/* $OpenBSD: ldapd.h,v 1.32 2020/06/24 07:20:47 tb Exp $ */

/*
 * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef _LDAPD_H
#define _LDAPD_H

/*
 * Shared definitions for ldapd: compile-time defaults, the configuration,
 * connection, request and search structures, the imsg types exchanged
 * between the daemon's processes, and the prototypes exported by each
 * source file (grouped by file name at the bottom).
 */

#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/tree.h>
#include <sys/types.h>
#include <sys/uio.h>

#include <event.h>
#include <imsg.h>
#include <limits.h>
#include <pwd.h>
#include <stdarg.h>
#include <tls.h>

#include "aldap.h"
#include "schema.h"
#include "btree.h"
#include "imsgev.h"
#include "evbuffer_tls.h"

/* Compile-time defaults: paths, unprivileged user, ports and limits. */
#define CONFFILE		"/etc/ldapd.conf"
#define LDAPD_USER		"_ldapd"
#define LDAPD_SOCKET		"/var/run/ldapd.sock"
#define DATADIR			"/var/db/ldap"
#define LDAP_PORT		389
#define LDAPS_PORT		636
#define LDAPD_SESSION_TIMEOUT	30	/* presumably seconds — confirm in conn.c */
#define MAX_LISTEN		64
#define FD_RESERVE		8	/* 5 overhead, 2 for db, 1 accept */

/* Listener/connection TLS flags (see listener.flags and conn.s_flags). */
#define F_STARTTLS		0x01
#define F_LDAPS			0x02
#define F_SSL			(F_LDAPS|F_STARTTLS)	/* either TLS mode */

#define F_SECURE		0x04
#define F_LEGACY		0x08

/*
 * Flag for struct ssl.flags.  Its value overlaps F_STARTTLS, so it must
 * never be mixed into the F_* listener/connection masks above.
 */
#define F_SCERT			0x01

struct conn;

/*
 * One access-control entry.  type is ACI_DENY or ACI_ALLOW; rights is a
 * bitmask of the ACI_* rights (ACI_ALL is the OR of all five).
 */
struct aci {
	SIMPLEQ_ENTRY(aci)	 entry;
#define ACI_DENY		 0
#define ACI_ALLOW		 1
	int			 type;
#define ACI_READ		 0x01
#define ACI_WRITE		 0x02
#define ACI_COMPARE		 0x04
#define ACI_CREATE		 0x08
#define ACI_BIND		 0x10
#define ACI_ALL			 0x1F
	int			 rights;
	enum scope		 scope;		/* base, onelevel or subtree */
	char			*attribute;
	char			*target;
	char			*subject;
	char			*filter;
};
SIMPLEQ_HEAD(acl, aci);

/* An LDAP request.
 */
struct request {
	TAILQ_ENTRY(request)	 next;
	unsigned int		 type;
	long long		 msgid;
	struct ber_element	*root;		/* whole decoded message */
	struct ber_element	*op;		/* the operation element within root */
	struct conn		*conn;		/* connection the request arrived on */
	int			 replayed;	/* true if replayed request */
};
TAILQ_HEAD(request_queue, request);

/*
 * Index kinds.  Note that INDEX_EQUAL, INDEX_APPROX and INDEX_PRESENCE all
 * have the value 1 and are therefore indistinguishable at run time;
 * INDEX_SUBSTR is 2.
 */
enum index_type {
	INDEX_NONE,
	INDEX_EQUAL = 1,
	INDEX_APPROX = 1,
	INDEX_PRESENCE = 1,
	INDEX_SUBSTR
};

/* Configured index on one attribute. */
struct attr_index {
	TAILQ_ENTRY(attr_index)	 next;
	char			*attr;
	enum index_type		 type;
};
TAILQ_HEAD(attr_index_list, attr_index);

/* One referral URL. */
struct referral {
	SLIST_ENTRY(referral)	 next;
	char			*url;
};
SLIST_HEAD(referrals, referral);

/*
 * A directory namespace: one suffix backed by a data btree and an index
 * btree, with its own request queue, ACL and root credentials.
 */
struct namespace {
	TAILQ_ENTRY(namespace)	 next;
	char			*suffix;
	struct referrals	 referrals;
	char			*rootdn;
	char			*rootpw;	/* NOTE(review): credential kept in memory for the process lifetime */
	char			*data_path;
	char			*indx_path;
	struct btree		*data_db;
	struct btree		*indx_db;
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	int			 sync;		/* 1 = fsync after commit */
	struct attr_index_list	 indices;
	unsigned int		 cache_size;
	unsigned int		 index_cache_size;
	struct request_queue	 request_queue;
	struct event		 ev_queue;
	unsigned int		 queued_requests;
	struct acl		 acl;
	int			 relax;		/* relax schema validation */
	int			 compression_level;	/* 0-9, 0 = disabled */
};

TAILQ_HEAD(namespace_list, namespace);

/* One index key prefix considered by a query plan. */
struct index
{
	TAILQ_ENTRY(index)	 next;
	char			*prefix;
};

/* A query plan.
 */
struct plan
{
	TAILQ_ENTRY(plan)	 next;
	TAILQ_HEAD(, plan)	 args;		/* sub-plans (e.g. of an AND/OR filter) */
	TAILQ_HEAD(, index)	 indices;
	struct attr_type	*at;
	char			*adesc;
	/*
	 * Value asserted by the filter; which member is valid presumably
	 * depends on op — confirm in filter.c.  The member name "assert"
	 * does not clash with <assert.h> because that macro is function-like.
	 */
	union {
		char			*value;
		struct ber_element	*substring;
	} assert;
	int			 op;
	int			 indexed;
	int			 undefined;
};

/* For OR filters using multiple indices, matches are not unique. Remember
 * all DNs sent to the client to make them unique.
 */
struct uniqdn {
	RB_ENTRY(uniqdn)	 link;
	struct btval		 key;
};
RB_HEAD(dn_tree, uniqdn);
RB_PROTOTYPE(dn_tree, uniqdn, link, uniqdn_cmp);

/* An LDAP search request.
 */
struct search {
	TAILQ_ENTRY(search)	 next;
	int			 init;		/* 1 if cursor initiated */
	struct conn		*conn;
	struct request		*req;
	struct namespace	*ns;
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	struct cursor		*cursor;
	unsigned int		 nscanned, nmatched, ndups;	/* progress counters */
	time_t			 started_at;
	long long		 szlim, tmlim;	/* size and time limits */
	int			 typesonly;	/* not implemented */
	long long		 scope;
	long long		 deref;		/* not implemented */
	char			*basedn;
	struct ber_element	*filter, *attrlist;
	struct plan		*plan;
	struct index		*cindx;		/* current index */
	struct dn_tree		 uniqdns;	/* DNs already sent, see struct uniqdn */
};

/* A listening socket, plain or TLS. */
struct listener {
	unsigned int		 flags;		/* F_STARTTLS or F_LDAPS */
	struct sockaddr_storage	 ss;
	int			 port;
	int			 fd;
	struct event		 ev;
	struct event		 evt;
	char			 ssl_cert_name[PATH_MAX];
	struct ssl		*ssl;
	struct tls		*tls;
	TAILQ_ENTRY(listener)	 entry;
};
TAILQ_HEAD(listenerlist, listener);

/* An LDAP client connection.
 */
struct conn {
	TAILQ_ENTRY(conn)	 next;
	int			 fd;
	struct bufferevent	*bev;
	struct ber		 ber;
	int			 disconnect;
	struct request		*bind_req;	/* ongoing bind request */
	char			*binddn;	/* identity the connection is bound as */
	char			*pending_binddn;	/* identity of bind_req until it completes */
	TAILQ_HEAD(, search)	 searches;
	struct listener		*listener;	/* where it connected from */

	/* SSL support */
	struct tls		*tls;
	struct buftls		 buftls;
	unsigned int		 s_flags;
};
/*
 * NOTE(review): besides declaring struct conn_list, this line defines the
 * variable conn_list in every translation unit that includes this header
 * (a tentative definition); conn.c's extern declaration below expects a
 * single definition.  Confirm conn.c defines it and consider dropping the
 * variable name here.
 */
TAILQ_HEAD(conn_list, conn)	 conn_list;

/*
 * A configured certificate/key pair, kept in a splay tree ordered by
 * ssl_cmp() (see the SPLAY_PROTOTYPE near the end of this file).
 */
struct ssl {
	SPLAY_ENTRY(ssl)	 ssl_nodes;
	char			 ssl_name[PATH_MAX];
	uint8_t			*ssl_cert;	/* certificate bytes, ssl_cert_len long */
	size_t			 ssl_cert_len;
	uint8_t			*ssl_key;	/* private key bytes — NOTE(review): confirm cleared on free */
	size_t			 ssl_key_len;
	uint8_t			 flags;		/* F_SCERT */
	struct tls_config	*config;
};

/* The parsed configuration. */
struct ldapd_config
{
	struct namespace_list		 namespaces;
	struct listenerlist		 listeners;
	SPLAY_HEAD(ssltree, ssl)	*sc_ssl;
	struct referrals		 referrals;	/* global referrals */
	struct acl			 acl;		/* global ACL */
	struct schema			*schema;
	char				*rootdn;
	char				*rootpw;
};

struct ldapd_stats
{
	time_t			 started_at;	/* time of daemon startup */
	unsigned long long	 requests;	/* total number of requests */
	unsigned long long	 req_search;	/* search requests */
	unsigned long long	 req_bind;	/* bind requests */
	unsigned long long	 req_mod;	/* add/mod/del requests */
	unsigned long long	 timeouts;	/* search timeouts */
	unsigned long long	 unindexed;	/* unindexed searches */
	unsigned int		 conns;		/* active connections */
	unsigned int		 searches;	/* active searches */
};

/*
 * Bind credentials handed to another process, presumably as the payload
 * of IMSG_LDAPD_AUTH.  name and password are fixed 128-byte buffers, so
 * the sender must bound-check or reject longer values.  NOTE(review):
 * confirm both sides clear password after use.
 */
struct auth_req
{
	int			 fd;
	long long		 msgid;
	char			 name[128];
	char			 password[128];
};

/* Answer to an auth_req; fd and msgid identify the originating bind. */
struct auth_res
{
	int			 ok;
	int			 fd;
	long long		 msgid;
};

/* Request to open a database file on behalf of another process. */
struct open_req {
	char			 path[PATH_MAX+1];
	unsigned int		 rdonly;
};

/*
 * imsg message types.  IMSG_CTL_* are exchanged with the control socket;
 * the IMSG_LDAPD_* entries come in request/result pairs.
 */
enum imsg_type {
	IMSG_NONE,
	IMSG_CTL_OK,
	IMSG_CTL_FAIL,
	IMSG_CTL_END,
	IMSG_CTL_STATS,
	IMSG_CTL_NSSTATS,
	IMSG_CTL_LOG_VERBOSE,

	IMSG_LDAPD_AUTH,
	IMSG_LDAPD_AUTH_RESULT,
	IMSG_LDAPD_OPEN,
	IMSG_LDAPD_OPEN_RESULT,
};

/* Per-namespace statistics reported over the control socket. */
struct ns_stat {
	char			 suffix[256];
	struct btree_stat	 data_stat;
	struct btree_stat	 indx_stat;
};

/* A client of the control socket. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	u_int8_t		 flags;
#define CTL_CONN_NOTIFY		 0x01
#define CTL_CONN_LOCKED		 0x02		/* restricted mode */
	struct imsgev		 iev;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
extern struct ctl_connlist ctl_conns;


/* A control socket and its libevent state. */
struct control_sock {
	const char		*cs_name;
	struct event		 cs_ev;
	struct event		 cs_evt;
	int			 cs_fd;
	int			 cs_restricted;
};

/* The daemon's process roles. */
enum ldapd_process {
	PROC_MAIN_AUTH,
	PROC_LDAP_SERVER
};

/* Descriptor number on which a child presumably inherits its parent socket. */
#define PROC_PARENT_SOCK_FILENO	3

/* ldapd.c */
extern struct ldapd_stats	 stats;
extern struct ldapd_config	*conf;

void			 imsg_event_add(struct imsgev *iev);
int			 imsg_compose_event(struct imsgev *iev, u_int16_t type,
			    u_int32_t peerid, pid_t pid, int fd, void *data,
			    u_int16_t datalen);
int			 imsg_event_handle(struct imsgev *iev, short event);

/* conn.c */
extern struct conn_list	 conn_list;
struct conn		*conn_by_fd(int fd);
void			 conn_read(struct bufferevent *bev, void *data);
void			 conn_write(struct bufferevent *bev, void *data);
void			 conn_err(struct bufferevent *bev, short w, void *data);
void			 conn_accept(int fd, short why, void *data);
void			 conn_close(struct conn *conn);
int			 conn_close_any(void);
void			 conn_disconnect(struct conn *conn);
void			 request_dispatch(struct request *req);
void			 request_free(struct request *req);

/* ldape.c */
void			 ldape(int, int, char *);
int			 ldap_abandon(struct request *req);
int			 ldap_unbind(struct request *req);
int			 ldap_compare(struct request *req);
int			 ldap_extended(struct request *req);

void			 send_ldap_result(struct conn *conn, int msgid,
			    unsigned int type, long long result_code);
int			 ldap_respond(struct request *req, int code);
int			 ldap_refer(struct request *req, const char *basedn,
			    struct search *search, struct referrals *refs);

/* namespace.c
 */
struct namespace	*namespace_new(const char *suffix);
int			 namespace_open(struct namespace *ns);
int			 namespace_reopen_data(struct namespace *ns);
int			 namespace_reopen_indx(struct namespace *ns);
int			 namespace_set_data_fd(struct namespace *ns, int fd);
int			 namespace_set_indx_fd(struct namespace *ns, int fd);
struct namespace	*namespace_init(const char *suffix, const char *dir);
void			 namespace_close(struct namespace *ns);
void			 namespace_remove(struct namespace *ns);
struct ber_element	*namespace_get(struct namespace *ns, char *dn);
int			 namespace_exists(struct namespace *ns, char *dn);
int			 namespace_add(struct namespace *ns, char *dn,
			    struct ber_element *root);
int			 namespace_update(struct namespace *ns, char *dn,
			    struct ber_element *root);
int			 namespace_del(struct namespace *ns, char *dn);
struct namespace	*namespace_lookup_base(const char *basedn,
			    int include_referrals);
struct namespace	*namespace_for_base(const char *basedn);
int			 namespace_has_referrals(struct namespace *ns);
struct referrals	*namespace_referrals(const char *basedn);
int			 namespace_has_index(struct namespace *ns,
			    const char *attr, enum index_type type);
/* Transactions: begin_txn returns both btree transactions through its
 * out-parameters; begin/commit/abort operate on ns->data_txn/indx_txn. */
int			 namespace_begin_txn(struct namespace *ns,
			    struct btree_txn **data_txn,
			    struct btree_txn **indx_txn, int rdonly);
int			 namespace_begin(struct namespace *ns);
int			 namespace_commit(struct namespace *ns);
void			 namespace_abort(struct namespace *ns);
int			 namespace_queue_request(struct namespace *ns,
			    struct request *req);
void			 namespace_queue_schedule(struct namespace *ns,
			    unsigned int usec);
void			 namespace_cancel_conn(struct conn *conn);
int			 namespace_conn_queue_count(struct conn *conn);

/* Namespace-aware wrappers around ber2db()/db2ber() in util.c (they
 * presumably supply ns->compression_level — confirm in namespace.c). */
int			 namespace_ber2db(struct namespace *ns,
			    struct ber_element *root, struct btval *val);
struct ber_element	*namespace_db2ber(struct namespace *ns,
			    struct btval *val);

/* attributes.c */
struct ber_element	*ldap_get_attribute(struct ber_element *root,
			    const char *attr);
struct ber_element	*ldap_find_attribute(struct ber_element *entry,
			    struct attr_type *at);
struct ber_element	*ldap_find_value(struct ber_element *elm,
			    const char *value);
struct ber_element	*ldap_add_attribute(struct ber_element *root,
			    const char *attr, struct ber_element *vals);
int			 ldap_set_values(struct ber_element *elm,
			    struct ber_element *vals);
int			 ldap_merge_values(struct ber_element *elm,
			    struct ber_element *vals);
int			 ldap_del_attribute(struct ber_element *entry,
			    const char *attrdesc);
int			 ldap_del_values(struct ber_element *elm,
			    struct ber_element *vals);
char			*ldap_strftime(time_t tm);
char			*ldap_now(void);

/* control.c */
void			 control_init(struct control_sock *);
void			 control_listen(struct control_sock *);
void			 control_accept(int, short, void *);
void			 control_dispatch_imsg(int, short, void *);
void			 control_cleanup(struct control_sock *);
int			 control_close_any(struct control_sock *);

/* filter.c */
int			 ldap_matches_filter(struct ber_element *root,
			    struct plan *plan);

/* search.c */
int			 ldap_search(struct request *req);
void			 conn_search(struct search *search);
void			 search_close(struct search *search);
int			 is_child_of(struct btval *key, const char *base);

/* modify.c */
int			 ldap_add(struct request *req);
int			 ldap_delete(struct request *req);
int			 ldap_modify(struct request *req);

/* auth.c */
extern struct imsgev	*iev_ldapd;
int			 ldap_bind(struct request *req);
void			 ldap_bind_continue(struct conn *conn, int ok);
/* Access check; rights is presumably an ACI_* mask and scope an enum scope
 * value passed as int — confirm against the callers. */
int			 authorized(struct conn *conn, struct namespace *ns,
			    int rights, char *dn, char *attr, int scope);

/* parse.y */
int			 parse_config(char *filename);
int			 cmdline_symset(char *s);
int			 ssl_cmp(struct ssl *, struct ssl *);
SPLAY_PROTOTYPE(ssltree, ssl, ssl_nodes, ssl_cmp);


/* logmsg.c */
void			 ldap_loginit(const char *, int, int);
const char		*print_host(struct sockaddr_storage *ss, char *buf,
			    size_t len);
void			 hexdump(void *data, size_t len, const char *fmt, ...);
void			 ldap_debug_elements(struct ber_element *root,
			    int context, const char *fmt, ...);
/* util.c */
int			 bsnprintf(char *str, size_t size,
			    const char *format, ...);
int			 has_suffix(struct btval *key, const char *suffix);
int			 has_prefix(struct btval *key, const char *prefix);
void			 normalize_dn(char *dn);	/* normalizes in place */
int			 ber2db(struct ber_element *root, struct btval *val,
			    int compression_level);
struct ber_element	*db2ber(struct btval *val, int compression_level);
/* accept(2) variant that keeps `reserve' descriptors free (cf. FD_RESERVE). */
int			 accept_reserve(int sockfd, struct sockaddr *addr,
			    socklen_t *addrlen, int reserve);

/* index.c */
int			 index_entry(struct namespace *ns, struct btval *dn,
			    struct ber_element *elm);
int			 unindex_entry(struct namespace *ns, struct btval *dn,
			    struct ber_element *elm);
int			 index_to_dn(struct namespace *ns, struct btval *indx,
			    struct btval *dn);

/* validate.c */
/* relax mirrors namespace.relax (relaxed schema validation). */
int			 validate_entry(const char *dn, struct ber_element *entry, int relax);

#endif /* _LDAPD_H */