creates a new local list of root DSEs from all the servers
* mentioned in the DUAProfile (or local NS BEC) and returns
* a pointer to the list.
*/
static
ns_ldap_return_code
createDirServerList(dir_server_list_t **new_list,
ns_ldap_error_t **errorp)
{
char **serverList;
ns_ldap_return_code retCode = NS_LDAP_SUCCESS;
dir_server_t *tmpSrvArray;
long srvListLength, i;
thread_t *thrPool, thrID;
void *status = NULL;
if (errorp == NULL) {
return (NS_LDAP_INVALID_PARAM);
}
*errorp = NULL;
if (new_list == NULL) {
return (NS_LDAP_INVALID_PARAM);
}
retCode = __s_api_getServers(&serverList, errorp);
if (retCode != NS_LDAP_SUCCESS || serverList == NULL) {
return (retCode);
}
for (i = 0; serverList[i]; ++i) {
;
}
srvListLength = i;
thrPool = calloc(srvListLength, sizeof (thread_t));
if (thrPool == NULL) {
__s_api_free2dArray(serverList);
return (NS_LDAP_MEMORY);
}
*new_list = (dir_server_list_t *)calloc(1,
sizeof (dir_server_list_t));
if (*new_list == NULL) {
__s_api_free2dArray(serverList);
free(thrPool);
return (NS_LDAP_MEMORY);
}
(void) rwlock_init(&(*new_list)->listDestroyLock, USYNC_THREAD, NULL);
(*new_list)->nsServers = (dir_server_t **)calloc(srvListLength + 1,
sizeof (dir_server_t *));
if ((*new_list)->nsServers == NULL) {
free(*new_list);
*new_list = NULL;
__s_api_free2dArray(serverList);
free(thrPool);
return (NS_LDAP_MEMORY);
}
/*
* Allocate a set of dir_server_t structures as an array,
* with one alloc call and then initialize the nsServers pointers
* with the addresses of the array's members.
*/
tmpSrvArray = (dir_server_t *)calloc(srvListLength,
sizeof (dir_server_t));
for (i = 0; i < srvListLength; ++i) {
(*new_list)->nsServers[i] = &tmpSrvArray[i];
(*new_list)->nsServers[i]->info = INFO_STATUS_NEW;
(void) mutex_init(&(*new_list)->nsServers[i]->updateStatus,
USYNC_THREAD,
NULL);
(*new_list)->nsServers[i]->ip = strdup(serverList[i]);
if ((*new_list)->nsServers[i]->ip == NULL) {
retCode = NS_LDAP_MEMORY;
break;
}
(*new_list)->nsServers[i]->status = INFO_SERVER_CONNECTING;
switch (thr_create(NULL,
0,
create_ns_servers_entry,
(*new_list)->nsServers[i],
0,
&thrID)) {
case EAGAIN:
(*new_list)->nsServers[i]->status =
INFO_SERVER_ERROR;
continue;
break;
case ENOMEM:
(*new_list)->nsServers[i]->status =
INFO_SERVER_ERROR;
continue;
break;
default:
thrPool[i] = thrID;
continue;
break;
}
}
for (i = 0; i < srvListLength; ++i) {
if (thrPool[i] != 0 &&
thr_join(thrPool[i], NULL, &status) == 0) {
if (status == NULL) {
/*
* Some memory allocation problems occured. Just
* ignore the server and hope there will be some
* other good ones.
*/
(*new_list)->nsServers[i]->status =
INFO_SERVER_ERROR;
}
free(status);
}
}
__s_api_free2dArray(serverList);
free(thrPool);
if (retCode == NS_LDAP_MEMORY) {
(void) disposeOfOldList(*new_list);
return (NS_LDAP_MEMORY);
}
return (NS_LDAP_SUCCESS);
}
/*
* This functions replaces the local list of root DSEs with a new one and starts
* a thread destroying the old list. There is no need for other threads to wait
* until the old list will be destroyed.
* Since it is possible that more than one thread can start creating the list,
* this function should be protected by mutexes to be sure that only one thread
* performs the initialization.
*/
static
ns_ldap_return_code
initGlobalList(ns_ldap_error_t **error)
{
dir_server_list_t *new_list, *old_list;
ns_ldap_return_code ret_code;
thread_t tid;
ret_code = createDirServerList(&new_list, error);
if (ret_code != NS_LDAP_SUCCESS) {
return (ret_code);
}
old_list = dir_servers.list;
dir_servers.list = new_list;
if (old_list) {
(void) thr_create(NULL,
0,
disposeOfOldList,
old_list,
THR_DETACHED,
&tid);
}
return (NS_LDAP_SUCCESS);
}
static
struct {
char *authMech;
ns_auth_t auth;
} authArray[] = {{"none", {NS_LDAP_AUTH_NONE,
NS_LDAP_TLS_NONE,
NS_LDAP_SASL_NONE,
NS_LDAP_SASLOPT_NONE}},
{"simple", {NS_LDAP_AUTH_SIMPLE,
NS_LDAP_TLS_NONE,
NS_LDAP_SASL_NONE,
NS_LDAP_SASLOPT_NONE}},
{"tls:simple", {NS_LDAP_AUTH_TLS,
NS_LDAP_TLS_SIMPLE,
NS_LDAP_SASL_NONE,
NS_LDAP_SASLOPT_NONE}},
{"tls:sasl/CRAM-MD5", {NS_LDAP_AUTH_TLS,
NS_LDAP_TLS_SASL,
NS_LDAP_SASL_CRAM_MD5,
NS_LDAP_SASLOPT_NONE}},
{"tls:sasl/DIGEST-MD5", {NS_LDAP_AUTH_TLS,
NS_LDAP_TLS_SASL,
NS_LDAP_SASL_DIGEST_MD5,
NS_LDAP_SASLOPT_NONE}},
{"sasl/CRAM-MD5", {NS_LDAP_AUTH_SASL,
NS_LDAP_TLS_SASL,
NS_LDAP_SASL_CRAM_MD5,
NS_LDAP_SASLOPT_NONE}},
{"sasl/DIGEST-MD5", {NS_LDAP_AUTH_SASL,
NS_LDAP_TLS_SASL,
NS_LDAP_SASL_DIGEST_MD5,
NS_LDAP_SASLOPT_NONE}},
{"sasl/GSSAPI", {NS_LDAP_AUTH_SASL,
NS_LDAP_TLS_SASL,
NS_LDAP_SASL_GSSAPI,
NS_LDAP_SASLOPT_PRIV | NS_LDAP_SASLOPT_INT}},
{NULL, {NS_LDAP_AUTH_NONE,
NS_LDAP_TLS_NONE,
NS_LDAP_SASL_NONE,
NS_LDAP_SASLOPT_NONE}}};
ns_ldap_return_code
__ns_ldap_initAuth(const char *auth_mech,
ns_auth_t *auth,
ns_ldap_error_t **errorp)
{
uint32_t i;
char errmsg[MAXERROR];
if (auth_mech == NULL) {
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("Invalid authentication method specified\n"));
MKERROR(LOG_WARNING,
*errorp,
NS_LDAP_INTERNAL,
strdup(errmsg),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
for (i = 0; authArray[i].authMech != NULL; ++i) {
if (strcasecmp(auth_mech, authArray[i].authMech) == 0) {
*auth = authArray[i].auth;
return (NS_LDAP_SUCCESS);
}
}
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("Invalid authentication method specified\n"));
MKERROR(LOG_WARNING,
*errorp,
NS_LDAP_INTERNAL,
strdup(errmsg),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
/*
* This function "informs" libsldap that a client application has specified
* a directory to use. The function obtains a DUAProfile, credentials,
* and naming context. During all further operations on behalf
* of the application requested a standalone schema libsldap will use
* the information obtained by __ns_ldap_initStandalone() instead of
* door_call(3C)ing ldap_cachemgr(1M).
*
* INPUT:
* sa_conf - a structure describing where and in which way to obtain all
* the configuration describing how to communicate to
* a choosen LDAP directory,
* errorp - an error object describing an error occured.
*/
ns_ldap_return_code
__ns_ldap_initStandalone(const ns_standalone_conf_t *sa_conf,
ns_ldap_error_t **errorp) {
ns_cred_t user_cred = {{NS_LDAP_AUTH_NONE,
NS_LDAP_TLS_NONE,
NS_LDAP_SASL_NONE,
NS_LDAP_SASLOPT_NONE},
NULL,
{NULL, NULL}};
char *dua_profile = NULL;
char errmsg[MAXERROR];
ns_config_t *cfg;
int ret_code;
if (sa_conf->SA_BIND_DN == NULL && sa_conf->SA_BIND_PWD != NULL ||
sa_conf->SA_BIND_DN != NULL && sa_conf->SA_BIND_PWD == NULL) {
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("Bind DN and bind password"
" must both be provided\n"));
MKERROR(LOG_ERR,
*errorp,
NS_CONFIG_NOTLOADED,
strdup(errmsg),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
switch (sa_conf->type) {
case NS_LDAP_SERVER:
if (sa_conf->SA_BIND_DN != NULL) {
user_cred.cred.unix_cred.userID = sa_conf->SA_BIND_DN;
user_cred.auth.type = NS_LDAP_AUTH_SIMPLE;
}
if (sa_conf->SA_BIND_PWD != NULL) {
user_cred.cred.unix_cred.passwd = sa_conf->SA_BIND_PWD;
}
if (sa_conf->SA_AUTH != NULL) {
user_cred.auth.type = sa_conf->SA_AUTH->type;
user_cred.auth.tlstype = sa_conf->SA_AUTH->tlstype;
user_cred.auth.saslmech = sa_conf->SA_AUTH->saslmech;
user_cred.auth.saslopt = sa_conf->SA_AUTH->saslopt;
}
if (sa_conf->SA_CERT_PATH != NULL) {
user_cred.hostcertpath = sa_conf->SA_CERT_PATH;
}
ret_code = __ns_ldap_getConnectionInfoFromDUA(
&sa_conf->ds_profile.server,
&user_cred,
&dua_profile,
NULL,
errorp);
if (ret_code != NS_LDAP_SUCCESS) {
return (ret_code);
}
cfg = __s_api_create_config_door_str(dua_profile, errorp);
if (cfg == NULL) {
free(dua_profile);
return (NS_LDAP_CONFIG);
}
if (sa_conf->SA_CERT_PATH != NULL) {
char *certPathAttr;
ParamIndexType type;
switch (cfg->version) {
case NS_LDAP_V1:
certPathAttr = "NS_LDAP_CERT_PATH";
break;
default: /* Version 2 */
certPathAttr = "NS_LDAP_HOST_CERTPATH";
break;
}
if (__s_api_get_versiontype(cfg,
certPathAttr,
&type) == 0 &&
(ret_code = __ns_ldap_setParamValue(cfg,
type,
sa_conf->SA_CERT_PATH,
errorp)) != NS_LDAP_SUCCESS) {
__s_api_destroy_config(cfg);
return (ret_code);
}
}
if (sa_conf->SA_BIND_DN != NULL &&
sa_conf->SA_BIND_PWD != NULL) {
char *authMethods;
authMethods = __s_api_strValue(cfg, NS_LDAP_AUTH_P,
NS_FILE_FMT);
if (authMethods != NULL &&
strstr(authMethods, "sasl/GSSAPI") != NULL) {
/*
* The received DUAProfile specifies
* sasl/GSSAPI as an auth. mechanism.
* The bind DN and password will be
* ignored.
*/
syslog(LOG_INFO, gettext("sasl/GSSAPI will be "
"used as an authentication method. "
"The bind DN and password will "
"be ignored.\n"));
free(authMethods);
break;
}
if (authMethods != NULL)
free(authMethods);
if (__ns_ldap_setParamValue(cfg,
NS_LDAP_BINDDN_P,
sa_conf->SA_BIND_DN,
errorp) != NS_LDAP_SUCCESS) {
__s_api_destroy_config(cfg);
return (NS_LDAP_CONFIG);
}
if (__ns_ldap_setParamValue(cfg,
NS_LDAP_BINDPASSWD_P,
sa_conf->SA_BIND_PWD,
errorp) != NS_LDAP_SUCCESS) {
__s_api_destroy_config(cfg);
return (NS_LDAP_CONFIG);
}
}
break;
default: /* NS_CACHEMGR */
return (NS_LDAP_SUCCESS);
}
__s_api_init_config(cfg);
/* Connection management should use the new config now. */
__s_api_reinit_conn_mgmt_new_config(cfg);
__ns_ldap_setServer(TRUE);
(void) mutex_lock(&dir_servers.listReplaceLock);
if ((ret_code = initGlobalList(errorp)) != NS_SUCCESS) {
(void) mutex_unlock(&dir_servers.listReplaceLock);
return (ret_code);
}
dir_servers.standalone = 1;
(void) mutex_unlock(&dir_servers.listReplaceLock);
return (NS_LDAP_SUCCESS);
}
/*
* INPUT:
* serverAddr is the address of a server and
* request is one of the following:
* NS_CACHE_NEW: get a new server address, addr is ignored.
* NS_CACHE_NORESP: get the next one, remove addr from list.
* NS_CACHE_NEXT: get the next one, keep addr on list.
* NS_CACHE_WRITE: get a non-replica server, if possible, if not, same
* as NS_CACHE_NEXT.
* addrType:
* NS_CACHE_ADDR_IP: return server address as is, this is default.
* NS_CACHE_ADDR_HOSTNAME: return server addess as FQDN format, only
* self credential case requires such format.
* OUTPUT:
* ret
*
* a structure of type ns_server_info_t containing the server address
* or name, server controls and supported SASL mechanisms.
* NOTE: Caller should allocate space for the structure and free
* all the space allocated by the function for the information contained
* in the structure.
*
* error - an error object describing an error, if any.
*/
ns_ldap_return_code
__s_api_findRootDSE(const char *request,
const char *serverAddr,
const char *addrType,
ns_server_info_t *ret,
ns_ldap_error_t **error)
{
dir_server_list_t *current_list = NULL;
ns_ldap_return_code ret_code;
long i = 0;
int matched = FALSE;
dir_server_t *server = NULL;
char errmsg[MAXERROR];
(void) mutex_lock(&dir_servers.listReplaceLock);
if (dir_servers.list == NULL) {
(void) mutex_unlock(&dir_servers.listReplaceLock);
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("The list of root DSEs is empty: "
"the Standalone mode was not properly initialized"));
MKERROR(LOG_ERR,
*error,
NS_CONFIG_NOTLOADED,
strdup(errmsg),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
current_list = dir_servers.list;
(void) rw_rdlock(¤t_list->listDestroyLock);
(void) mutex_unlock(&dir_servers.listReplaceLock);
/*
* The code below is mostly the clone of the
* ldap_cachemgr::cachemgr_getldap.c::getldap_get_serverInfo() function.
* Currently we have two different server lists: one is maintained
* by libsldap ('standalone' mode), the other is in ldap_cachemgr
* (a part of its standard functionality).
*/
/*
* If NS_CACHE_NEW, or the server info is new,
* starts from the beginning of the list.
*/
(void) mutex_lock(¤t_list->nsServers[0]->updateStatus);
if (strcmp(request, NS_CACHE_NEW) == 0 ||
current_list->nsServers[0]->info == INFO_STATUS_NEW) {
matched = TRUE;
}
(void) mutex_unlock(¤t_list->nsServers[i]->updateStatus);
for (i = 0; current_list->nsServers[i]; ++i) {
/*
* Lock the updateStatus mutex to
* make sure the server status stays the same
* while the data is being processed.
*/
if (matched == FALSE &&
strcmp(current_list->nsServers[i]->ip,
serverAddr) == 0) {
matched = TRUE;
if (strcmp(request, NS_CACHE_NORESP) == 0) {
/*
* if the server has already been removed,
* don't bother.
*/
(void) mutex_lock(¤t_list->
nsServers[i]->updateStatus);
if (current_list->nsServers[i]->status ==
INFO_SERVER_REMOVED) {
(void) mutex_unlock(¤t_list->
nsServers[i]->
updateStatus);
continue;
}
(void) mutex_unlock(¤t_list->
nsServers[i]->
updateStatus);
/*
* if the information is new,
* give this server one more chance.
*/
(void) mutex_lock(¤t_list->
nsServers[i]->
updateStatus);
if (current_list->nsServers[i]->info ==
INFO_STATUS_NEW &&
current_list->nsServers[i]->status ==
INFO_SERVER_UP) {
server = current_list->nsServers[i];
(void) mutex_unlock(¤t_list->
nsServers[i]->
updateStatus);
break;
} else {
/*
* it is recommended that
* before removing the
* server from the list,
* the server should be
* contacted one more time
* to make sure that it is
* really unavailable.
* For now, just trust the client
* (i.e., the sldap library)
* that it knows what it is
* doing and would not try
* to mess up the server
* list.
*/
current_list->nsServers[i]->status =
INFO_SERVER_REMOVED;
(void) mutex_unlock(¤t_list->
nsServers[i]->
updateStatus);
continue;
}
} else {
/*
* req == NS_CACHE_NEXT or NS_CACHE_WRITE
*/
continue;
}
}
if (matched) {
if (strcmp(request, NS_CACHE_WRITE) == 0) {
/*
* ldap_cachemgr checks here if the server
* is not a non-replica server (a server
* of type INFO_RW_WRITEABLE). But currently
* it considers all the servers in its list
* as those.
*/
(void) mutex_lock(¤t_list->
nsServers[i]->
updateStatus);
if (current_list->nsServers[i]->status ==
INFO_SERVER_UP) {
(void) mutex_unlock(¤t_list->
nsServers[i]->
updateStatus);
server = current_list->nsServers[i];
break;
}
} else {
(void) mutex_lock(¤t_list->
nsServers[i]->
updateStatus);
if (current_list->nsServers[i]->status ==
INFO_SERVER_UP) {
(void) mutex_unlock(¤t_list->
nsServers[i]->
updateStatus);
server = current_list->nsServers[i];
break;
}
}
(void) mutex_unlock(¤t_list->
nsServers[i]->
updateStatus);
}
}
if (server == NULL) {
(void) rw_unlock(¤t_list->listDestroyLock);
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("No servers are available"));
MKERROR(LOG_ERR,
*error,
NS_CONFIG_NOTLOADED,
strdup(errmsg),
NS_LDAP_MEMORY);
return (NS_LDAP_NOTFOUND);
}
(void) mutex_lock(&server->updateStatus);
server->info = INFO_STATUS_OLD;
(void) mutex_unlock(&server->updateStatus);
if (ret == NULL) {
(void) rw_unlock(¤t_list->listDestroyLock);
return (NS_LDAP_SUCCESS);
}
if (strcmp(addrType, NS_CACHE_ADDR_HOSTNAME) == 0) {
ret_code = __s_api_ip2hostname(server->ip, &ret->serverFQDN);
if (ret_code != NS_LDAP_SUCCESS) {
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("The %s address "
"can not be resolved into "
"a host name. Returning "
"the address as it is."),
server->ip);
MKERROR(LOG_ERR,
*error,
NS_CONFIG_NOTLOADED,
strdup(errmsg),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
}
ret->server = strdup(server->ip);
ret->controls = __s_api_cp2dArray(server->controls);
ret->saslMechanisms = __s_api_cp2dArray(server->saslMech);
(void) rw_unlock(¤t_list->listDestroyLock);
return (NS_LDAP_SUCCESS);
}
/*
* This function iterates through the list of the configured LDAP servers
* and "pings" those which are marked as removed or if any error occurred
* during the previous receiving of the server's root DSE. If the
* function is able to reach such a server and get its root DSE, it
* marks the server as on-line. Otherwise, the server's status is set
* to "Error".
* For each server the function tries to connect to, it fires up
* a separate thread and then waits until all the treads finish.
* The function returns NS_LDAP_INTERNAL if the Standalone mode was not
* initialized or was canceled prior to an invocation of
* __ns_ldap_pingOfflineServers().
*/
ns_ldap_return_code
__ns_ldap_pingOfflineServers(void)
{
dir_server_list_t *current_list = NULL;
ns_ldap_return_code retCode = NS_LDAP_SUCCESS;
long srvListLength, i = 0;
thread_t *thrPool, thrID;
void *status = NULL;
(void) mutex_lock(&dir_servers.listReplaceLock);
if (dir_servers.list == NULL) {
(void) mutex_unlock(&dir_servers.listReplaceLock);
return (NS_LDAP_INTERNAL);
}
current_list = dir_servers.list;
(void) rw_wrlock(¤t_list->listDestroyLock);
(void) mutex_unlock(&dir_servers.listReplaceLock);
while (current_list->nsServers[i] != NULL) {
++i;
}
srvListLength = i;
thrPool = calloc(srvListLength, sizeof (thread_t));
if (thrPool == NULL) {
(void) rw_unlock(¤t_list->listDestroyLock);
return (NS_LDAP_MEMORY);
}
for (i = 0; i < srvListLength; ++i) {
if (current_list->nsServers[i]->status != INFO_SERVER_REMOVED &&
current_list->nsServers[i]->status != INFO_SERVER_ERROR) {
continue;
}
current_list->nsServers[i]->status = INFO_SERVER_CONNECTING;
current_list->nsServers[i]->info = INFO_STATUS_NEW;
__s_api_free2dArray(current_list->nsServers[i]->controls);
current_list->nsServers[i]->controls = NULL;
__s_api_free2dArray(current_list->nsServers[i]->saslMech);
current_list->nsServers[i]->saslMech = NULL;
switch (thr_create(NULL,
0,
create_ns_servers_entry,
current_list->nsServers[i],
0,
&thrID)) {
case EAGAIN:
current_list->nsServers[i]->status = INFO_SERVER_ERROR;
continue;
break;
case ENOMEM:
current_list->nsServers[i]->status = INFO_SERVER_ERROR;
retCode = NS_LDAP_MEMORY;
break;
default:
thrPool[i] = thrID;
continue;
break;
}
/* A memory allocation error has occured */
break;
}
for (i = 0; i < srvListLength; ++i) {
if (thrPool[i] != 0 &&
thr_join(thrPool[i], NULL, &status) == 0) {
if (status == NULL) {
current_list->nsServers[i]->status =
INFO_SERVER_ERROR;
retCode = NS_LDAP_MEMORY;
}
free(status);
}
}
(void) rw_unlock(¤t_list->listDestroyLock);
free(thrPool);
return (retCode);
}