1 /* $NetBSD: lastbind.c,v 1.1.1.4 2019/08/08 13:31:04 christos Exp $ */ 2 3 /* lastbind.c - Record timestamp of the last successful bind to entries */ 4 /* $OpenLDAP$ */ 5 /* 6 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted only as authorized by the OpenLDAP 11 * Public License. 12 * 13 * A copy of this license is available in the file LICENSE in the 14 * top-level directory of the distribution or, alternatively, at 15 * <http://www.OpenLDAP.org/license.html>. 16 */ 17 /* ACKNOWLEDGEMENTS: 18 * This work is loosely derived from the ppolicy overlay. 19 */ 20 21 #include <sys/cdefs.h> 22 __RCSID("$NetBSD: lastbind.c,v 1.1.1.4 2019/08/08 13:31:04 christos Exp $"); 23 24 #include "portable.h" 25 26 /* 27 * This file implements an overlay that stores the timestamp of the 28 * last successful bind operation in a directory entry. 29 * 30 * Optimization: to avoid performing a write on each bind, 31 * a precision for this timestamp may be configured, causing it to 32 * only be updated if it is older than a given number of seconds. 33 */ 34 35 #ifdef SLAPD_OVER_LASTBIND 36 37 #include <ldap.h> 38 #include "lutil.h" 39 #include "slap.h" 40 #include <ac/errno.h> 41 #include <ac/time.h> 42 #include <ac/string.h> 43 #include <ac/ctype.h> 44 #include "config.h" 45 46 /* Per-instance configuration information */ 47 typedef struct lastbind_info { 48 /* precision to update timestamp in authTimestamp attribute */ 49 int timestamp_precision; 50 int forward_updates; /* use frontend for authTimestamp updates */ 51 } lastbind_info; 52 53 /* Operational attributes */ 54 static AttributeDescription *ad_authTimestamp; 55 56 /* This is the definition used by ISODE, as supplied to us in 57 * ITS#6238 Followup #9 58 */ 59 static struct schema_info { 60 char *def; 61 AttributeDescription **ad; 62 } lastBind_OpSchema[] = { 63 { "( 1.3.6.1.4.1.453.16.2.188 " 64 "NAME 'authTimestamp' " 65 "DESC 'last successful authentication using any method/mech' " 66 "EQUALITY generalizedTimeMatch " 67 "ORDERING generalizedTimeOrderingMatch " 68 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 " 69 "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )", 70 &ad_authTimestamp}, 71 { NULL, NULL } 72 }; 73 74 /* configuration attribute and objectclass */ 75 static ConfigTable lastbindcfg[] = { 76 { "lastbind-precision", "seconds", 2, 2, 0, 77 ARG_INT|ARG_OFFSET, 78 (void *)offsetof(lastbind_info, timestamp_precision), 79 "( OLcfgCtAt:5.1 " 80 "NAME 'olcLastBindPrecision' " 81 "DESC 'Precision of authTimestamp attribute' " 82 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, 83 { "lastbind_forward_updates", "on|off", 1, 2, 0, 84 ARG_ON_OFF|ARG_OFFSET, 85 (void *)offsetof(lastbind_info,forward_updates), 86 "( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' " 87 "DESC 'Allow authTimestamp updates to be forwarded via updateref' " 88 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, 89 { NULL, NULL, 0, 0, 0, ARG_IGNORED } 90 }; 91 92 static ConfigOCs lastbindocs[] = { 93 { "( OLcfgCtOc:5.1 " 94 "NAME 'olcLastBindConfig' " 95 "DESC 'Last Bind configuration' " 96 "SUP olcOverlayConfig " 97 "MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )", 98 Cft_Overlay, lastbindcfg, NULL, NULL }, 99 { NULL, 0, NULL } 100 }; 101 102 static time_t 103 parse_time( char *atm ) 104 { 105 struct lutil_tm tm; 106 struct lutil_timet tt; 107 time_t ret = (time_t)-1; 108 109 if ( lutil_parsetime( atm, &tm ) == 0) { 110 lutil_tm2time( &tm, &tt ); 111 ret = tt.tt_sec; 112 } 113 return ret; 114 } 115 116 static int 117 lastbind_bind_response( Operation *op, SlapReply *rs ) 118 { 119 Modifications *mod = NULL; 120 BackendInfo *bi = op->o_bd->bd_info; 121 Entry *e; 122 int rc; 123 124 /* we're only interested if the bind was successful */ 125 if ( rs->sr_err != LDAP_SUCCESS ) 126 return SLAP_CB_CONTINUE; 127 128 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); 129 op->o_bd->bd_info = bi; 130 131 if ( rc != LDAP_SUCCESS ) { 132 return SLAP_CB_CONTINUE; 133 } 134 135 { 136 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private; 137 138 time_t now, bindtime = (time_t)-1; 139 Attribute *a; 140 Modifications *m; 141 char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ]; 142 struct berval timestamp; 143 144 /* get the current time */ 145 now = slap_get_time(); 146 147 /* get authTimestamp attribute, if it exists */ 148 if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) { 149 bindtime = parse_time( a->a_nvals[0].bv_val ); 150 151 if (bindtime != (time_t)-1) { 152 /* if the recorded bind time is within our precision, we're done 153 * it doesn't need to be updated (save a write for nothing) */ 154 if ((now - bindtime) < lbi->timestamp_precision) { 155 goto done; 156 } 157 } 158 } 159 160 /* update the authTimestamp in the user's entry with the current time */ 161 timestamp.bv_val = nowstr; 162 timestamp.bv_len = sizeof(nowstr); 163 slap_timestamp( &now, ×tamp ); 164 165 m = ch_calloc( sizeof(Modifications), 1 ); 166 m->sml_op = LDAP_MOD_REPLACE; 167 m->sml_flags = 0; 168 m->sml_type = ad_authTimestamp->ad_cname; 169 m->sml_desc = ad_authTimestamp; 170 m->sml_numvals = 1; 171 m->sml_values = ch_calloc( sizeof(struct berval), 2 ); 172 m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 ); 173 174 ber_dupbv( &m->sml_values[0], ×tamp ); 175 ber_dupbv( &m->sml_nvalues[0], ×tamp ); 176 m->sml_next = mod; 177 mod = m; 178 } 179 180 done: 181 be_entry_release_r( op, e ); 182 183 /* perform the update, if necessary */ 184 if ( mod ) { 185 Operation op2 = *op; 186 SlapReply r2 = { REP_RESULT }; 187 slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; 188 LDAPControl c, *ca[2]; 189 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private; 190 191 /* This is a DSA-specific opattr, it never gets replicated. */ 192 op2.o_tag = LDAP_REQ_MODIFY; 193 op2.o_callback = &cb; 194 op2.orm_modlist = mod; 195 op2.orm_no_opattrs = 0; 196 op2.o_dn = op->o_bd->be_rootdn; 197 op2.o_ndn = op->o_bd->be_rootndn; 198 199 /* 200 * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy 201 * 202 * If this server is a shadow and forward_updates is true, 203 * use the frontend to perform this modify. That will trigger 204 * the update referral, which can then be forwarded by the 205 * chain overlay. Obviously the updateref and chain overlay 206 * must be configured appropriately for this to be useful. 207 */ 208 if ( SLAP_SHADOW( op->o_bd ) && lbi->forward_updates ) { 209 op2.o_bd = frontendDB; 210 211 /* Must use Relax control since these are no-user-mod */ 212 op2.o_relax = SLAP_CONTROL_CRITICAL; 213 op2.o_ctrls = ca; 214 ca[0] = &c; 215 ca[1] = NULL; 216 BER_BVZERO( &c.ldctl_value ); 217 c.ldctl_iscritical = 1; 218 c.ldctl_oid = LDAP_CONTROL_RELAX; 219 } else { 220 /* If not forwarding, don't update opattrs and don't replicate */ 221 if ( SLAP_SINGLE_SHADOW( op->o_bd )) { 222 op2.orm_no_opattrs = 1; 223 op2.o_dont_replicate = 1; 224 } 225 /* TODO: not sure what this does in slapo-ppolicy */ 226 /* 227 op2.o_bd->bd_info = (BackendInfo *)on->on_info; 228 */ 229 } 230 231 rc = op->o_bd->be_modify( &op2, &r2 ); 232 slap_mods_free( mod, 1 ); 233 } 234 235 op->o_bd->bd_info = bi; 236 return SLAP_CB_CONTINUE; 237 } 238 239 static int 240 lastbind_bind( Operation *op, SlapReply *rs ) 241 { 242 slap_callback *cb; 243 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; 244 245 /* setup a callback to intercept result of this bind operation 246 * and pass along the lastbind_info struct */ 247 cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx ); 248 cb->sc_response = lastbind_bind_response; 249 cb->sc_next = op->o_callback->sc_next; 250 cb->sc_private = on->on_bi.bi_private; 251 op->o_callback->sc_next = cb; 252 253 return SLAP_CB_CONTINUE; 254 } 255 256 static int 257 lastbind_db_init( 258 BackendDB *be, 259 ConfigReply *cr 260 ) 261 { 262 slap_overinst *on = (slap_overinst *) be->bd_info; 263 264 /* initialize private structure to store configuration */ 265 on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) ); 266 267 return 0; 268 } 269 270 static int 271 lastbind_db_close( 272 BackendDB *be, 273 ConfigReply *cr 274 ) 275 { 276 slap_overinst *on = (slap_overinst *) be->bd_info; 277 lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private; 278 279 /* free private structure to store configuration */ 280 free( lbi ); 281 282 return 0; 283 } 284 285 static slap_overinst lastbind; 286 287 int lastbind_initialize() 288 { 289 int i, code; 290 291 /* register operational schema for this overlay (authTimestamp attribute) */ 292 for (i=0; lastBind_OpSchema[i].def; i++) { 293 code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 ); 294 if ( code ) { 295 Debug( LDAP_DEBUG_ANY, 296 "lastbind_initialize: register_at failed\n", 0, 0, 0 ); 297 return code; 298 } 299 } 300 301 ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE; 302 303 lastbind.on_bi.bi_type = "lastbind"; 304 lastbind.on_bi.bi_db_init = lastbind_db_init; 305 lastbind.on_bi.bi_db_close = lastbind_db_close; 306 lastbind.on_bi.bi_op_bind = lastbind_bind; 307 308 /* register configuration directives */ 309 lastbind.on_bi.bi_cf_ocs = lastbindocs; 310 code = config_register_schema( lastbindcfg, lastbindocs ); 311 if ( code ) return code; 312 313 return overlay_register( &lastbind ); 314 } 315 316 #if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC 317 int init_module(int argc, char *argv[]) { 318 return lastbind_initialize(); 319 } 320 #endif 321 322 #endif /* defined(SLAPD_OVER_LASTBIND) */ 323