/* $OpenBSD: ldapd.h,v 1.23 2012/06/16 00:08:32 jmatthew Exp $ */

/*
 * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Shared declarations for ldapd: compile-time defaults, the in-memory
 * configuration model (namespaces, listeners, ACLs, referrals), per-connection
 * and per-search state, the imsg message types exchanged between processes,
 * and the prototypes of every .c file in the daemon.
 */

#ifndef _LDAPD_H
#define _LDAPD_H

#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/tree.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/param.h>

#include <event.h>
#include <imsg.h>
#include <limits.h>
#include <pwd.h>
#include <stdarg.h>

#include "aldap.h"
#include "schema.h"
#include "btree.h"
#include "imsgev.h"

/* Compile-time defaults: paths, the unprivileged user, ports and limits. */
#define CONFFILE		"/etc/ldapd.conf"
#define LDAPD_USER		"_ldapd"
#define LDAPD_SOCKET		"/var/run/ldapd.sock"
#define DATADIR			"/var/db/ldap"
#define LDAP_PORT		389
#define LDAPS_PORT		636
#define LDAPD_SESSION_TIMEOUT	30	/* seconds, presumably; see the users */
#define MAX_LISTEN		64
#define FD_RESERVE		8	/* 5 overhead, 2 for db, 1 accept */

/* Listener flags (struct listener.flags). */
#define F_STARTTLS		0x01
#define F_LDAPS			0x02
#define F_SSL			(F_LDAPS|F_STARTTLS)	/* any TLS variant */

#define F_SECURE		0x04

/*
 * Certificate flag. NOTE(review): this lives in a different flag word than
 * F_STARTTLS although both are 0x01 -- do not test it against listener or
 * connection flags.
 */
#define F_SCERT			0x01

struct conn;

/*
 * One access control entry. Entries are kept in a SIMPLEQ (struct acl);
 * the order is therefore the order in which they were configured.
 */
struct aci {
	SIMPLEQ_ENTRY(aci)	 entry;
#define ACI_DENY		0
#define ACI_ALLOW		1
	int			 type;		/* ACI_DENY or ACI_ALLOW */
#define ACI_READ		0x01
#define ACI_WRITE		0x02
#define ACI_COMPARE		0x04
#define ACI_CREATE		0x08
#define ACI_BIND		0x10
#define ACI_ALL			0x1F		/* every ACI_* bit above */
	int			 rights;	/* bitmask of ACI_* */
	enum scope		 scope;		/* base, onelevel or subtree */
	char			*attribute;
	char			*target;
	char			*subject;
	char			*filter;
};
SIMPLEQ_HEAD(acl, aci);

/* An LDAP request.
 */
struct request {
	TAILQ_ENTRY(request)	 next;
	unsigned long		 type;
	long long		 msgid;		/* LDAP message id, 64-bit here */
	struct ber_element	*root;		/* whole decoded message */
	struct ber_element	*op;		/* the protocolOp element */
	struct conn		*conn;		/* connection it arrived on */
	int			 replayed;	/* true if replayed request */
};
TAILQ_HEAD(request_queue, request);

/*
 * Index kinds. INDEX_EQUAL, INDEX_APPROX and INDEX_PRESENCE deliberately
 * share the value 1, so they are indistinguishable once stored; only
 * INDEX_NONE (0) and INDEX_SUBSTR (2) are distinct from them.
 */
enum index_type {
	INDEX_NONE,
	INDEX_EQUAL = 1,
	INDEX_APPROX = 1,
	INDEX_PRESENCE = 1,
	INDEX_SUBSTR
};

/* A configured index on one attribute of a namespace. */
struct attr_index {
	TAILQ_ENTRY(attr_index)	 next;
	char			*attr;
	enum index_type		 type;
};
TAILQ_HEAD(attr_index_list, attr_index);

/* A referral URL; kept in a singly linked list (struct referrals). */
struct referral {
	SLIST_ENTRY(referral)	 next;
	char			*url;
};
SLIST_HEAD(referrals, referral);

/*
 * One configured namespace (suffix): its backing databases, pending
 * transactions, indices, ACL and the queue of requests waiting on it.
 */
struct namespace {
	TAILQ_ENTRY(namespace)	 next;
	char			*suffix;
	struct referrals	 referrals;
	char			*rootdn;
	char			*rootpw;	/* NOTE(review): credential in memory */
	char			*data_path;
	char			*indx_path;
	struct btree		*data_db;	/* entry database */
	struct btree		*indx_db;	/* index database */
	struct btree_txn	*data_txn;	/* open txn on data_db, if any */
	struct btree_txn	*indx_txn;	/* open txn on indx_db, if any */
	int			 sync;		/* 1 = fsync after commit */
	struct attr_index_list	 indices;
	unsigned int		 cache_size;
	unsigned int		 index_cache_size;
	struct request_queue	 request_queue;
	struct event		 ev_queue;	/* drives request_queue */
	unsigned int		 queued_requests;
	struct acl		 acl;
	int			 relax;		/* relax schema validation */
	int			 compression_level; /* 0-9, 0 = disabled */
};

TAILQ_HEAD(namespace_list, namespace);

/* An index key prefix consulted by a query plan. */
struct index
{
	TAILQ_ENTRY(index)	 next;
	char			*prefix;
};

/* A query plan.
 */
struct plan
{
	TAILQ_ENTRY(plan)	 next;
	TAILQ_HEAD(, plan)	 args;		/* sub-plans (and/or/not) */
	TAILQ_HEAD(, index)	 indices;	/* indices usable for this node */
	struct attr_type	*at;
	char			*adesc;		/* attribute description */
	union {
		char			*value;
		struct ber_element	*substring;
	} assert;				/* which member is valid depends on op */
	int			 op;
	int			 indexed;	/* non-zero if an index can serve it */
	int			 undefined;
};

/* For OR filters using multiple indices, matches are not unique. Remember
 * all DNs sent to the client to make them unique.
 */
struct uniqdn {
	RB_ENTRY(uniqdn)	 link;
	struct btval		 key;
};
RB_HEAD(dn_tree, uniqdn);
RB_PROTOTYPE(dn_tree, uniqdn, link, uniqdn_cmp);

/* An LDAP search request.
 */
struct search {
	TAILQ_ENTRY(search)	 next;
	int			 init;		/* 1 if cursor initiated */
	struct conn		*conn;
	struct request		*req;
	struct namespace	*ns;
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	struct cursor		*cursor;
	unsigned int		 nscanned, nmatched, ndups;	/* progress counters */
	time_t			 started_at;	/* for tmlim enforcement */
	long long		 szlim, tmlim;	/* size and time limits */
	int			 typesonly;	/* not implemented */
	long long		 scope;
	long long		 deref;		/* not implemented */
	char			*basedn;
	struct ber_element	*filter, *attrlist;
	struct plan		*plan;
	struct index		*cindx;		/* current index */
	struct dn_tree		 uniqdns;	/* see struct uniqdn */
};

/* A listening socket and its TLS state. */
struct listener {
	unsigned int		 flags;		/* F_STARTTLS or F_LDAPS */
	struct sockaddr_storage	 ss;
	int			 port;
	int			 fd;
	struct event		 ev;
	struct event		 evt;
	char			 ssl_cert_name[PATH_MAX];
	struct ssl		*ssl;
	void			*ssl_ctx;	/* opaque TLS library context */
	TAILQ_ENTRY(listener)	 entry;
};
TAILQ_HEAD(listenerlist, listener);

/* An LDAP client connection.
 */
struct conn {
	TAILQ_ENTRY(conn)	 next;
	int			 fd;
	struct bufferevent	*bev;
	struct ber		 ber;		/* BER decoder state for this fd */
	int			 disconnect;	/* set when the conn is going away */
	struct request		*bind_req;	/* ongoing bind request */
	char			*binddn;	/* identity of the bound user */
	char			*pending_binddn; /* becomes binddn once bind succeeds */
	TAILQ_HEAD(, search)	 searches;	/* searches in progress on this conn */
	struct listener		*listener;	/* where it connected from */

	/* SSL support */
	struct event		 s_ev;
	struct timeval		 s_tv;
	struct listener		*s_l;
	void			*s_ssl;		/* opaque TLS session */
	unsigned char		*s_buf;
	int			 s_buflen;
	unsigned int		 s_flags;
};
/*
 * NOTE(review): the trailing declarator makes this a tentative definition of
 * the variable conn_list in every translation unit that includes this header,
 * while conn.c is also declared below to own it via "extern". That only links
 * with -fcommon; confirm conn.c defines it and consider dropping the
 * declarator here (TAILQ_HEAD(conn_list, conn);).
 */
TAILQ_HEAD(conn_list, conn)	 conn_list;

/* A loaded certificate/key pair, keyed by name in a splay tree. */
struct ssl {
	SPLAY_ENTRY(ssl)	 ssl_nodes;
	char			 ssl_name[PATH_MAX];
	char			*ssl_cert;	/* raw certificate bytes */
	off_t			 ssl_cert_len;
	char			*ssl_key;	/* raw key bytes; NOTE(review): secret */
	off_t			 ssl_key_len;
	uint8_t			 flags;
};

/* The parsed configuration. */
struct ldapd_config
{
	struct namespace_list		 namespaces;
	struct listenerlist		 listeners;
	SPLAY_HEAD(ssltree, ssl)	*sc_ssl;
	struct referrals		 referrals;	/* global referrals */
	struct acl			 acl;		/* global ACL */
	struct schema			*schema;
	char				*rootdn;
	char				*rootpw;	/* NOTE(review): credential in memory */
};

/* Counters reported over the control socket. */
struct ldapd_stats
{
	time_t			 started_at;	/* time of daemon startup */
	unsigned long long	 requests;	/* total number of requests */
	unsigned long long	 req_search;	/* search requests */
	unsigned long long	 req_bind;	/* bind requests */
	unsigned long long	 req_mod;	/* add/mod/del requests */
	unsigned long long	 timeouts;	/* search timeouts */
	unsigned long long	 unindexed;	/* unindexed searches */
	unsigned int		 conns;		/* active connections */
	unsigned int		 searches;	/* active searches */
};

/*
 * Authentication request passed between processes (presumably the payload
 * of IMSG_LDAPD_AUTH). Both strings are fixed-size; the producer must bound
 * or reject longer input. The password travels in clear text inside this
 * struct -- NOTE(review): callers should clear it once it has been used.
 */
struct auth_req
{
	int			 fd;
	long long		 msgid;
	char			 name[128];
	char			 password[128];
};

/* Reply to struct auth_req (presumably IMSG_LDAPD_AUTH_RESULT). */
struct auth_res
{
	int			 ok;		/* non-zero on success */
	int			 fd;
	long long		 msgid;
};

/* Request to open a database file (presumably IMSG_LDAPD_OPEN). */
struct open_req {
	char			 path[MAXPATHLEN+1];
	unsigned int		 rdonly;
};

/* imsg message types exchanged between the ldapd processes and ldapctl. */
enum imsg_type {
	IMSG_NONE,
	IMSG_CTL_OK,
	IMSG_CTL_FAIL,
	IMSG_CTL_END,
	IMSG_CTL_STATS,
	IMSG_CTL_NSSTATS,
	IMSG_CTL_LOG_VERBOSE,

	IMSG_LDAPD_AUTH,
	IMSG_LDAPD_AUTH_RESULT,
	IMSG_LDAPD_OPEN,
	IMSG_LDAPD_OPEN_RESULT,
};

/*
 * Per-namespace statistics. NOTE(review): suffix is a fixed 256-byte buffer
 * while struct namespace.suffix is a heap string; copies into it must be
 * bounded.
 */
struct ns_stat {
	char			 suffix[256];
	struct btree_stat	 data_stat;
	struct btree_stat	 indx_stat;
};

/* A client of the control socket. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	u_int8_t		 flags;
#define CTL_CONN_NOTIFY		0x01
#define CTL_CONN_LOCKED		0x02	/* restricted mode */
	struct imsgev		 iev;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
extern struct ctl_connlist ctl_conns;


/* A control (unix) socket; cs_restricted limits what its clients may do. */
struct control_sock {
	const char		*cs_name;
	struct event		 cs_ev;
	struct event		 cs_evt;
	int			 cs_fd;
	int			 cs_restricted;
};

/* ldapd.c */
extern struct ldapd_stats	 stats;
extern struct ldapd_config	*conf;

void			 fd_nonblock(int fd);
void			 imsg_event_add(struct imsgev *iev);
int			 imsg_compose_event(struct imsgev *iev, u_int16_t type,
			    u_int32_t peerid, pid_t pid, int fd, void *data,
			    u_int16_t datalen);
int			 imsg_event_handle(struct imsgev *iev, short event);

/* conn.c */
extern struct conn_list	 conn_list;
struct conn		*conn_by_fd(int fd);
void			 conn_read(struct bufferevent *bev, void *data);
void			 conn_write(struct bufferevent *bev, void *data);
void			 conn_err(struct bufferevent *bev, short w, void *data);
void			 conn_accept(int fd, short why, void *data);
void			 conn_close(struct conn *conn);
int			 conn_close_any(void);
void			 conn_disconnect(struct conn *conn);
void			 request_dispatch(struct request *req);
void			 request_free(struct request *req);

/* ldape.c */
pid_t			 ldape(struct passwd *pw, char *csockpath,
			    int pipe_parent2ldap[2]);
int			 ldap_abandon(struct request *req);
int			 ldap_unbind(struct request *req);
int			 ldap_compare(struct request *req);
int			 ldap_extended(struct request *req);

/*
 * NOTE(review): msgid is int here although struct request.msgid is
 * long long; call sites narrow the value.
 */
void			 send_ldap_result(struct conn *conn, int msgid,
			    unsigned long type, long long result_code);
int			 ldap_respond(struct request *req, int code);
int			 ldap_refer(struct request *req, const char *basedn,
			    struct search *search, struct referrals *refs);

/* namespace.c
 */
struct namespace	*namespace_new(const char *suffix);
int			 namespace_open(struct namespace *ns);
int			 namespace_reopen_data(struct namespace *ns);
int			 namespace_reopen_indx(struct namespace *ns);
int			 namespace_set_data_fd(struct namespace *ns, int fd);
int			 namespace_set_indx_fd(struct namespace *ns, int fd);
struct namespace	*namespace_init(const char *suffix, const char *dir);
void			 namespace_close(struct namespace *ns);
void			 namespace_remove(struct namespace *ns);
struct ber_element	*namespace_get(struct namespace *ns, char *dn);
int			 namespace_exists(struct namespace *ns, char *dn);
int			 namespace_add(struct namespace *ns, char *dn,
			    struct ber_element *root);
int			 namespace_update(struct namespace *ns, char *dn,
			    struct ber_element *root);
int			 namespace_del(struct namespace *ns, char *dn);
struct namespace	*namespace_lookup_base(const char *basedn,
			    int include_referrals);
struct namespace	*namespace_for_base(const char *basedn);
int			 namespace_has_referrals(struct namespace *ns);
struct referrals	*namespace_referrals(const char *basedn);
int			 namespace_has_index(struct namespace *ns,
			    const char *attr, enum index_type type);
int			 namespace_begin_txn(struct namespace *ns,
			    struct btree_txn **data_txn,
			    struct btree_txn **indx_txn, int rdonly);
int			 namespace_begin(struct namespace *ns);
int			 namespace_commit(struct namespace *ns);
void			 namespace_abort(struct namespace *ns);
int			 namespace_queue_request(struct namespace *ns,
			    struct request *req);
void			 namespace_queue_schedule(struct namespace *ns,
			    unsigned int usec);
void			 namespace_cancel_conn(struct conn *conn);
int			 namespace_conn_queue_count(struct conn *conn);

/* Entry <-> database record conversion honouring ns->compression_level. */
int			 namespace_ber2db(struct namespace *ns,
			    struct ber_element *root, struct btval *val);
struct ber_element	*namespace_db2ber(struct namespace *ns,
			    struct btval *val);

/* attributes.c */
struct ber_element	*ldap_get_attribute(struct ber_element *root,
			    const char *attr);
struct ber_element	*ldap_find_attribute(struct ber_element *entry,
			    struct attr_type *at);
struct ber_element	*ldap_find_value(struct ber_element *elm,
			    const char *value);
struct ber_element	*ldap_add_attribute(struct ber_element *root,
			    const char *attr, struct ber_element *vals);
int			 ldap_set_values(struct ber_element *elm,
			    struct ber_element *vals);
int			 ldap_merge_values(struct ber_element *elm,
			    struct ber_element *vals);
int			 ldap_del_attribute(struct ber_element *entry,
			    const char *attrdesc);
int			 ldap_del_values(struct ber_element *elm,
			    struct ber_element *vals);
char			*ldap_strftime(time_t tm);
char			*ldap_now(void);

/* control.c */
void			 control_init(struct control_sock *);
void			 control_listen(struct control_sock *);
void			 control_accept(int, short, void *);
void			 control_dispatch_imsg(int, short, void *);
void			 control_cleanup(struct control_sock *);
int			 control_close_any(struct control_sock *);

/* filter.c */
int			 ldap_matches_filter(struct ber_element *root,
			    struct plan *plan);

/* search.c */
int			 ldap_search(struct request *req);
void			 conn_search(struct search *search);
void			 search_close(struct search *search);
int			 is_child_of(struct btval *key, const char *base);

/* modify.c */
int			 ldap_add(struct request *req);
int			 ldap_delete(struct request *req);
int			 ldap_modify(struct request *req);

/* auth.c */
extern struct imsgev	*iev_ldapd;
int			 ldap_bind(struct request *req);
void			 ldap_bind_continue(struct conn *conn, int ok);
/* rights is presumably a bitmask of ACI_*; scope matches struct aci.scope. */
int			 authorized(struct conn *conn, struct namespace *ns,
			    int rights, char *dn, int scope);

/* parse.y */
int			 parse_config(char *filename);
int			 cmdline_symset(char *s);

/* log.c */
void			 log_init(int);
void			 log_verbose(int v);
void			 vlog(int, const char *, va_list);
void			 logit(int pri, const char *fmt, ...);
void			 log_warn(const char *, ...);
void			 log_warnx(const char *, ...);
void			 log_info(const char *, ...);
void			 log_debug(const char *, ...);
/* fatal() and fatalx() never return (__dead). */
__dead void		 fatal(const char *);
__dead void		 fatalx(const char *);
const char		*print_host(struct sockaddr_storage *ss, char *buf,
			    size_t len);
void			 hexdump(void *data, size_t len, const char *fmt, ...);
void			 ldap_debug_elements(struct ber_element *root,
			    int context, const char *fmt, ...);

/* util.c */
int			 bsnprintf(char *str, size_t size,
			    const char *format, ...);
int			 has_suffix(struct btval *key, const char *suffix);
int			 has_prefix(struct btval *key, const char *prefix);
void			 normalize_dn(char *dn);		/* in place */
int			 ber2db(struct ber_element *root, struct btval *val,
			    int compression_level);
struct ber_element	*db2ber(struct btval *val, int compression_level);
/* reserve is presumably the number of fds to keep free (cf. FD_RESERVE). */
int			 accept_reserve(int sockfd, struct sockaddr *addr,
			    socklen_t *addrlen, int reserve);

/* index.c */
int			 index_entry(struct namespace *ns, struct btval *dn,
			    struct ber_element *elm);
int			 unindex_entry(struct namespace *ns, struct btval *dn,
			    struct ber_element *elm);
int			 index_to_dn(struct namespace *ns, struct btval *indx,
			    struct btval *dn);

/* ssl.c */
void			 ssl_init(void);
void			 ssl_transaction(struct conn *);

void			 ssl_session_init(struct conn *);
void			 ssl_session_destroy(struct conn *);
int			 ssl_load_certfile(struct ldapd_config *, const char *, u_int8_t);
void			 ssl_setup(struct ldapd_config *, struct listener *);
int			 ssl_cmp(struct ssl *, struct ssl *);
SPLAY_PROTOTYPE(ssltree, ssl, ssl_nodes, ssl_cmp);

/* ssl_privsep.c */
int			 ssl_ctx_use_private_key(void *, char *, off_t);
int			 ssl_ctx_use_certificate_chain(void *, char *, off_t);

/* validate.c */
int			 validate_entry(const char *dn, struct ber_element *entry, int relax);

#endif /* _LDAPD_H */
