liquid_feedback_frontend
changeset 1640:15bde6a79d41
Added TLS support for LDAP
author | bsw |
---|---|
date | Tue Feb 09 17:40:50 2021 +0100 (2021-02-09) |
parents | 0f42dbf74270 |
children | ab837b075cf7 45287f1037fb |
files | env/ldap/bind.lua lib/mldap/mldap.c |
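--- a/env/ldap/bind.lua
+++ b/env/ldap/bind.lua
@@ -30,6 +30,7 @@
   local err, errno
   ldap, err, errno = libldap.bind{
     uri = host.uri,
+    tls = host.tls,
     timeout = host.timeout,
     who = dn,
     password = password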
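--- a/lib/mldap/mldap.c
+++ b/lib/mldap/mldap.c
@@ -151,6 +151,51 @@
 }
 
 
+static bool mldap_get_named_boolean_arg(
+  // gets a named argument of type "boolean" from a table at the given stack position
+
+  lua_State *L,         // pointer to lua_State variable
+  int idx,              // stack index of the table containing the named arguments
+  const char *argname,  // name of the argument
+  int mandatory,        // if not 0, then the argument is mandatory and an error is raised if it isn't found
+  bool default_value    // default value to return, if the argument is not mandatory and nil
+
+  // opposed to 'mldap_get_named_string_arg', this function leaves no element on the stack
+) {
+
+  bool value;  // value to return
+
+  // pushes the table entry with the given argument name on top of the stack:
+  lua_getfield(L, idx, argname);
+
+  // check, if the entry is nil:
+  if (lua_isnil(L, -1)) {
+
+    // throw error, if named argument is mandatory:
+    if (mandatory) return luaL_error(L, "Named argument '%s' missing", argname), 0;
+
+    // set default value as return value, if named argument is not mandatory:
+    value = default_value;
+
+  } else {
+
+    // throw error, if the value of the argument is not a number:
+    if (lua_type(L, -1) != LUA_TBOOLEAN) return luaL_error(L, "Named argument '%s' is not a boolean", argname), 0;
+
+    // set return value to the number:
+    value = lua_toboolean(L, -1);
+
+  }
+
+  // remove unnecessary element from stack (not needed to avoid garbage collection):
+  lua_pop(L, 1);
+
+  return value;
+
+  // leaves no new elements on the stack
+}
+
+
 static int mldap_scope(
 // converts a string ("base", "onelevel", "subtree", "children") to an integer representing the LDAP scope
 // and throws an error for any unknown string
@@ -183,9 +228,11 @@
   // "who"      (string)  DN to bind as
   // "password" (string)  password for DN to bind as
   // "timeout"  (number)  timeout in seconds
+  // "tls"      (boolean) use TLS
 
   static const int ldap_version = LDAP_VERSION3;  // providing a pointer (&ldap_version) to set LDAP protocol version 3
   const char *uri;  // C string for "uri" argument
+  bool tls;  // boolean indicating if TLS is to be used
   const char *who;  // C string for "who" argument
   struct berval cred;  // credentials ("password") are stored as struct berval
   lua_Number timeout_float;  // float (lua_Number) for timeout
@@ -201,6 +248,7 @@
 
   // extract arguments:
   uri = mldap_get_named_string_arg(L, 1, "uri", true);
+  tls = mldap_get_named_boolean_arg(L, 1, "tls", false, false);
   who = mldap_get_named_string_arg(L, 1, "who", false);
   cred.bv_val = (char *)mldap_get_named_string_arg(L, 1, "password", false);
   // use (char *) cast to suppress compiler warning (should be const anyway)
@@ -225,6 +273,12 @@
   // on error, jump to label "mldap_queryconn_error2", as ldap_unbind_ext_s() must be called:
   if (ldap_error != LDAP_SUCCESS) goto mldap_queryconn_error2;
 
+  // initiate TLS if requested
+  if (tls) {
+    ldap_error = ldap_start_tls_s(ldp, NULL, NULL);
+    if (ldap_error != LDAP_SUCCESS) goto mldap_queryconn_error2;
+  }
+
   // connect to LDAP server:
   ldap_error = ldap_sasl_bind_s(
     ldp,  // pointer to opaque OpenLDAP structure representing the connection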
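Review bot: The StartTLS step at 2.81 calls `ldap_start_tls_s(ldp, NULL, NULL)` without setting any certificate-verification option on the handle, so whether the server certificate is actually checked is decided by the process's ldap.conf/environment (`TLS_REQCERT`) rather than by this code, and the Lua caller has no way to see or control it; consider setting `LDAP_OPT_X_TLS_REQUIRE_CERT` on `ldp` before the call, or at least documenting at 2.59 that verification follows the system ldap.conf. Since this is StartTLS on an already-opened connection, passing `tls = true` together with an `ldaps://` URI will presumably fail at the same call, so the option comment could read `// "tls" (boolean) upgrade a plain ldap:// connection with StartTLS`. The comments at 2.35 and 2.38 still say "number" although the code tests for `LUA_TBOOLEAN` and reads `lua_toboolean`; `// throw error, if the value of the argument is not a boolean:` and `// set return value to the boolean:` would match. The function enclosing the last hunk starts and ends outside the hunk.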