summaryrefslogtreecommitdiff
path: root/network/openvpn-auth-ldap/auth-ldap.patch
diff options
context:
space:
mode:
Diffstat (limited to 'network/openvpn-auth-ldap/auth-ldap.patch')
-rw-r--r--network/openvpn-auth-ldap/auth-ldap.patch349
1 files changed, 349 insertions, 0 deletions
diff --git a/network/openvpn-auth-ldap/auth-ldap.patch b/network/openvpn-auth-ldap/auth-ldap.patch
new file mode 100644
index 0000000000..e1cb9e055a
--- /dev/null
+++ b/network/openvpn-auth-ldap/auth-ldap.patch
@@ -0,0 +1,349 @@
+diff -crB auth-ldap-2.0.3/auth-ldap.conf auth-ldap-2.0.3-patched/auth-ldap.conf
+*** auth-ldap-2.0.3/auth-ldap.conf 2007-01-22 12:50:42.000000000 -0600
+--- auth-ldap-2.0.3-patched/auth-ldap.conf 2010-06-29 10:58:40.916276380 -0500
+***************
+*** 47,52 ****
+--- 47,55 ----
+ #PFTable ips_vpn_users
+
+ <Group>
++ # Match full user DN if true, uid only if false
++ RFC2307bis true
++
+ BaseDN "ou=Groups,dc=example,dc=com"
+ SearchFilter "(|(cn=developers)(cn=artists))"
+ MemberAttribute uniqueMember
+diff -crB auth-ldap-2.0.3/src/LFAuthLDAPConfig.m auth-ldap-2.0.3-patched/src/LFAuthLDAPConfig.m
+*** auth-ldap-2.0.3/src/LFAuthLDAPConfig.m 2007-01-22 12:50:42.000000000 -0600
+--- auth-ldap-2.0.3-patched/src/LFAuthLDAPConfig.m 2010-06-29 10:58:40.916276380 -0500
+***************
+*** 79,84 ****
+--- 79,85 ----
+
+ /* Group Section Variables */
+ LF_GROUP_MEMBER_ATTRIBUTE, /* Group Membership Attribute */
++ LF_GROUP_MEMBER_RFC2307BIS, /* Look for full DN for user in attribute */
+
+ /* Misc Shared */
+ LF_UNKNOWN_OPCODE, /* Unknown Opcode */
+***************
+*** 146,151 ****
+--- 147,153 ----
+ static OpcodeTable GroupSectionVariables[] = {
+ /* name opcode multi required */
+ { "MemberAttribute", LF_GROUP_MEMBER_ATTRIBUTE, NO, NO },
++ { "RFC2307bis", LF_GROUP_MEMBER_RFC2307BIS, NO, NO },
+ { NULL, 0 }
+ };
+
+***************
+*** 696,707 ****
+--- 698,719 ----
+
+ switch(opcodeEntry->opcode) {
+ TRLDAPGroupConfig *config;
++ BOOL memberRFC2307BIS;
+
+ case LF_GROUP_MEMBER_ATTRIBUTE:
+ config = [self currentSectionContext];
+ [config setMemberAttribute: [value string]];
+ break;
+
++ case LF_GROUP_MEMBER_RFC2307BIS:
++ config = [self currentSectionContext];
++ if (![value boolValue: &memberRFC2307BIS]) {
++ [self errorBoolValue: value];
++ return;
++ }
++ [config setMemberRFC2307BIS: memberRFC2307BIS];
++ break;
++
+ case LF_LDAP_BASEDN:
+ config = [self currentSectionContext];
+ [config setBaseDN: [value string]];
+diff -crB auth-ldap-2.0.3/src/LFLDAPConnection.h auth-ldap-2.0.3-patched/src/LFLDAPConnection.h
+*** auth-ldap-2.0.3/src/LFLDAPConnection.h 2007-01-22 12:50:42.000000000 -0600
+--- auth-ldap-2.0.3-patched/src/LFLDAPConnection.h 2010-06-29 10:58:40.920285882 -0500
+***************
+*** 56,61 ****
+--- 56,62 ----
+ baseDN: (LFString *) base
+ attributes: (TRArray *) attributes;
+ - (BOOL) compareDN: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value;
++ - (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value;
+
+ - (BOOL) setReferralEnabled: (BOOL) enabled;
+ - (BOOL) setTLSCACertFile: (LFString *) fileName;
+diff -crB auth-ldap-2.0.3/src/LFLDAPConnection.m auth-ldap-2.0.3-patched/src/LFLDAPConnection.m
+*** auth-ldap-2.0.3/src/LFLDAPConnection.m 2007-03-22 15:09:51.000000000 -0500
+--- auth-ldap-2.0.3-patched/src/LFLDAPConnection.m 2010-06-29 10:58:40.920285882 -0500
+***************
+*** 405,410 ****
+--- 405,454 ----
+ return NO;
+ }
+
++ - (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value {
++ struct timeval timeout;
++ LDAPMessage *res;
++ struct berval bval;
++ int err;
++ int msgid;
++
++ /* Set up the ber structure for our value */
++ bval.bv_val = (char *) [value cString];
++ bval.bv_len = [value length] - 1; /* Length includes NULL terminator */
++
++ /* Set up the timeout */
++ timeout.tv_sec = _timeout;
++ timeout.tv_usec = 0;
++
++ /* Perform the compare */
++ if ((err = ldap_compare_ext(ldapConn, [dn cString], [attribute cString], &bval, NULL, NULL, &msgid)) != LDAP_SUCCESS) {
++ [TRLog debug: "LDAP compare failed: %d: %s", err, ldap_err2string(err)];
++ return NO;
++ }
++
++ /* Wait for the result */
++ if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
++ err = ldap_get_errno(ldapConn);
++ if (err == LDAP_TIMEOUT)
++ ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
++
++ [TRLog debug: "ldap_compare_ext failed: %s", ldap_err2string(err)];
++ return NO;
++ }
++
++ /* Check the result */
++ if (ldap_parse_result(ldapConn, res, &err, NULL, NULL, NULL, NULL, 1) != LDAP_SUCCESS) {
++ /* Parsing failed */
++ return NO;
++ }
++ if (err == LDAP_COMPARE_TRUE)
++ return YES;
++ else
++ return NO;
++
++ return NO;
++ }
++
+
+ - (BOOL) _setLDAPOption: (int) opt value: (const char *) value connection: (LDAP *) ldapConn {
+ int err;
+diff -crB auth-ldap-2.0.3/src/TRLDAPEntry.h auth-ldap-2.0.3-patched/src/TRLDAPEntry.h
+*** auth-ldap-2.0.3/src/TRLDAPEntry.h 2006-07-25 18:55:47.000000000 -0500
+--- auth-ldap-2.0.3-patched/src/TRLDAPEntry.h 2010-06-29 10:58:40.920285882 -0500
+***************
+*** 40,50 ****
+--- 40,53 ----
+
+ @interface TRLDAPEntry : TRObject {
+ LFString *_dn;
++ LFString *_rdn;
+ TRHash *_attributes;
+ }
+
+ - (id) initWithDN: (LFString *) dn attributes: (TRHash *) attributes;
+ - (LFString *) dn;
++ - (LFString *) rdn;
++ - (void) setRDN: (LFString *) rdn;
+ - (TRHash *) attributes;
+
+ @end
+diff -crB auth-ldap-2.0.3/src/TRLDAPEntry.m auth-ldap-2.0.3-patched/src/TRLDAPEntry.m
+*** auth-ldap-2.0.3/src/TRLDAPEntry.m 2006-07-25 18:55:47.000000000 -0500
+--- auth-ldap-2.0.3-patched/src/TRLDAPEntry.m 2010-06-29 10:58:40.920285882 -0500
+***************
+*** 42,47 ****
+--- 42,48 ----
+ return self;
+
+ _dn = [dn retain];
++ _rdn = nil;
+ _attributes = [attributes retain];
+
+ return self;
+***************
+*** 49,54 ****
+--- 50,56 ----
+
+ - (void) dealloc {
+ [_dn release];
++ [_rdn release];
+ [_attributes release];
+ [super dealloc];
+ }
+***************
+*** 57,62 ****
+--- 59,72 ----
+ return _dn;
+ }
+
++ - (LFString *) rdn {
++ return _rdn;
++ }
++
++ - (void) setRDN: (LFString *) rdn {
++ _rdn=rdn;
++ }
++
+ - (TRHash *) attributes {
+ return _attributes;
+ }
+diff -crB auth-ldap-2.0.3/src/TRLDAPGroupConfig.h auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.h
+*** auth-ldap-2.0.3/src/TRLDAPGroupConfig.h 2006-07-30 15:19:54.000000000 -0500
+--- auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.h 2010-06-29 10:58:40.920285882 -0500
+***************
+*** 42,47 ****
+--- 42,48 ----
+ LFString *_baseDN;
+ LFString *_searchFilter;
+ LFString *_memberAttribute;
++ BOOL _memberRFC2307BIS;
+ LFString *_pfTable;
+ }
+
+***************
+*** 54,59 ****
+--- 55,63 ----
+ - (LFString *) memberAttribute;
+ - (void) setMemberAttribute: (LFString *) memberAttribute;
+
++ - (BOOL) memberRFC2307BIS;
++ - (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS;
++
+ - (LFString *) pfTable;
+ - (void) setPFTable: (LFString *) tableName;
+
+diff -crB auth-ldap-2.0.3/src/TRLDAPGroupConfig.m auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.m
+*** auth-ldap-2.0.3/src/TRLDAPGroupConfig.m 2006-07-30 15:19:54.000000000 -0500
+--- auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.m 2010-06-29 10:58:40.920285882 -0500
+***************
+*** 81,86 ****
+--- 81,94 ----
+ _memberAttribute = [memberAttribute retain];
+ }
+
++ - (BOOL) memberRFC2307BIS {
++ return (_memberRFC2307BIS);
++ }
++
++ - (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS {
++ _memberRFC2307BIS = memberRFC2307BIS;
++ }
++
+ - (void) setPFTable: (LFString *) tableName {
+ if (_pfTable)
+ [_pfTable release];
+diff -crB auth-ldap-2.0.3/src/auth-ldap.m auth-ldap-2.0.3-patched/src/auth-ldap.m
+*** auth-ldap-2.0.3/src/auth-ldap.m 2007-01-22 12:50:42.000000000 -0600
+--- auth-ldap-2.0.3-patched/src/auth-ldap.m 2010-06-29 11:02:14.680387830 -0500
+***************
+*** 307,320 ****
+ goto error;
+ }
+
+- /* Bind if requested */
+- if ([config bindDN]) {
+- if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) {
+- [TRLog error: "Unable to bind as %s", [[config bindDN] cString]];
+- goto error;
+- }
+- }
+-
+ /* Certificate file */
+ if ((value = [config tlsCACertFile]))
+ if (![ldap setTLSCACertFile: value])
+--- 307,312 ----
+***************
+*** 340,345 ****
+--- 332,345 ----
+ if (![ldap startTLS])
+ goto error;
+
++ /* Bind if requested */
++ if ([config bindDN]) {
++ if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) {
++ [TRLog error: "Unable to bind as %s", [[config bindDN] cString]];
++ goto error;
++ }
++ }
++
+ return ldap;
+
+ error:
+***************
+*** 409,414 ****
+--- 409,415 ----
+ TREnumerator *entryIter;
+ TRLDAPEntry *entry;
+ TRLDAPGroupConfig *result = nil;
++ int userNameLength;
+
+ /*
+ * Groups are loaded into the array in the order that they are listed
+***************
+*** 426,440 ****
+ /* Error occured, all stop */
+ if (!ldapEntries)
+ break;
+!
+! /* Iterate over the returned entries */
+! entryIter = [ldapEntries objectEnumerator];
+! while ((entry = [entryIter nextObject]) != nil) {
+! if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) {
+! /* Group match! */
+! result = groupConfig;
+ }
+ }
+ [entryIter release];
+ [ldapEntries release];
+ if (result)
+--- 427,453 ----
+ /* Error occured, all stop */
+ if (!ldapEntries)
+ break;
+! if ([groupConfig memberRFC2307BIS]) {
+! /* Iterate over the returned entries */
+! entryIter = [ldapEntries objectEnumerator];
+!
+! while ((entry = [entryIter nextObject]) != nil) {
+! if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) {
+! /* Group match! */
+! result = groupConfig;
+! }
+! }
+! } else {
+! /* Iterate over the returned entries */
+! entryIter = [ldapEntries objectEnumerator];
+! while ((entry = [entryIter nextObject]) != nil) {
+! if ([ldap compare: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser rdn]]) {
+! /* Group match! */
+! result = groupConfig;
+! }
+ }
+ }
++
+ [entryIter release];
+ [ldapEntries release];
+ if (result)
+***************
+*** 551,556 ****
+--- 564,570 ----
+ int ret = OPENVPN_PLUGIN_FUNC_ERROR;
+
+ username = get_env("username", envp);
++ LFString *userName=[[LFString alloc]initWithCString: username];
+ password = get_env("password", envp);
+ remoteAddress = get_env("ifconfig_pool_remote_ip", envp);
+
+***************
+*** 568,573 ****
+--- 582,588 ----
+
+ /* Find the user record */
+ ldapUser = find_ldap_user(ldap, ctx->config, username);
++ [ldapUser setRDN: userName];
+ if (!ldapUser) {
+ /* No such user. */
+ [TRLog warning: "LDAP user \"%s\" was not found.", username];