1 /*	$OpenBSD: ldapd.h,v 1.21 2010/11/10 08:00:54 martinh Exp $ */
2 
3 /*
4  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #ifndef _LDAPD_H
20 #define _LDAPD_H
21 
22 #include <sys/queue.h>
23 #include <sys/socket.h>
24 #include <sys/tree.h>
25 #include <sys/types.h>
26 #include <sys/uio.h>
27 #include <sys/param.h>
28 
29 #include <event.h>
30 #include <imsg.h>
31 #include <limits.h>
32 #include <pwd.h>
33 #include <stdarg.h>
34 
35 #include "aldap.h"
36 #include "schema.h"
37 #include "btree.h"
38 #include "imsgev.h"
39 
/* Default paths, ports and limits. */
#define CONFFILE		 "/etc/ldapd.conf"
#define LDAPD_USER		 "_ldapd"	/* passwd entry handed to ldape(), presumably the unprivileged user */
#define LDAPD_SOCKET		 "/var/run/ldapd.sock"	/* control socket path */
#define DATADIR			 "/var/db/ldap"
#define LDAP_PORT		 389
#define LDAPS_PORT		 636
#define LDAPD_SESSION_TIMEOUT	 30
#define MAX_LISTEN		 64

/* Listener flags (struct listener.flags): how TLS is negotiated on a port. */
#define F_STARTTLS		 0x01
#define F_LDAPS			 0x02
#define F_SSL			(F_LDAPS|F_STARTTLS)	/* any TLS mode */

#define F_SECURE		 0x04		/* which flags word uses this is not visible here -- TODO confirm */

/* Certificate flag passed to ssl_load_certfile() as its u_int8_t argument
 * (presumably stored in struct ssl.flags). It shares the numeric value
 * 0x01 with F_STARTTLS but belongs to a different flags word; never test
 * listener->flags against it.
 */
#define F_SCERT			 0x01
56 
57 struct conn;
58 
/* One access control rule. Rules are chained in a struct acl (SIMPLEQ);
 * the ACI_DENY/ACI_ALLOW defines document the type field and the ACI_*
 * bit values document the rights mask, following the usual OpenBSD
 * convention of placing the defines just above the field they apply to.
 * attribute, target, subject and filter are rule qualifiers filled in by
 * the config parser (parse.y); their exact matching semantics are not
 * visible in this header.
 */
struct aci {
	SIMPLEQ_ENTRY(aci)	 entry;
#define ACI_DENY		 0
#define ACI_ALLOW		 1
	int			 type;		/* ACI_DENY or ACI_ALLOW */
#define ACI_READ		 0x01
#define ACI_WRITE		 0x02
#define ACI_COMPARE		 0x04
#define ACI_CREATE		 0x08
#define ACI_BIND		 0x10
#define ACI_ALL			 0x1F		/* union of all ACI_* rights */
	int			 rights;	/* bit mask of ACI_* */
	enum scope		 scope;		/* base, onelevel or subtree */
	char			*attribute;
	char			*target;
	char			*subject;
	char			*filter;
};
SIMPLEQ_HEAD(acl, aci);
78 
/* An LDAP request.
 * One decoded protocol message from a client. Requests can be queued on a
 * namespace's request_queue (see namespace_queue_request() below) and are
 * released with request_free().
 */
struct request {
	TAILQ_ENTRY(request)	 next;
	unsigned long		 type;		/* protocol operation tag */
	long long		 msgid;		/* client message id, echoed in the result */
	struct ber_element	*root;		/* whole decoded message */
	struct ber_element	*op;		/* the operation element inside root */
	struct conn		*conn;		/* connection the request arrived on */
	int			 replayed;	/* true if replayed request */
};
TAILQ_HEAD(request_queue, request);
91 
/* Kinds of attribute index a namespace may maintain; passed to
 * namespace_has_index(). INDEX_EQUAL, INDEX_APPROX and INDEX_PRESENCE
 * deliberately share the value 1, so they are indistinguishable once
 * stored -- a single equality index serves all three. INDEX_SUBSTR is
 * therefore 2.
 */
enum index_type {
	INDEX_NONE,
	INDEX_EQUAL	= 1,
	INDEX_APPROX	= 1,
	INDEX_PRESENCE	= 1,
	INDEX_SUBSTR
};
99 
/* A configured index on one attribute (namespace->indices). */
struct attr_index {
	TAILQ_ENTRY(attr_index)	 next;
	char			*attr;		/* attribute name */
	enum index_type		 type;
};
TAILQ_HEAD(attr_index_list, attr_index);
106 
/* One referral URL; a struct referrals list is kept globally in
 * ldapd_config and per namespace.
 */
struct referral {
	SLIST_ENTRY(referral)	 next;
	char			*url;
};
SLIST_HEAD(referrals, referral);
112 
/* A directory partition rooted at suffix, backed by two btree databases:
 * data_db holds entries, indx_db the attribute indices. data_txn/indx_txn
 * are the currently open transactions (see namespace_begin_txn()).
 * Requests that cannot run immediately wait on request_queue; ev_queue
 * drives the retry (see namespace_queue_schedule()).
 */
struct namespace {
	TAILQ_ENTRY(namespace)	 next;
	char			*suffix;	/* DN suffix this namespace serves */
	struct referrals	 referrals;
	char			*rootdn;
	/* NOTE(review): rootpw lives as a plain C string in process memory for
	 * the daemon's lifetime; whether parse.y stores it hashed or in clear
	 * is not visible here -- confirm before logging or copying it. */
	char			*rootpw;
	char			*data_path;	/* path of data_db */
	char			*indx_path;	/* path of indx_db */
	struct btree		*data_db;
	struct btree		*indx_db;
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	int			 sync;		/* 1 = fsync after commit */
	struct attr_index_list	 indices;	/* configured attribute indices */
	unsigned int		 cache_size;
	unsigned int		 index_cache_size;
	struct request_queue	 request_queue;
	struct event		 ev_queue;
	unsigned int		 queued_requests;	/* length of request_queue */
	struct acl		 acl;		/* per-namespace access rules */
	int			 relax;		/* relax schema validation */
	int			 compression_level;	/* 0-9, 0 = disabled */
};

TAILQ_HEAD(namespace_list, namespace);
138 
/* One index key prefix consulted by a query plan (struct plan.indices);
 * struct search.cindx points at the one currently being scanned.
 */
struct index
{
	TAILQ_ENTRY(index)	 next;
	char			*prefix;
};
144 
/* A query plan.
 * One node of the tree built from a search filter: args holds the child
 * plans of a compound filter, indices the index prefixes usable for this
 * node. The assert union carries the asserted value, either a plain
 * string or the substring components of a substring filter; which member
 * is valid depends on op.
 */
struct plan
{
	TAILQ_ENTRY(plan)	 next;
	TAILQ_HEAD(, plan)	 args;		/* sub-filters */
	TAILQ_HEAD(, index)	 indices;	/* candidate indices */
	struct attr_type	*at;		/* schema type of the attribute, if known */
	char			*adesc;		/* attribute description as written in the filter */
	union {
		char			*value;
		struct ber_element	*substring;
	} assert;
	int			 op;		/* filter operation */
	int			 indexed;	/* nonzero when an index can serve this node */
	int			 undefined;	/* nonzero when the filter is undefined (e.g. unknown attribute) -- TODO confirm */
};
162 
/* For OR filters using multiple indices, matches are not unique. Remember
 * all DNs sent to the client to make them unique.
 * Nodes are kept in the red-black tree dn_tree, ordered by uniqdn_cmp.
 */
struct uniqdn {
	RB_ENTRY(uniqdn)	 link;
	struct btval		 key;		/* the DN already sent */
};
RB_HEAD(dn_tree, uniqdn);
RB_PROTOTYPE(dn_tree, uniqdn, link, uniqdn_cmp);
172 
/* An LDAP search request.
 * State of one search in progress, kept on conn->searches while results
 * are streamed. The search reads through a btree cursor inside its own
 * read transactions (data_txn/indx_txn); nscanned, nmatched and ndups
 * are counters for statistics and limit checks.
 */
struct search {
	TAILQ_ENTRY(search)	 next;
	int			 init;		/* 1 if cursor initiated */
	struct conn		*conn;
	struct request		*req;		/* the originating request */
	struct namespace	*ns;		/* namespace being searched */
	struct btree_txn	*data_txn;
	struct btree_txn	*indx_txn;
	struct cursor		*cursor;
	unsigned int		 nscanned, nmatched, ndups;
	time_t			 started_at;	/* for the time limit */
	long long		 szlim, tmlim;	/* size and time limits */
	int			 typesonly;	/* not implemented */
	long long		 scope;		/* base, onelevel or subtree as sent by the client */
	long long		 deref;		/* not implemented */
	char			*basedn;
	struct ber_element	*filter, *attrlist;
	struct plan		*plan;		/* compiled filter */
	struct index		*cindx;		/* current index */
	struct dn_tree		 uniqdns;	/* DNs already sent, see struct uniqdn */
};
196 
/* A listening socket. ssl/ssl_ctx are only meaningful when flags has an
 * F_SSL bit set; ssl_cert_name names the certificate to use, presumably
 * resolved against conf->sc_ssl by ssl_setup() -- confirm in ssl.c.
 */
struct listener {
	unsigned int		 flags;		/* F_STARTTLS or F_LDAPS */
	struct sockaddr_storage	 ss;		/* bound address */
	int			 port;
	int			 fd;
	struct event		 ev;		/* accept event, see conn_accept() */
	char			 ssl_cert_name[PATH_MAX];
	struct ssl		*ssl;
	void			*ssl_ctx;	/* opaque TLS context */
	TAILQ_ENTRY(listener)	 entry;
};
TAILQ_HEAD(listenerlist, listener);
209 
/* An LDAP client connection.
 * Connections live on the global conn_list. bind_req and pending_binddn
 * hold state while a bind is being answered asynchronously (see
 * ldap_bind_continue()); binddn is presumably the identity that
 * authorized() checks requests against -- confirm in auth.c. The s_*
 * members belong to the TLS layer in ssl.c.
 */
struct conn
{
	TAILQ_ENTRY(conn)	 next;
	int			 fd;
	struct bufferevent	*bev;
	struct ber		 ber;		/* BER decoder state for this socket */
	int			 disconnect;	/* nonzero once the connection is being torn down */
	struct request		*bind_req;	/* ongoing bind request */
	char			*binddn;	/* DN the client is bound as, NULL when anonymous -- TODO confirm */
	char			*pending_binddn;	/* DN of the bind in progress */
	TAILQ_HEAD(, search)	 searches;	/* searches in progress */
	struct listener		*listener;	/* where it connected from */

	/* SSL support */
	struct event		 s_ev;
	struct timeval		 s_tv;
	struct listener		*s_l;
	void			*s_ssl;		/* opaque TLS session */
	unsigned char		*s_buf;		/* s_buflen bytes of buffered data */
	int			 s_buflen;
	unsigned int		 s_flags;
};
/* NOTE(review): this is a tentative definition of the variable conn_list
 * in a header, so every translation unit that includes ldapd.h defines it
 * and the program links only through common symbols (breaks with
 * -fno-common). An `extern struct conn_list conn_list;` declaration
 * already exists under the conn.c section below; the definition should
 * move into conn.c and this line become `TAILQ_HEAD(conn_list, conn);`.
 */
TAILQ_HEAD(conn_list, conn)	 conn_list;
235 
/* A TLS certificate/key pair, kept in the ssltree splay tree ordered by
 * ssl_cmp(). ssl_cert and ssl_key are heap buffers of ssl_cert_len and
 * ssl_key_len bytes, presumably the file contents read by
 * ssl_load_certfile() -- confirm in ssl.c.
 * NOTE(review): ssl_key holds private key material; it should be cleared
 * with explicit_bzero() before it is freed and must never be logged or
 * hexdumped.
 */
struct ssl {
	SPLAY_ENTRY(ssl)	 ssl_nodes;
	char			 ssl_name[PATH_MAX];
	char			*ssl_cert;
	off_t			 ssl_cert_len;
	char			*ssl_key;
	off_t			 ssl_key_len;
	uint8_t			 flags;		/* F_SCERT, presumably */
};
245 
/* The parsed configuration (global conf). rootdn/rootpw are the global
 * values; each namespace carries its own pair as well, and which one wins
 * is decided in auth.c, not here.
 */
struct ldapd_config
{
	struct namespace_list		 namespaces;
	struct listenerlist		 listeners;
	SPLAY_HEAD(ssltree, ssl)	*sc_ssl;	/* loaded certificates, see ssl_load_certfile() */
	struct referrals		 referrals;	/* global referrals */
	struct acl			 acl;		/* global access rules */
	struct schema			*schema;
	char				*rootdn;
	char				*rootpw;	/* NOTE(review): clear or hashed is not visible here -- confirm in parse.y */
};
257 
/* Daemon-wide counters (global stats), reported over the control socket
 * with IMSG_CTL_STATS.
 */
struct ldapd_stats
{
	time_t			 started_at;	/* time of daemon startup */
	unsigned long long	 requests;	/* total number of requests */
	unsigned long long	 req_search;	/* search requests */
	unsigned long long	 req_bind;	/* bind requests */
	unsigned long long	 req_mod;	/* add/mod/del requests */
	unsigned long long	 timeouts;	/* search timeouts */
	unsigned long long	 unindexed;	/* unindexed searches */
	unsigned int		 conns;		/* active connections */
	unsigned int		 searches;	/* active searches */
};
270 
/* A credential check handed to another process, presumably as the
 * IMSG_LDAPD_AUTH payload with struct auth_res as the reply -- confirm in
 * auth.c/ldapd.c. fd and msgid identify the connection and bind request
 * the answer belongs to.
 * NOTE(review): password carries a clear-text credential in a fixed
 * 128-byte buffer. Whoever fills it must bound the copy to sizeof the
 * field and keep it NUL-terminated, and both sides should explicit_bzero()
 * the struct once it has been consumed.
 */
struct auth_req
{
	int			 fd;
	long long		 msgid;
	char			 name[128];
	char			 password[128];
};
278 
/* Reply to a struct auth_req (presumably the IMSG_LDAPD_AUTH_RESULT
 * payload): ok is the verdict, fd and msgid are echoed back so the
 * answer can be matched to its bind request.
 */
struct auth_res
{
	int			 ok;
	int			 fd;
	long long		 msgid;
};
285 
/* Request to open a database file on behalf of the caller, presumably the
 * IMSG_LDAPD_OPEN payload answered with IMSG_LDAPD_OPEN_RESULT -- confirm
 * in ldapd.c. path is a fixed buffer and must stay NUL-terminated; the
 * receiver should validate it against the configured data paths rather
 * than open whatever it names.
 */
struct open_req {
	char			 path[MAXPATHLEN+1];
	unsigned int		 rdonly;	/* nonzero: open read-only */
};
290 
/* imsg message types. IMSG_CTL_* are exchanged with control socket
 * clients (see control.c); IMSG_LDAPD_* are exchanged between the daemon
 * processes, presumably carrying struct auth_req/auth_res and
 * struct open_req -- confirm in auth.c and ldapd.c.
 */
enum imsg_type {
	IMSG_NONE,
	IMSG_CTL_OK,
	IMSG_CTL_FAIL,
	IMSG_CTL_END,
	IMSG_CTL_STATS,		/* struct ldapd_stats */
	IMSG_CTL_NSSTATS,	/* struct ns_stat, one per namespace */
	IMSG_CTL_LOG_VERBOSE,

	IMSG_LDAPD_AUTH,
	IMSG_LDAPD_AUTH_RESULT,
	IMSG_LDAPD_OPEN,
	IMSG_LDAPD_OPEN_RESULT,
};
305 
/* Per-namespace statistics as reported with IMSG_CTL_NSSTATS. suffix is
 * a fixed 256-byte buffer; copies into it must be bounded and
 * NUL-terminated.
 */
struct ns_stat {
	char			 suffix[256];
	struct btree_stat	 data_stat;
	struct btree_stat	 indx_stat;
};
311 
/* A client of the control socket. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	u_int8_t		 flags;		/* CTL_CONN_* bits */
#define CTL_CONN_NOTIFY		 0x01
#define CTL_CONN_LOCKED		 0x02		/* restricted mode */
	struct imsgev		 iev;		/* imsg/event state for this client */
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
extern  struct ctl_connlist ctl_conns;		/* all control clients */
321 
322 
/* A control socket (see control_init()/control_listen()). cs_restricted
 * presumably marks the socket whose clients get CTL_CONN_LOCKED -- confirm
 * in control.c.
 */
struct control_sock {
	const char		*cs_name;	/* socket path */
	struct event		 cs_ev;
	int			 cs_fd;
	int			 cs_restricted;
};
329 
/* ldapd.c */
extern struct ldapd_stats	 stats;		/* global counters */
extern struct ldapd_config	*conf;		/* parsed configuration */

void			 fd_nonblock(int fd);
void			 imsg_event_add(struct imsgev *iev);
/* Queue an imsg of the given type and datalen bytes of data on iev; fd is
 * passed along with the message (-1 for none, by imsg convention).
 */
int			 imsg_compose_event(struct imsgev *iev, u_int16_t type,
			    u_int32_t peerid, pid_t pid, int fd, void *data,
			    u_int16_t datalen);
int			 imsg_event_handle(struct imsgev *iev, short event);
340 
/* conn.c */
extern struct conn_list	 conn_list;		/* all client connections */
struct conn		*conn_by_fd(int fd);	/* NULL when no connection uses fd -- TODO confirm */
/* bufferevent callbacks; data is the struct conn. */
void			 conn_read(struct bufferevent *bev, void *data);
void			 conn_write(struct bufferevent *bev, void *data);
void			 conn_err(struct bufferevent *bev, short w, void *data);
void			 conn_accept(int fd, short why, void *data);	/* listener event callback, data is the struct listener */
void			 conn_close(struct conn *conn);
void			 conn_disconnect(struct conn *conn);
void			 request_dispatch(struct request *req);
void			 request_free(struct request *req);
352 
/* ldape.c */
/* Start the LDAP engine process as user pw, listening on the control
 * socket csockpath and talking to the parent over pipe_parent2ldap.
 */
pid_t			 ldape(struct passwd *pw, char *csockpath,
				int pipe_parent2ldap[2]);
int			 ldap_abandon(struct request *req);
int			 ldap_unbind(struct request *req);
int			 ldap_compare(struct request *req);
int			 ldap_extended(struct request *req);

/* Send an LDAPResult of the given operation type and result code for
 * message msgid on conn.
 */
void			 send_ldap_result(struct conn *conn, int msgid,
				unsigned long type, long long result_code);
int			 ldap_respond(struct request *req, int code);
int			 ldap_refer(struct request *req, const char *basedn,
			     struct search *search, struct referrals *refs);
366 
/* namespace.c
 * Lifecycle, lookup and storage operations on struct namespace. The int
 * functions report success or failure; the exact convention (0/-1 or
 * other) is not visible in this header.
 */
struct namespace	*namespace_new(const char *suffix);
int			 namespace_open(struct namespace *ns);
int			 namespace_reopen_data(struct namespace *ns);
int			 namespace_reopen_indx(struct namespace *ns);
/* Adopt an already opened file descriptor (e.g. one received over imsg)
 * for the data or index database.
 */
int			 namespace_set_data_fd(struct namespace *ns, int fd);
int			 namespace_set_indx_fd(struct namespace *ns, int fd);
struct namespace	*namespace_init(const char *suffix, const char *dir);
void			 namespace_close(struct namespace *ns);
void			 namespace_remove(struct namespace *ns);
/* Entry access by DN. dn is not const: presumably normalized in place. */
struct ber_element	*namespace_get(struct namespace *ns, char *dn);
int			 namespace_exists(struct namespace *ns, char *dn);
int			 namespace_add(struct namespace *ns, char *dn,
				struct ber_element *root);
int			 namespace_update(struct namespace *ns, char *dn,
				struct ber_element *root);
int			 namespace_del(struct namespace *ns, char *dn);
/* Find the namespace whose suffix covers basedn; include_referrals selects
 * whether referral-only namespaces count.
 */
struct namespace	*namespace_lookup_base(const char *basedn,
				int include_referrals);
struct namespace	*namespace_for_base(const char *basedn);
int			 namespace_has_referrals(struct namespace *ns);
struct referrals	*namespace_referrals(const char *basedn);
int			 namespace_has_index(struct namespace *ns,
				const char *attr, enum index_type type);
/* Transactions: begin_txn opens one on each database and returns them
 * through data_txn/indx_txn (read-only when rdonly); begin/commit/abort
 * operate on ns->data_txn and ns->indx_txn.
 */
int			 namespace_begin_txn(struct namespace *ns,
				struct btree_txn **data_txn,
				struct btree_txn **indx_txn, int rdonly);
int			 namespace_begin(struct namespace *ns);
int			 namespace_commit(struct namespace *ns);
void			 namespace_abort(struct namespace *ns);
/* Deferred requests (ns->request_queue); cancel_conn drops every queued
 * request belonging to conn.
 */
int			 namespace_queue_request(struct namespace *ns,
				struct request *req);
void			 namespace_queue_schedule(struct namespace *ns,
				unsigned int usec);
void			 namespace_cancel_conn(struct conn *conn);

/* Encode/decode an entry for storage, honouring ns->compression_level. */
int			 namespace_ber2db(struct namespace *ns,
				struct ber_element *root, struct btval *val);
struct ber_element	*namespace_db2ber(struct namespace *ns,
				struct btval *val);
408 
/* attributes.c
 * Helpers for the attribute list of a decoded entry (a ber_element tree).
 * Lookups return NULL when nothing matches -- TODO confirm.
 */
struct ber_element	*ldap_get_attribute(struct ber_element *root,
				const char *attr);
struct ber_element	*ldap_find_attribute(struct ber_element *entry,
				struct attr_type *at);
struct ber_element	*ldap_find_value(struct ber_element *elm,
				const char *value);
struct ber_element	*ldap_add_attribute(struct ber_element *root,
				const char *attr, struct ber_element *vals);
int			 ldap_set_values(struct ber_element *elm,
				struct ber_element *vals);
int			 ldap_merge_values(struct ber_element *elm,
				struct ber_element *vals);
int			 ldap_del_attribute(struct ber_element *entry,
				const char *attrdesc);
int			 ldap_del_values(struct ber_element *elm,
				struct ber_element *vals);
/* Generalized-time formatting. Both return a string whose storage
 * (static or allocated) is not visible here -- check before freeing.
 */
char			*ldap_strftime(time_t tm);
char			*ldap_now(void);
428 
/* control.c -- the ldapctl control socket. control_accept and
 * control_dispatch_imsg are libevent callbacks.
 */
void			 control_init(struct control_sock *);
void			 control_listen(struct control_sock *);
void			 control_accept(int, short, void *);
void			 control_dispatch_imsg(int, short, void *);
void			 control_cleanup(struct control_sock *);
435 
/* filter.c */
/* Evaluate the compiled filter plan against entry root. */
int			 ldap_matches_filter(struct ber_element *root,
				struct plan *plan);
439 
/* search.c */
int			 ldap_search(struct request *req);	/* handle a search request */
void			 conn_search(struct search *search);	/* continue streaming results */
void			 search_close(struct search *search);
/* Nonzero when the entry with btree key key lies below DN base. */
int			 is_child_of(struct btval *key, const char *base);
445 
/* modify.c -- write operations; one handler per request type. */
int			 ldap_add(struct request *req);
int			 ldap_delete(struct request *req);
int			 ldap_modify(struct request *req);
450 
/* auth.c */
extern struct imsgev	*iev_ldapd;	/* channel to the parent process */
int			 ldap_bind(struct request *req);
/* Finish a bind whose credential check completed elsewhere; ok is the
 * verdict (see struct auth_res).
 */
void			 ldap_bind_continue(struct conn *conn, int ok);
/* Access check: may conn perform the ACI_* rights in rights on dn within
 * ns, at the given scope? Presumably nonzero means allowed -- confirm.
 */
int			 authorized(struct conn *conn, struct namespace *ns,
				int rights, char *dn, int scope);
457 
/* parse.y */
int			 parse_config(char *filename);	/* fill in conf from filename */
int			 cmdline_symset(char *s);	/* "name=value" macro from the command line */
461 
/* log.c
 * All fmt arguments are printf-style format strings: pass untrusted data
 * (DNs, attribute values, peer input) only as %s arguments, never as fmt.
 */
void			 log_init(int);		/* nonzero selects stderr over syslog -- TODO confirm */
void			 log_verbose(int v);
void			 vlog(int, const char *, va_list);
void			 logit(int pri, const char *fmt, ...);
void			 log_warn(const char *, ...);	/* appends strerror(errno), presumably */
void			 log_warnx(const char *, ...);
void			 log_info(const char *, ...);
void			 log_debug(const char *, ...);
__dead void		 fatal(const char *);
__dead void		 fatalx(const char *);
/* Format the address in ss into buf (len bytes) and return buf. */
const char		*print_host(struct sockaddr_storage *ss, char *buf,
				size_t len);
/* Debug dumps; avoid calling these on credentials or key material. */
void			 hexdump(void *data, size_t len, const char *fmt, ...);
void			 ldap_debug_elements(struct ber_element *root,
			    int context, const char *fmt, ...);
478 
/* util.c */
/* snprintf into str (size bytes); the return value signals whether the
 * output fit rather than the length -- TODO confirm against util.c.
 */
int			 bsnprintf(char *str, size_t size,
				const char *format, ...);
/* Byte-string tests on a btree key (not NUL-terminated). */
int			 has_suffix(struct btval *key, const char *suffix);
int			 has_prefix(struct btval *key, const char *prefix);
void			 normalize_dn(char *dn);	/* normalizes in place */
/* Serialize/deserialize an entry; compression_level 0 disables
 * compression (see struct namespace).
 */
int			 ber2db(struct ber_element *root, struct btval *val,
			    int compression_level);
struct ber_element	*db2ber(struct btval *val, int compression_level);
488 
/* index.c -- maintain ns->indx_db for the entry stored under key dn. */
int			 index_entry(struct namespace *ns, struct btval *dn,
				struct ber_element *elm);
int			 unindex_entry(struct namespace *ns, struct btval *dn,
				struct ber_element *elm);
/* Recover the entry DN from an index key. */
int			 index_to_dn(struct namespace *ns, struct btval *indx,
				struct btval *dn);
496 
/* ssl.c */
void	 ssl_init(void);
void	 ssl_transaction(struct conn *);	/* drive the TLS handshake/IO state machine */

void	 ssl_session_init(struct conn *);
void	 ssl_session_destroy(struct conn *);
/* Load the certificate and key named by the string into conf->sc_ssl;
 * the u_int8_t argument carries F_SCERT-style flags.
 */
int	 ssl_load_certfile(struct ldapd_config *, const char *, u_int8_t);
void	 ssl_setup(struct ldapd_config *, struct listener *);
int	 ssl_cmp(struct ssl *, struct ssl *);	/* ordering for ssltree */
SPLAY_PROTOTYPE(ssltree, ssl, ssl_nodes, ssl_cmp);
507 
/* ssl_privsep.c
 * Install key/certificate material from an in-memory buffer (char * of
 * off_t bytes) into the opaque SSL context, so the process holding the
 * context never has to read the files itself.
 */
int	 ssl_ctx_use_private_key(void *, char *, off_t);
int	 ssl_ctx_use_certificate_chain(void *, char *, off_t);
511 
/* validate.c */
/* Check entry against the schema before it is stored; relax mirrors
 * namespace->relax (relaxed schema validation).
 */
int	validate_entry(const char *dn, struct ber_element *entry, int relax);
514 
515 #endif /* _LDAPD_H */
516 
517