*** check_ads_wks_ldap.c Wed Feb 25 10:32:51 2004 --- squid_ldap_auth.c Thu Mar 25 15:03:51 2004 *************** *** 72,79 **** #include #include #include - #include - #include #include "util.h" --- 72,77 ---- *************** *** 100,106 **** static int use_tls = 0; static int version = -1; ! static int checkLDAP(LDAP * ld, const char *userid); static int readSecret(const char *filename); /* Yuck.. we need to glue to different versions of the API */ --- 98,104 ---- static int use_tls = 0; static int version = -1; ! static int checkLDAP(LDAP * ld, const char *userid, const char *password); static int readSecret(const char *filename); /* Yuck.. we need to glue to different versions of the API */ *************** *** 192,198 **** main(int argc, char **argv) { char buf[256]; ! char *ip_addr; char *ldapServer = NULL; LDAP *ld = NULL; int tryagain; --- 190,196 ---- main(int argc, char **argv) { char buf[256]; ! char *user, *passwd; char *ldapServer = NULL; LDAP *ld = NULL; int tryagain; *************** *** 388,415 **** exit(1); } while (fgets(buf, 256, stdin) != NULL) { ! // ! // Read IP-address from stdin ! // ! ip_addr = strtok(buf, " \r\n"); ! if (!ip_addr) { printf("ERR\n"); continue; } ! ! // ! // Translate the IP-address into a hostname ! // ! struct hostent *hp = NULL; ! struct in_addr addr; ! ! addr.s_addr = inet_addr(ip_addr); ! if ( (hp = gethostbyaddr((char *) &addr, 4, AF_INET)) == NULL) { ! printf("ERR\n"); ! continue; ! } ! tryagain = 1; recover: if (ld == NULL) { --- 386,400 ---- exit(1); } while (fgets(buf, 256, stdin) != NULL) { ! user = strtok(buf, " \r\n"); ! passwd = strtok(NULL, "\r\n"); ! if (!user || !passwd || !passwd[0]) { printf("ERR\n"); continue; } ! rfc1738_unescape(user); ! rfc1738_unescape(passwd); tryagain = 1; recover: if (ld == NULL) { *************** *** 469,475 **** squid_ldap_set_referrals(ld, !noreferrals); squid_ldap_set_aliasderef(ld, aliasderef); } ! 
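Review bot: The rewritten read loop (new lines 386-400) never checks that `fgets(buf, 256, stdin)` returned a complete line, so a request longer than 255 bytes is split and its remainder is parsed on the next iteration as a separate `user password` pair. That yields an extra reply for a single request, which can leave the helper out of step with whatever is feeding it on stdin. I would reject any line that has no terminating newline, discard the rest of it, and answer `ERR` once; note that this also rejects a final unterminated line at EOF. The loop body continues past the end of this hunk.

```c
    while (fgets(buf, 256, stdin) != NULL) {
        if (strchr(buf, '\n') == NULL) {
            int ch;

            /* Overlong request: drop the rest of the line so its tail
             * is not parsed as a second request. */
            while ((ch = getchar()) != EOF && ch != '\n')
                ;
            printf("ERR\n");
            continue;
        }
        /* … unchanged: strtok() split into user/passwd, rfc1738_unescape() calls … */
```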
if (checkLDAP(ld, hp->h_name) != 0) { if (tryagain && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) { tryagain = 0; ldap_unbind(ld); --- 454,460 ---- squid_ldap_set_referrals(ld, !noreferrals); squid_ldap_set_aliasderef(ld, aliasderef); } ! if (checkLDAP(ld, user, passwd) != 0) { if (tryagain && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) { tryagain = 0; ldap_unbind(ld); *************** *** 491,500 **** } static int ! checkLDAP(LDAP * ld, const char *userid) { char dn[256]; if (searchfilter) { char filter[256]; LDAPMessage *res = NULL; --- 476,491 ---- } static int ! checkLDAP(LDAP * ld, const char *userid, const char *password) { char dn[256]; + if (!*password) { + /* LDAP can't bind with a blank password. Seen as "anonymous" + * and always granted access + */ + return 1; + } if (searchfilter) { char filter[256]; LDAPMessage *res = NULL; *************** *** 512,520 **** } } snprintf(filter, sizeof(filter), searchfilter, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid); - printf("FRANK 1: %s\n", ldap_err2string(rc)); rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res); - printf("FRANK 2: %s\n", ldap_err2string(rc)); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { /* Everything is fine. This is expected when referrals --- 503,509 ---- *************** *** 550,555 **** --- 539,547 ---- snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn); } + if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS) + return 1; + return 0; }
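Review bot: The early `return 1` for an empty password in `checkLDAP()` (new lines 476-491) returns without performing any operation on `ld`, so the caller's `squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS` test in the 454-460 hunk would read whatever error the handle last recorded and appears able to take the `ldap_unbind()` retry path for what is really a credential rejection. The read loop already rejects `!passwd[0]`, so this looks unreachable from `main()` today, but the guard is there as a second line of defence and should not depend on that. I would state the contract above the function, e.g. `/* Returns 0 on a successful bind, non-zero otherwise; password must be non-NULL and non-empty. */`, and reword the inline comment to say that a simple bind with an empty password is treated as an anonymous bind and therefore succeeds. The function body continues past this hunk.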
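Review bot: `userid` is formatted into the bind DN by `snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn)` just above the new `ldap_simple_bind_s()` call (new lines 539-547), and into `searchfilter` in the 503-509 hunk, without any LDAP escaping. The read loop now passes it through `rfc1738_unescape()` first, so filter and DN metacharacters supplied by the client arrive intact and can change which entry is matched or bound. I would escape the value for each context before formatting (RFC 4515 rules for the filter, RFC 4514 rules for the DN component) and refuse the login when either buffer would be truncated, e.g. `n = snprintf(dn, sizeof(dn), ...); if (n < 0 || (size_t) n >= sizeof(dn)) return 1;`. `checkLDAP()` starts before this hunk, so the declaration of any such helper variable is outside what is shown here.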