xref: /netbsd-src/external/bsd/openldap/dist/contrib/slapd-modules/lastbind/lastbind.c (revision 549b59ed3ccf0d36d3097190a0db27b770f3a839)
1 /*	$NetBSD: lastbind.c,v 1.2 2021/08/14 16:14:52 christos Exp $	*/
2 
3 /* lastbind.c - Record timestamp of the last successful bind to entries */
4 /* $OpenLDAP$ */
5 /*
6  * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted only as authorized by the OpenLDAP
11  * Public License.
12  *
13  * A copy of this license is available in the file LICENSE in the
14  * top-level directory of the distribution or, alternatively, at
15  * <http://www.OpenLDAP.org/license.html>.
16  */
17 /* ACKNOWLEDGEMENTS:
18  * This work is loosely derived from the ppolicy overlay.
19  */
20 
21 #include <sys/cdefs.h>
22 __RCSID("$NetBSD: lastbind.c,v 1.2 2021/08/14 16:14:52 christos Exp $");
23 
24 #include "portable.h"
25 
26 /*
27  * This file implements an overlay that stores the timestamp of the
28  * last successful bind operation in a directory entry.
29  *
30  * Optimization: to avoid performing a write on each bind,
31  * a precision for this timestamp may be configured, causing it to
32  * only be updated if it is older than a given number of seconds.
33  */
34 
35 #ifdef SLAPD_OVER_LASTBIND
36 
37 #include <ldap.h>
38 #include "lutil.h"
39 #include "slap.h"
40 #include <ac/errno.h>
41 #include <ac/time.h>
42 #include <ac/string.h>
43 #include <ac/ctype.h>
44 #include "slap-config.h"
45 
46 /* Per-instance configuration information */
47 typedef struct lastbind_info {
48 	/* precision to update timestamp in authTimestamp attribute */
49 	int timestamp_precision;
50 	int forward_updates;	/* use frontend for authTimestamp updates */
51 } lastbind_info;
52 
53 /* Operational attributes */
54 static AttributeDescription *ad_authTimestamp;
55 
56 /* This is the definition used by ISODE, as supplied to us in
57  * ITS#6238 Followup #9
58  */
59 static struct schema_info {
60 	char *def;
61 	AttributeDescription **ad;
62 } lastBind_OpSchema[] = {
63 	{	"( 1.3.6.1.4.1.453.16.2.188 "
64 		"NAME 'authTimestamp' "
65 		"DESC 'last successful authentication using any method/mech' "
66 		"EQUALITY generalizedTimeMatch "
67 		"ORDERING generalizedTimeOrderingMatch "
68 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
69 		"SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
70 		&ad_authTimestamp},
71 	{ NULL, NULL }
72 };
73 
74 /* configuration attribute and objectclass */
75 static ConfigTable lastbindcfg[] = {
76 	{ "lastbind-precision", "seconds", 2, 2, 0,
77 	  ARG_INT|ARG_OFFSET,
78 	  (void *)offsetof(lastbind_info, timestamp_precision),
79 	  "( OLcfgCtAt:5.1 "
80 	  "NAME 'olcLastBindPrecision' "
81 	  "DESC 'Precision of authTimestamp attribute' "
82 	  "EQUALITY integerMatch "
83 	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
84 	{ "lastbind_forward_updates", "on|off", 1, 2, 0,
85 	  ARG_ON_OFF|ARG_OFFSET,
86 	  (void *)offsetof(lastbind_info,forward_updates),
87 	  "( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' "
88 	  "DESC 'Allow authTimestamp updates to be forwarded via updateref' "
89 	  "EQUALITY booleanMatch "
90 	  "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
91 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
92 };
93 
94 static ConfigOCs lastbindocs[] = {
95 	{ "( OLcfgCtOc:5.1 "
96 	  "NAME 'olcLastBindConfig' "
97 	  "DESC 'Last Bind configuration' "
98 	  "SUP olcOverlayConfig "
99 	  "MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )",
100 	  Cft_Overlay, lastbindcfg, NULL, NULL },
101 	{ NULL, 0, NULL }
102 };
103 
104 static time_t
parse_time(char * atm)105 parse_time( char *atm )
106 {
107 	struct lutil_tm tm;
108 	struct lutil_timet tt;
109 	time_t ret = (time_t)-1;
110 
111 	if ( lutil_parsetime( atm, &tm ) == 0) {
112 		lutil_tm2time( &tm, &tt );
113 		ret = tt.tt_sec;
114 	}
115 	return ret;
116 }
117 
118 static int
lastbind_bind_response(Operation * op,SlapReply * rs)119 lastbind_bind_response( Operation *op, SlapReply *rs )
120 {
121 	Modifications *mod = NULL;
122 	BackendInfo *bi = op->o_bd->bd_info;
123 	Entry *e;
124 	int rc;
125 
126 	/* we're only interested if the bind was successful */
127 	if ( rs->sr_err != LDAP_SUCCESS )
128 		return SLAP_CB_CONTINUE;
129 
130 	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
131 	op->o_bd->bd_info = bi;
132 
133 	if ( rc != LDAP_SUCCESS ) {
134 		return SLAP_CB_CONTINUE;
135 	}
136 
137 	{
138 		lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
139 
140 		time_t now, bindtime = (time_t)-1;
141 		Attribute *a;
142 		Modifications *m;
143 		char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
144 		struct berval timestamp;
145 
146 		/* get the current time */
147 		now = slap_get_time();
148 
149 		/* get authTimestamp attribute, if it exists */
150 		if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) {
151 			bindtime = parse_time( a->a_nvals[0].bv_val );
152 
153 			if (bindtime != (time_t)-1) {
154 				/* if the recorded bind time is within our precision, we're done
155 				 * it doesn't need to be updated (save a write for nothing) */
156 				if ((now - bindtime) < lbi->timestamp_precision) {
157 					goto done;
158 				}
159 			}
160 		}
161 
162 		/* update the authTimestamp in the user's entry with the current time */
163 		timestamp.bv_val = nowstr;
164 		timestamp.bv_len = sizeof(nowstr);
165 		slap_timestamp( &now, &timestamp );
166 
167 		m = ch_calloc( sizeof(Modifications), 1 );
168 		m->sml_op = LDAP_MOD_REPLACE;
169 		m->sml_flags = 0;
170 		m->sml_type = ad_authTimestamp->ad_cname;
171 		m->sml_desc = ad_authTimestamp;
172 		m->sml_numvals = 1;
173 		m->sml_values = ch_calloc( sizeof(struct berval), 2 );
174 		m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
175 
176 		ber_dupbv( &m->sml_values[0], &timestamp );
177 		ber_dupbv( &m->sml_nvalues[0], &timestamp );
178 		m->sml_next = mod;
179 		mod = m;
180 	}
181 
182 done:
183 	be_entry_release_r( op, e );
184 
185 	/* perform the update, if necessary */
186 	if ( mod ) {
187 		Operation op2 = *op;
188 		SlapReply r2 = { REP_RESULT };
189 		slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
190 		LDAPControl c, *ca[2];
191 		lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
192 
193 		/* This is a DSA-specific opattr, it never gets replicated. */
194 		op2.o_tag = LDAP_REQ_MODIFY;
195 		op2.o_callback = &cb;
196 		op2.orm_modlist = mod;
197 		op2.orm_no_opattrs = 0;
198 		op2.o_dn = op->o_bd->be_rootdn;
199 		op2.o_ndn = op->o_bd->be_rootndn;
200 
201 		/*
202 		 * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy
203 		 *
204 		 * If this server is a shadow and forward_updates is true,
205 		 * use the frontend to perform this modify. That will trigger
206 		 * the update referral, which can then be forwarded by the
207 		 * chain overlay. Obviously the updateref and chain overlay
208 		 * must be configured appropriately for this to be useful.
209 		 */
210 		if ( SLAP_SHADOW( op->o_bd ) && lbi->forward_updates ) {
211 			op2.o_bd = frontendDB;
212 
213 			/* Must use Relax control since these are no-user-mod */
214 			op2.o_relax = SLAP_CONTROL_CRITICAL;
215 			op2.o_ctrls = ca;
216 			ca[0] = &c;
217 			ca[1] = NULL;
218 			BER_BVZERO( &c.ldctl_value );
219 			c.ldctl_iscritical = 1;
220 			c.ldctl_oid = LDAP_CONTROL_RELAX;
221 		} else {
222 			/* If not forwarding, don't update opattrs and don't replicate */
223 			if ( SLAP_SINGLE_SHADOW( op->o_bd )) {
224 				op2.orm_no_opattrs = 1;
225 				op2.o_dont_replicate = 1;
226 			}
227 			/* TODO: not sure what this does in slapo-ppolicy */
228 			/*
229 			op2.o_bd->bd_info = (BackendInfo *)on->on_info;
230 			*/
231 		}
232 
233 		rc = op2.o_bd->be_modify( &op2, &r2 );
234 		slap_mods_free( mod, 1 );
235 	}
236 
237 	op->o_bd->bd_info = bi;
238 	return SLAP_CB_CONTINUE;
239 }
240 
241 static int
lastbind_bind(Operation * op,SlapReply * rs)242 lastbind_bind( Operation *op, SlapReply *rs )
243 {
244 	slap_callback *cb;
245 	slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
246 
247 	/* setup a callback to intercept result of this bind operation
248 	 * and pass along the lastbind_info struct */
249 	cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx );
250 	cb->sc_response = lastbind_bind_response;
251 	cb->sc_next = op->o_callback->sc_next;
252 	cb->sc_private = on->on_bi.bi_private;
253 	op->o_callback->sc_next = cb;
254 
255 	return SLAP_CB_CONTINUE;
256 }
257 
258 static int
lastbind_db_init(BackendDB * be,ConfigReply * cr)259 lastbind_db_init(
260 	BackendDB *be,
261 	ConfigReply *cr
262 )
263 {
264 	slap_overinst *on = (slap_overinst *) be->bd_info;
265 
266 	/* initialize private structure to store configuration */
267 	on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) );
268 
269 	return 0;
270 }
271 
272 static int
lastbind_db_close(BackendDB * be,ConfigReply * cr)273 lastbind_db_close(
274 	BackendDB *be,
275 	ConfigReply *cr
276 )
277 {
278 	slap_overinst *on = (slap_overinst *) be->bd_info;
279 	lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private;
280 
281 	/* free private structure to store configuration */
282 	free( lbi );
283 
284 	return 0;
285 }
286 
287 static slap_overinst lastbind;
288 
lastbind_initialize()289 int lastbind_initialize()
290 {
291 	int i, code;
292 
293 	/* register operational schema for this overlay (authTimestamp attribute) */
294 	for (i=0; lastBind_OpSchema[i].def; i++) {
295 		code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 );
296 		if ( code ) {
297 			Debug( LDAP_DEBUG_ANY,
298 				"lastbind_initialize: register_at failed\n" );
299 			return code;
300 		}
301 	}
302 
303 	ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE;
304 
305 	lastbind.on_bi.bi_type = "lastbind";
306 	lastbind.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
307 	lastbind.on_bi.bi_db_init = lastbind_db_init;
308 	lastbind.on_bi.bi_db_close = lastbind_db_close;
309 	lastbind.on_bi.bi_op_bind = lastbind_bind;
310 
311 	/* register configuration directives */
312 	lastbind.on_bi.bi_cf_ocs = lastbindocs;
313 	code = config_register_schema( lastbindcfg, lastbindocs );
314 	if ( code ) return code;
315 
316 	return overlay_register( &lastbind );
317 }
318 
319 #if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC
init_module(int argc,char * argv[])320 int init_module(int argc, char *argv[]) {
321 	return lastbind_initialize();
322 }
323 #endif
324 
325 #endif	/* defined(SLAPD_OVER_LASTBIND) */
326