auth_ldap: added logging
whitespace changes (stinkin windows newline chars)
This commit is contained in:
Matt Simerson
Robert
parent
35f26c23bb
commit
319391affe
@ -78,14 +78,21 @@ Please see the LICENSE file included with qpsmtpd for details.
|
|||||||
|
|
||||||
=cut
|
=cut
|
||||||
|
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
|
||||||
|
use Net::LDAP qw(:all);
|
||||||
|
use Qpsmtpd::Constants;
|
||||||
|
|
||||||
sub register {
|
sub register {
|
||||||
my ($self, $qp, @args) = @_;
|
my ($self, $qp, @args) = @_;
|
||||||
|
|
||||||
$self->register_hook("auth-plain", "authldap");
|
$self->register_hook("auth-plain", "authldap");
|
||||||
$self->register_hook("auth-login", "authldap");
|
$self->register_hook("auth-login", "authldap");
|
||||||
|
|
||||||
# pull config defaults in from file
|
# pull config defaults in from file
|
||||||
%{ $self->{"ldconf"} } = map { (split /\s+/, $_, 2)[0,1] } $self->qp->config('ldap');
|
%{$self->{"ldconf"}} =
|
||||||
|
map { (split /\s+/, $_, 2)[0, 1] } $self->qp->config('ldap');
|
||||||
|
|
||||||
# override ldap config defaults with plugin args
|
# override ldap config defaults with plugin args
|
||||||
for my $ldap_arg (@args) {
|
for my $ldap_arg (@args) {
|
||||||
@ -96,13 +103,15 @@ sub register {
|
|||||||
my $ldhost = $self->{"ldconf"}->{'ldap_host'};
|
my $ldhost = $self->{"ldconf"}->{'ldap_host'};
|
||||||
my $ldport = $self->{"ldconf"}->{'ldap_port'};
|
my $ldport = $self->{"ldconf"}->{'ldap_port'};
|
||||||
if (($ldhost) && ($ldhost =~ m/^(([a-z0-9]+\.?)+)$/)) {
|
if (($ldhost) && ($ldhost =~ m/^(([a-z0-9]+\.?)+)$/)) {
|
||||||
$self->{"ldconf"}->{'ldap_host'} = $1
|
$self->{"ldconf"}->{'ldap_host'} = $1;
|
||||||
} else {
|
}
|
||||||
|
else {
|
||||||
undef $self->{"ldconf"}->{'ldap_host'};
|
undef $self->{"ldconf"}->{'ldap_host'};
|
||||||
}
|
}
|
||||||
if (($ldport) && ($ldport =~ m/^(\d+)$/)) {
|
if (($ldport) && ($ldport =~ m/^(\d+)$/)) {
|
||||||
$self->{"ldconf"}->{'ldap_port'} = $1
|
$self->{"ldconf"}->{'ldap_port'} = $1;
|
||||||
} else {
|
}
|
||||||
|
else {
|
||||||
undef $self->{"ldconf"}->{'ldap_port'};
|
undef $self->{"ldconf"}->{'ldap_port'};
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -114,9 +123,6 @@ sub register {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub authldap {
|
sub authldap {
|
||||||
use Net::LDAP qw(:all);
|
|
||||||
use Qpsmtpd::Constants;
|
|
||||||
|
|
||||||
my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
|
my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
|
||||||
@_;
|
@_;
|
||||||
my ($ldhost, $ldport, $ldwait, $ldbase, $ldmattr, $lduserdn, $ldh, $mesg);
|
my ($ldhost, $ldport, $ldwait, $ldbase, $ldmattr, $lduserdn, $ldh, $mesg);
|
||||||
@ -128,65 +134,64 @@ sub authldap {
|
|||||||
|
|
||||||
# log error here and DECLINE if no baseDN, because a custom baseDN is required:
|
# log error here and DECLINE if no baseDN, because a custom baseDN is required:
|
||||||
unless ($ldbase) {
|
unless ($ldbase) {
|
||||||
$self->log(LOGERROR, "authldap/$method - please configure ldap_base" ) &&
|
$self->log(LOGERROR, "skip: please configure ldap_base");
|
||||||
return ( DECLINED, "authldap/$method - temporary auth error" );
|
return (DECLINED, "authldap - temporary auth error");
|
||||||
}
|
};
|
||||||
$ldwait = $self->{"ldconf"}->{'ldap_timeout'};
|
$ldwait = $self->{"ldconf"}->{'ldap_timeout'};
|
||||||
$ldmattr = $self->{"ldconf"}->{'ldap_auth_filter_attr'};
|
$ldmattr = $self->{"ldconf"}->{'ldap_auth_filter_attr'};
|
||||||
|
|
||||||
my ($pw_name, $pw_domain) = split "@", lc($user);
|
my ($pw_name, $pw_domain) = split "@", lc($user);
|
||||||
|
|
||||||
# find dn of user matching supplied username
|
# find dn of user matching supplied username
|
||||||
$ldh = Net::LDAP->new($ldhost, port=>$ldport, timeout=>$ldwait ) or
|
$ldh = Net::LDAP->new($ldhost, port => $ldport, timeout => $ldwait) or do {
|
||||||
$self->log(LOGALERT, "authldap/$method - error in initial conn" ) &&
|
$self->log(LOGALERT, "skip: error in initial conn");
|
||||||
return ( DECLINED, "authldap/$method - temporary auth error" );
|
return (DECLINED, "authldap - temporary auth error");
|
||||||
|
};
|
||||||
|
|
||||||
# find the user's DN
|
# find the user's DN
|
||||||
$mesg = $ldh->search(
|
$mesg = $ldh->search( base => $ldbase,
|
||||||
base=>$ldbase,
|
|
||||||
scope => 'sub',
|
scope => 'sub',
|
||||||
filter => "$ldmattr=$pw_name",
|
filter => "$ldmattr=$pw_name",
|
||||||
attrs => ['uid'],
|
attrs => ['uid'],
|
||||||
timeout => $ldwait,
|
timeout => $ldwait,
|
||||||
sizelimit=>'1') or
|
sizelimit => '1'
|
||||||
$self->log(LOGALERT, "authldap/$method - err in search for user" ) &&
|
) or do {
|
||||||
return ( DECLINED, "authldap/$method - temporary auth error" );
|
$self->log(LOGALERT, "skip: err in search for user");
|
||||||
|
return (DECLINED, "authldap - temporary auth error");
|
||||||
|
};
|
||||||
|
|
||||||
# deal with errors if they exist
|
# deal with errors if they exist
|
||||||
if ($mesg->code) {
|
if ($mesg->code) {
|
||||||
$self->log(LOGALERT, "authldap/$method - err " . $mesg->code . " in search for user" );
|
$self->log(LOGALERT, "skip: err " . $mesg->code . " in search for user");
|
||||||
return ( DECLINED, "authldap/$method - temporary auth error" );
|
return (DECLINED, "authldap - temporary auth error");
|
||||||
}
|
}
|
||||||
|
|
||||||
# unbind, so as to allow a rebind below
|
# unbind, so as to allow a rebind below
|
||||||
$ldh->unbind if ($ldh);
|
$ldh->unbind if $ldh;
|
||||||
|
|
||||||
# bind against directory as user with password supplied
|
# bind against directory as user with password supplied
|
||||||
if (($mesg->count) && ($lduserdn = $mesg->entry->dn)) {
|
if ( ! $mesg->count || $lduserdn = $mesg->entry->dn ) {
|
||||||
$ldh = Net::LDAP->new($ldhost, port=>$ldport, timeout=>$ldwait ) or
|
$self->log(LOGALERT, "fail: user not found");
|
||||||
$self->log(LOGALERT, "authldap/$method - err in user conn" ) &&
|
return (DECLINED, "authldap - wrong username or password");
|
||||||
return ( DECLINED, "authldap/$method - temporary auth error" );
|
};
|
||||||
|
|
||||||
|
$ldh = Net::LDAP->new($ldhost, port => $ldport, timeout => $ldwait) or do {
|
||||||
|
$self->log(LOGALERT, "skip: err in user conn");
|
||||||
|
return (DECLINED, "authldap - temporary auth error");
|
||||||
|
};
|
||||||
|
|
||||||
# here's the whole reason for the script
|
# here's the whole reason for the script
|
||||||
$mesg = $ldh->bind($lduserdn, password => $passClear, timeout => $ldwait);
|
$mesg = $ldh->bind($lduserdn, password => $passClear, timeout => $ldwait);
|
||||||
$ldh->unbind if ($ldh);
|
$ldh->unbind if $ldh;
|
||||||
|
|
||||||
# deal with errors if they exist, or allow success
|
# deal with errors if they exist, or allow success
|
||||||
if ($mesg->code) {
|
if ($mesg->code) {
|
||||||
$self->log(LOGALERT, "authldap/$method - error in user bind" );
|
$self->log(LOGALERT, "fail: error in user bind");
|
||||||
return ( DECLINED, "authldap/$method - wrong username or password" );
|
return (DECLINED, "authldap - wrong username or password");
|
||||||
} else {
|
|
||||||
$self->log( LOGINFO, "authldap/$method - $user auth success" );
|
|
||||||
$self->log( LOGDEBUG, "authldap/$method - user: $user, pass: $passClear" );
|
|
||||||
return ( OK, "authldap/$method" );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# if the plugin couldn't find user's entry
|
$self->log(LOGINFO, "pass: $user auth success");
|
||||||
} else {
|
$self->log(LOGDEBUG, "user: $user, pass: $passClear");
|
||||||
$self->log(LOGALERT, "authldap/$method - user not found" ) &&
|
return (OK, "authldap");
|
||||||
return ( DECLINED, "authldap/$method - wrong username or password" );
|
|
||||||
}
|
|
||||||
|
|
||||||
$ldh->disconnect;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user