1 /* $NetBSD: lastbind.c,v 1.2 2021/08/14 16:14:52 christos Exp $ */
2
3 /* lastbind.c - Record timestamp of the last successful bind to entries */
4 /* $OpenLDAP$ */
5 /*
6 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
11 * Public License.
12 *
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
16 */
17 /* ACKNOWLEDGEMENTS:
18 * This work is loosely derived from the ppolicy overlay.
19 */
20
21 #include <sys/cdefs.h>
22 __RCSID("$NetBSD: lastbind.c,v 1.2 2021/08/14 16:14:52 christos Exp $");
23
24 #include "portable.h"
25
26 /*
27 * This file implements an overlay that stores the timestamp of the
28 * last successful bind operation in a directory entry.
29 *
30 * Optimization: to avoid performing a write on each bind,
31 * a precision for this timestamp may be configured, causing it to
32 * only be updated if it is older than a given number of seconds.
33 */
34
35 #ifdef SLAPD_OVER_LASTBIND
36
37 #include <ldap.h>
38 #include "lutil.h"
39 #include "slap.h"
40 #include <ac/errno.h>
41 #include <ac/time.h>
42 #include <ac/string.h>
43 #include <ac/ctype.h>
44 #include "slap-config.h"
45
46 /* Per-instance configuration information */
47 typedef struct lastbind_info {
48 /* precision to update timestamp in authTimestamp attribute */
49 int timestamp_precision;
50 int forward_updates; /* use frontend for authTimestamp updates */
51 } lastbind_info;
52
53 /* Operational attributes */
54 static AttributeDescription *ad_authTimestamp;
55
56 /* This is the definition used by ISODE, as supplied to us in
57 * ITS#6238 Followup #9
58 */
59 static struct schema_info {
60 char *def;
61 AttributeDescription **ad;
62 } lastBind_OpSchema[] = {
63 { "( 1.3.6.1.4.1.453.16.2.188 "
64 "NAME 'authTimestamp' "
65 "DESC 'last successful authentication using any method/mech' "
66 "EQUALITY generalizedTimeMatch "
67 "ORDERING generalizedTimeOrderingMatch "
68 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
69 "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
70 &ad_authTimestamp},
71 { NULL, NULL }
72 };
73
74 /* configuration attribute and objectclass */
75 static ConfigTable lastbindcfg[] = {
76 { "lastbind-precision", "seconds", 2, 2, 0,
77 ARG_INT|ARG_OFFSET,
78 (void *)offsetof(lastbind_info, timestamp_precision),
79 "( OLcfgCtAt:5.1 "
80 "NAME 'olcLastBindPrecision' "
81 "DESC 'Precision of authTimestamp attribute' "
82 "EQUALITY integerMatch "
83 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
84 { "lastbind_forward_updates", "on|off", 1, 2, 0,
85 ARG_ON_OFF|ARG_OFFSET,
86 (void *)offsetof(lastbind_info,forward_updates),
87 "( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' "
88 "DESC 'Allow authTimestamp updates to be forwarded via updateref' "
89 "EQUALITY booleanMatch "
90 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
91 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
92 };
93
94 static ConfigOCs lastbindocs[] = {
95 { "( OLcfgCtOc:5.1 "
96 "NAME 'olcLastBindConfig' "
97 "DESC 'Last Bind configuration' "
98 "SUP olcOverlayConfig "
99 "MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )",
100 Cft_Overlay, lastbindcfg, NULL, NULL },
101 { NULL, 0, NULL }
102 };
103
104 static time_t
parse_time(char * atm)105 parse_time( char *atm )
106 {
107 struct lutil_tm tm;
108 struct lutil_timet tt;
109 time_t ret = (time_t)-1;
110
111 if ( lutil_parsetime( atm, &tm ) == 0) {
112 lutil_tm2time( &tm, &tt );
113 ret = tt.tt_sec;
114 }
115 return ret;
116 }
117
118 static int
lastbind_bind_response(Operation * op,SlapReply * rs)119 lastbind_bind_response( Operation *op, SlapReply *rs )
120 {
121 Modifications *mod = NULL;
122 BackendInfo *bi = op->o_bd->bd_info;
123 Entry *e;
124 int rc;
125
126 /* we're only interested if the bind was successful */
127 if ( rs->sr_err != LDAP_SUCCESS )
128 return SLAP_CB_CONTINUE;
129
130 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
131 op->o_bd->bd_info = bi;
132
133 if ( rc != LDAP_SUCCESS ) {
134 return SLAP_CB_CONTINUE;
135 }
136
137 {
138 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
139
140 time_t now, bindtime = (time_t)-1;
141 Attribute *a;
142 Modifications *m;
143 char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
144 struct berval timestamp;
145
146 /* get the current time */
147 now = slap_get_time();
148
149 /* get authTimestamp attribute, if it exists */
150 if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) {
151 bindtime = parse_time( a->a_nvals[0].bv_val );
152
153 if (bindtime != (time_t)-1) {
154 /* if the recorded bind time is within our precision, we're done
155 * it doesn't need to be updated (save a write for nothing) */
156 if ((now - bindtime) < lbi->timestamp_precision) {
157 goto done;
158 }
159 }
160 }
161
162 /* update the authTimestamp in the user's entry with the current time */
163 timestamp.bv_val = nowstr;
164 timestamp.bv_len = sizeof(nowstr);
165 slap_timestamp( &now, ×tamp );
166
167 m = ch_calloc( sizeof(Modifications), 1 );
168 m->sml_op = LDAP_MOD_REPLACE;
169 m->sml_flags = 0;
170 m->sml_type = ad_authTimestamp->ad_cname;
171 m->sml_desc = ad_authTimestamp;
172 m->sml_numvals = 1;
173 m->sml_values = ch_calloc( sizeof(struct berval), 2 );
174 m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
175
176 ber_dupbv( &m->sml_values[0], ×tamp );
177 ber_dupbv( &m->sml_nvalues[0], ×tamp );
178 m->sml_next = mod;
179 mod = m;
180 }
181
182 done:
183 be_entry_release_r( op, e );
184
185 /* perform the update, if necessary */
186 if ( mod ) {
187 Operation op2 = *op;
188 SlapReply r2 = { REP_RESULT };
189 slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
190 LDAPControl c, *ca[2];
191 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
192
193 /* This is a DSA-specific opattr, it never gets replicated. */
194 op2.o_tag = LDAP_REQ_MODIFY;
195 op2.o_callback = &cb;
196 op2.orm_modlist = mod;
197 op2.orm_no_opattrs = 0;
198 op2.o_dn = op->o_bd->be_rootdn;
199 op2.o_ndn = op->o_bd->be_rootndn;
200
201 /*
202 * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy
203 *
204 * If this server is a shadow and forward_updates is true,
205 * use the frontend to perform this modify. That will trigger
206 * the update referral, which can then be forwarded by the
207 * chain overlay. Obviously the updateref and chain overlay
208 * must be configured appropriately for this to be useful.
209 */
210 if ( SLAP_SHADOW( op->o_bd ) && lbi->forward_updates ) {
211 op2.o_bd = frontendDB;
212
213 /* Must use Relax control since these are no-user-mod */
214 op2.o_relax = SLAP_CONTROL_CRITICAL;
215 op2.o_ctrls = ca;
216 ca[0] = &c;
217 ca[1] = NULL;
218 BER_BVZERO( &c.ldctl_value );
219 c.ldctl_iscritical = 1;
220 c.ldctl_oid = LDAP_CONTROL_RELAX;
221 } else {
222 /* If not forwarding, don't update opattrs and don't replicate */
223 if ( SLAP_SINGLE_SHADOW( op->o_bd )) {
224 op2.orm_no_opattrs = 1;
225 op2.o_dont_replicate = 1;
226 }
227 /* TODO: not sure what this does in slapo-ppolicy */
228 /*
229 op2.o_bd->bd_info = (BackendInfo *)on->on_info;
230 */
231 }
232
233 rc = op2.o_bd->be_modify( &op2, &r2 );
234 slap_mods_free( mod, 1 );
235 }
236
237 op->o_bd->bd_info = bi;
238 return SLAP_CB_CONTINUE;
239 }
240
241 static int
lastbind_bind(Operation * op,SlapReply * rs)242 lastbind_bind( Operation *op, SlapReply *rs )
243 {
244 slap_callback *cb;
245 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
246
247 /* setup a callback to intercept result of this bind operation
248 * and pass along the lastbind_info struct */
249 cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx );
250 cb->sc_response = lastbind_bind_response;
251 cb->sc_next = op->o_callback->sc_next;
252 cb->sc_private = on->on_bi.bi_private;
253 op->o_callback->sc_next = cb;
254
255 return SLAP_CB_CONTINUE;
256 }
257
258 static int
lastbind_db_init(BackendDB * be,ConfigReply * cr)259 lastbind_db_init(
260 BackendDB *be,
261 ConfigReply *cr
262 )
263 {
264 slap_overinst *on = (slap_overinst *) be->bd_info;
265
266 /* initialize private structure to store configuration */
267 on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) );
268
269 return 0;
270 }
271
272 static int
lastbind_db_close(BackendDB * be,ConfigReply * cr)273 lastbind_db_close(
274 BackendDB *be,
275 ConfigReply *cr
276 )
277 {
278 slap_overinst *on = (slap_overinst *) be->bd_info;
279 lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private;
280
281 /* free private structure to store configuration */
282 free( lbi );
283
284 return 0;
285 }
286
287 static slap_overinst lastbind;
288
lastbind_initialize()289 int lastbind_initialize()
290 {
291 int i, code;
292
293 /* register operational schema for this overlay (authTimestamp attribute) */
294 for (i=0; lastBind_OpSchema[i].def; i++) {
295 code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 );
296 if ( code ) {
297 Debug( LDAP_DEBUG_ANY,
298 "lastbind_initialize: register_at failed\n" );
299 return code;
300 }
301 }
302
303 ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE;
304
305 lastbind.on_bi.bi_type = "lastbind";
306 lastbind.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
307 lastbind.on_bi.bi_db_init = lastbind_db_init;
308 lastbind.on_bi.bi_db_close = lastbind_db_close;
309 lastbind.on_bi.bi_op_bind = lastbind_bind;
310
311 /* register configuration directives */
312 lastbind.on_bi.bi_cf_ocs = lastbindocs;
313 code = config_register_schema( lastbindcfg, lastbindocs );
314 if ( code ) return code;
315
316 return overlay_register( &lastbind );
317 }
318
319 #if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC
init_module(int argc,char * argv[])320 int init_module(int argc, char *argv[]) {
321 return lastbind_initialize();
322 }
323 #endif
324
325 #endif /* defined(SLAPD_OVER_LASTBIND) */
326