1 /* $NetBSD: lastbind.c,v 1.1.1.3 2018/02/06 01:53:06 christos Exp $ */ 2 3 /* lastbind.c - Record timestamp of the last successful bind to entries */ 4 /* $OpenLDAP$ */ 5 /* 6 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted only as authorized by the OpenLDAP 11 * Public License. 12 * 13 * A copy of this license is available in the file LICENSE in the 14 * top-level directory of the distribution or, alternatively, at 15 * <http://www.OpenLDAP.org/license.html>. 16 */ 17 /* ACKNOWLEDGEMENTS: 18 * This work is loosely derived from the ppolicy overlay. 19 */ 20 21 #include <sys/cdefs.h> 22 __RCSID("$NetBSD: lastbind.c,v 1.1.1.3 2018/02/06 01:53:06 christos Exp $"); 23 24 #include "portable.h" 25 26 /* 27 * This file implements an overlay that stores the timestamp of the 28 * last successful bind operation in a directory entry. 29 * 30 * Optimization: to avoid performing a write on each bind, 31 * a precision for this timestamp may be configured, causing it to 32 * only be updated if it is older than a given number of seconds. 33 */ 34 35 #ifdef SLAPD_OVER_LASTBIND 36 37 #include <ldap.h> 38 #include "lutil.h" 39 #include "slap.h" 40 #include <ac/errno.h> 41 #include <ac/time.h> 42 #include <ac/string.h> 43 #include <ac/ctype.h> 44 #include "config.h" 45 46 /* Per-instance configuration information */ 47 typedef struct lastbind_info { 48 /* precision to update timestamp in authTimestamp attribute */ 49 int timestamp_precision; 50 } lastbind_info; 51 52 /* Operational attributes */ 53 static AttributeDescription *ad_authTimestamp; 54 55 /* This is the definition used by ISODE, as supplied to us in 56 * ITS#6238 Followup #9 57 */ 58 static struct schema_info { 59 char *def; 60 AttributeDescription **ad; 61 } lastBind_OpSchema[] = { 62 { "( 1.3.6.1.4.1.453.16.2.188 " 63 "NAME 'authTimestamp' " 64 "DESC 'last successful authentication using any method/mech' " 65 "EQUALITY generalizedTimeMatch " 66 "ORDERING generalizedTimeOrderingMatch " 67 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 " 68 "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )", 69 &ad_authTimestamp}, 70 { NULL, NULL } 71 }; 72 73 /* configuration attribute and objectclass */ 74 static ConfigTable lastbindcfg[] = { 75 { "lastbind-precision", "seconds", 2, 2, 0, 76 ARG_INT|ARG_OFFSET, 77 (void *)offsetof(lastbind_info, timestamp_precision), 78 "( OLcfgCtAt:5.1 " 79 "NAME 'olcLastBindPrecision' " 80 "DESC 'Precision of authTimestamp attribute' " 81 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, 82 { NULL, NULL, 0, 0, 0, ARG_IGNORED } 83 }; 84 85 static ConfigOCs lastbindocs[] = { 86 { "( OLcfgCtOc:5.1 " 87 "NAME 'olcLastBindConfig' " 88 "DESC 'Last Bind configuration' " 89 "SUP olcOverlayConfig " 90 "MAY ( olcLastBindPrecision ) )", 91 Cft_Overlay, lastbindcfg, NULL, NULL }, 92 { NULL, 0, NULL } 93 }; 94 95 static time_t 96 parse_time( char *atm ) 97 { 98 struct lutil_tm tm; 99 struct lutil_timet tt; 100 time_t ret = (time_t)-1; 101 102 if ( lutil_parsetime( atm, &tm ) == 0) { 103 lutil_tm2time( &tm, &tt ); 104 ret = tt.tt_sec; 105 } 106 return ret; 107 } 108 109 static int 110 lastbind_bind_response( Operation *op, SlapReply *rs ) 111 { 112 Modifications *mod = NULL; 113 BackendInfo *bi = op->o_bd->bd_info; 114 Entry *e; 115 int rc; 116 117 /* we're only interested if the bind was successful */ 118 if ( rs->sr_err != LDAP_SUCCESS ) 119 return SLAP_CB_CONTINUE; 120 121 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); 122 op->o_bd->bd_info = bi; 123 124 if ( rc != LDAP_SUCCESS ) { 125 return SLAP_CB_CONTINUE; 126 } 127 128 { 129 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private; 130 131 time_t now, bindtime = (time_t)-1; 132 Attribute *a; 133 Modifications *m; 134 char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ]; 135 struct berval timestamp; 136 137 /* get the current time */ 138 now = slap_get_time(); 139 140 /* get authTimestamp attribute, if it exists */ 141 if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) { 142 bindtime = parse_time( a->a_nvals[0].bv_val ); 143 144 if (bindtime != (time_t)-1) { 145 /* if the recorded bind time is within our precision, we're done 146 * it doesn't need to be updated (save a write for nothing) */ 147 if ((now - bindtime) < lbi->timestamp_precision) { 148 goto done; 149 } 150 } 151 } 152 153 /* update the authTimestamp in the user's entry with the current time */ 154 timestamp.bv_val = nowstr; 155 timestamp.bv_len = sizeof(nowstr); 156 slap_timestamp( &now, ×tamp ); 157 158 m = ch_calloc( sizeof(Modifications), 1 ); 159 m->sml_op = LDAP_MOD_REPLACE; 160 m->sml_flags = 0; 161 m->sml_type = ad_authTimestamp->ad_cname; 162 m->sml_desc = ad_authTimestamp; 163 m->sml_numvals = 1; 164 m->sml_values = ch_calloc( sizeof(struct berval), 2 ); 165 m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 ); 166 167 ber_dupbv( &m->sml_values[0], ×tamp ); 168 ber_dupbv( &m->sml_nvalues[0], ×tamp ); 169 m->sml_next = mod; 170 mod = m; 171 } 172 173 done: 174 be_entry_release_r( op, e ); 175 176 /* perform the update, if necessary */ 177 if ( mod ) { 178 Operation op2 = *op; 179 SlapReply r2 = { REP_RESULT }; 180 slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; 181 182 /* This is a DSA-specific opattr, it never gets replicated. */ 183 op2.o_tag = LDAP_REQ_MODIFY; 184 op2.o_callback = &cb; 185 op2.orm_modlist = mod; 186 op2.o_dn = op->o_bd->be_rootdn; 187 op2.o_ndn = op->o_bd->be_rootndn; 188 op2.o_dont_replicate = 1; 189 rc = op->o_bd->be_modify( &op2, &r2 ); 190 slap_mods_free( mod, 1 ); 191 } 192 193 op->o_bd->bd_info = bi; 194 return SLAP_CB_CONTINUE; 195 } 196 197 static int 198 lastbind_bind( Operation *op, SlapReply *rs ) 199 { 200 slap_callback *cb; 201 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; 202 203 /* setup a callback to intercept result of this bind operation 204 * and pass along the lastbind_info struct */ 205 cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx ); 206 cb->sc_response = lastbind_bind_response; 207 cb->sc_next = op->o_callback->sc_next; 208 cb->sc_private = on->on_bi.bi_private; 209 op->o_callback->sc_next = cb; 210 211 return SLAP_CB_CONTINUE; 212 } 213 214 static int 215 lastbind_db_init( 216 BackendDB *be, 217 ConfigReply *cr 218 ) 219 { 220 slap_overinst *on = (slap_overinst *) be->bd_info; 221 222 /* initialize private structure to store configuration */ 223 on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) ); 224 225 return 0; 226 } 227 228 static int 229 lastbind_db_close( 230 BackendDB *be, 231 ConfigReply *cr 232 ) 233 { 234 slap_overinst *on = (slap_overinst *) be->bd_info; 235 lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private; 236 237 /* free private structure to store configuration */ 238 free( lbi ); 239 240 return 0; 241 } 242 243 static slap_overinst lastbind; 244 245 int lastbind_initialize() 246 { 247 int i, code; 248 249 /* register operational schema for this overlay (authTimestamp attribute) */ 250 for (i=0; lastBind_OpSchema[i].def; i++) { 251 code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 ); 252 if ( code ) { 253 Debug( LDAP_DEBUG_ANY, 254 "lastbind_initialize: register_at failed\n", 0, 0, 0 ); 255 return code; 256 } 257 } 258 259 ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE; 260 261 lastbind.on_bi.bi_type = "lastbind"; 262 lastbind.on_bi.bi_db_init = lastbind_db_init; 263 lastbind.on_bi.bi_db_close = lastbind_db_close; 264 lastbind.on_bi.bi_op_bind = lastbind_bind; 265 266 /* register configuration directives */ 267 lastbind.on_bi.bi_cf_ocs = lastbindocs; 268 code = config_register_schema( lastbindcfg, lastbindocs ); 269 if ( code ) return code; 270 271 return overlay_register( &lastbind ); 272 } 273 274 #if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC 275 int init_module(int argc, char *argv[]) { 276 return lastbind_initialize(); 277 } 278 #endif 279 280 #endif /* defined(SLAPD_OVER_LASTBIND) */ 281