mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-06 10:46:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

add (basic) support for {RADIUS} scheme; userPassword attributes prefixed with {RADIUS} are interpreted as RADIUS userids and authentication occurs contacting the configured RADIUS servers with that userid and the provided password (experimental; please report)

Browse Source
This commit is contained in:
Pierangelo Masarati 2006-05-12 12:03:05 +00:00
parent 4d46b8b747
commit f35a55398a
2 changed files with 132 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
contrib/slapd-modules/passwd/README
View File

@ -6,7 +6,7 @@ Public License.
This directory contains native slapd plugins for password mechanisms that This directory contains native slapd plugins for password mechanisms that
are not actively supported by the project. Currently this includes the are not actively supported by the project. Currently this includes the
Kerberos and Netscape MTA-MD5 password mechanisms. Kerberos, Netscape MTA-MD5 and RADIUS password mechanisms.
To use the Kerberos plugin, add: To use the Kerberos plugin, add:
@ -20,6 +20,15 @@ moduleload pw-netscape.so
to your slapd configuration file. to your slapd configuration file.
To use the RADIUS plugin, add:
moduleload pw-radius.so
to your slapd configuration file; optionally, the path to a configuration
file can be appended in the form
moduleload pw-radius.so config="/etc/radius.conf"
No Makefile is provided. Use a command line similar to: No Makefile is provided. Use a command line similar to:
gcc -shared -I../../../include -Wall -g -DHAVE_KRB5 -o pw-kerberos.so kerberos.c gcc -shared -I../../../include -Wall -g -DHAVE_KRB5 -o pw-kerberos.so kerberos.c
@ -32,3 +41,10 @@ The corresponding command for the Netscape plugin would be:
gcc -shared -I../../../include -Wall -g -o pw-netscape.so netscape.c gcc -shared -I../../../include -Wall -g -o pw-netscape.so netscape.c
The corresponding command for the RADIUS plugin would be:
gcc -shared -I../../../include -Wall -g -o pw-radius.so radius.c -lradius
(Actually, you might want to statically link the RADIUS client library
libradius.a into the module).

115
contrib/slapd-modules/passwd/radius.c Normal file
View File

@ -0,0 +1,115 @@
/* $OpenLDAP$ */
/*
* Copyright 1998-2006 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
#include <stdio.h>
#include <lber.h>
#include <lber_pvt.h> /* BER_BVC definition */
#include "lutil.h"
#include <ac/string.h>
#include <ac/unistd.h>
#include <radlib.h>
static LUTIL_PASSWD_CHK_FUNC chk_radius;
static const struct berval scheme = BER_BVC("{RADIUS}");
static char *config_filename;
static int
chk_radius(
const struct berval *sc,
const struct berval *passwd,
const struct berval *cred,
const char **text )
{
unsigned int i;
int rc = LUTIL_PASSWD_ERR;
struct rad_handle *h = NULL;
for ( i = 0; i < cred->bv_len; i++ ) {
if ( cred->bv_val[ i ] == '\0' ) {
return LUTIL_PASSWD_ERR; /* NUL character in cred */
}
}
if ( cred->bv_val[ i ] != '\0' ) {
return LUTIL_PASSWD_ERR; /* cred must behave like a string */
}
for ( i = 0; i < passwd->bv_len; i++ ) {
if ( passwd->bv_val[ i ] == '\0' ) {
return LUTIL_PASSWD_ERR; /* NUL character in password */
}
}
if ( passwd->bv_val[ i ] != '\0' ) {
return LUTIL_PASSWD_ERR; /* passwd must behave like a string */
}
h = rad_auth_open();
if ( h == NULL ) {
return LUTIL_PASSWD_ERR;
}
if ( config_filename ) {
if ( rad_config( h, config_filename ) != 0 ) {
goto done;
}
}
if ( rad_create_request( h, RAD_ACCESS_REQUEST ) ) {
goto done;
}
if ( rad_put_string( h, RAD_USER_NAME, passwd->bv_val ) != 0 ) {
goto done;
}
if ( rad_put_string( h, RAD_USER_PASSWORD, cred->bv_val ) != 0 ) {
goto done;
}
if ( rad_send_request( h ) == RAD_ACCESS_ACCEPT ) {
rc = LUTIL_PASSWD_OK;
}
done:;
rad_close( h );
return rc;
}
int
init_module( int argc, char *argv[] )
{
int i;
for ( i = 0; i < argc; i++ ) {
if ( strncasecmp( argv[ i ], "config=", STRLENOF( "config=" ) ) == 0 ) {
/* FIXME: what if multiple loads of same module?
* does it make sense (e.g. override an existing one)? */
if ( config_filename == NULL ) {
config_filename = ber_strdup( &argv[ i ][ STRLENOF( "config=" ) ] );
}
} else {
fprintf( stderr, "init_module(radius): unknown arg#%d=\"%s\".\n",
i, argv[ i ] );
return 1;
}
}
return lutil_passwd_add( (struct berval *)&scheme, chk_radius, NULL );
}