byterazor/qpsmtpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

auth_ldap: added logging

Browse Source 
whitespace changes (stinkin windows newline chars)
This commit is contained in:
Matt Simerson 2012-05-07 03:32:16 -04:00 committed by Robert
parent 35f26c23bb
commit 319391affe
1 changed files with 115 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

189
plugins/auth/auth_ldap_bind
View File

@ -78,115 +78,120 @@ Please see the LICENSE file included with qpsmtpd for details.
=cut =cut
use strict;
use warnings;
use Net::LDAP qw(:all);
use Qpsmtpd::Constants;
sub register { sub register {
my ( $self, $qp, @args ) = @_; my ($self, $qp, @args) = @_;
$self->register_hook( "auth-plain", "authldap" );
$self->register_hook( "auth-login", "authldap" );
# pull config defaults in from file $self->register_hook("auth-plain", "authldap");
%{ $self->{"ldconf"} } = map { (split /\s+/, $_, 2)[0,1] } $self->qp->config('ldap'); $self->register_hook("auth-login", "authldap");
# override ldap config defaults with plugin args # pull config defaults in from file
for my $ldap_arg (@args) { %{$self->{"ldconf"}} =
%{ $self->{"ldconf"} } = map { (split /\s+/, $_, 2)[0,1] } $ldap_arg; map { (split /\s+/, $_, 2)[0, 1] } $self->qp->config('ldap');
}
# do light validation of ldap_host and ldap_port to satisfy -T # override ldap config defaults with plugin args
my $ldhost = $self->{"ldconf"}->{'ldap_host'}; for my $ldap_arg (@args) {
my $ldport = $self->{"ldconf"}->{'ldap_port'}; %{$self->{"ldconf"}} = map { (split /\s+/, $_, 2)[0, 1] } $ldap_arg;
if (($ldhost) && ($ldhost =~ m/^(([a-z0-9]+\.?)+)$/)) { }
$self->{"ldconf"}->{'ldap_host'} = $1
} else {
undef $self->{"ldconf"}->{'ldap_host'};
}
if (($ldport) && ($ldport =~ m/^(\d+)$/)) {
$self->{"ldconf"}->{'ldap_port'} = $1
} else {
undef $self->{"ldconf"}->{'ldap_port'};
}
# set any values that are not already # do light validation of ldap_host and ldap_port to satisfy -T
$self->{"ldconf"}->{"ldap_host"} ||= "127.0.0.1"; my $ldhost = $self->{"ldconf"}->{'ldap_host'};
$self->{"ldconf"}->{"ldap_port"} ||= 389; my $ldport = $self->{"ldconf"}->{'ldap_port'};
$self->{"ldconf"}->{"ldap_timeout"} ||= 5; if (($ldhost) && ($ldhost =~ m/^(([a-z0-9]+\.?)+)$/)) {
$self->{"ldconf"}->{"ldap_auth_filter_attr"} ||= "uid"; $self->{"ldconf"}->{'ldap_host'} = $1;
}
else {
undef $self->{"ldconf"}->{'ldap_host'};
}
if (($ldport) && ($ldport =~ m/^(\d+)$/)) {
$self->{"ldconf"}->{'ldap_port'} = $1;
}
else {
undef $self->{"ldconf"}->{'ldap_port'};
}
# set any values that are not already
$self->{"ldconf"}->{"ldap_host"} ||= "127.0.0.1";
$self->{"ldconf"}->{"ldap_port"} ||= 389;
$self->{"ldconf"}->{"ldap_timeout"} ||= 5;
$self->{"ldconf"}->{"ldap_auth_filter_attr"} ||= "uid";
} }
sub authldap { sub authldap {
use Net::LDAP qw(:all); my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
use Qpsmtpd::Constants; @_;
my ($ldhost, $ldport, $ldwait, $ldbase, $ldmattr, $lduserdn, $ldh, $mesg);
my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket ) = # pull values in from config
@_; $ldhost = $self->{"ldconf"}->{"ldap_host"};
my ($ldhost, $ldport, $ldwait, $ldbase, $ldmattr, $lduserdn, $ldh, $mesg); $ldport = $self->{"ldconf"}->{"ldap_port"};
$ldbase = $self->{"ldconf"}->{"ldap_base"};
# pull values in from config # log error here and DECLINE if no baseDN, because a custom baseDN is required:
$ldhost = $self->{"ldconf"}->{"ldap_host"}; unless ($ldbase) {
$ldport = $self->{"ldconf"}->{"ldap_port"}; $self->log(LOGERROR, "skip: please configure ldap_base");
$ldbase = $self->{"ldconf"}->{"ldap_base"}; return (DECLINED, "authldap - temporary auth error");
};
$ldwait = $self->{"ldconf"}->{'ldap_timeout'};
$ldmattr = $self->{"ldconf"}->{'ldap_auth_filter_attr'};
# log error here and DECLINE if no baseDN, because a custom baseDN is required: my ($pw_name, $pw_domain) = split "@", lc($user);
unless ($ldbase) {
$self->log(LOGERROR, "authldap/$method - please configure ldap_base" ) &&
return ( DECLINED, "authldap/$method - temporary auth error" );
}
$ldwait = $self->{"ldconf"}->{'ldap_timeout'};
$ldmattr = $self->{"ldconf"}->{'ldap_auth_filter_attr'};
my ( $pw_name, $pw_domain ) = split "@", lc($user); # find dn of user matching supplied username
$ldh = Net::LDAP->new($ldhost, port => $ldport, timeout => $ldwait) or do {
$self->log(LOGALERT, "skip: error in initial conn");
return (DECLINED, "authldap - temporary auth error");
};
# find dn of user matching supplied username # find the user's DN
$ldh = Net::LDAP->new($ldhost, port=>$ldport, timeout=>$ldwait ) or $mesg = $ldh->search( base => $ldbase,
$self->log(LOGALERT, "authldap/$method - error in initial conn" ) && scope => 'sub',
return ( DECLINED, "authldap/$method - temporary auth error" ); filter => "$ldmattr=$pw_name",
attrs => ['uid'],
timeout => $ldwait,
sizelimit => '1'
) or do {
$self->log(LOGALERT, "skip: err in search for user");
return (DECLINED, "authldap - temporary auth error");
};
# find the user's DN # deal with errors if they exist
$mesg = $ldh->search( if ($mesg->code) {
base=>$ldbase, $self->log(LOGALERT, "skip: err " . $mesg->code . " in search for user");
scope=>'sub', return (DECLINED, "authldap - temporary auth error");
filter=>"$ldmattr=$pw_name",
attrs=>['uid'],
timeout=>$ldwait,
sizelimit=>'1') or
$self->log(LOGALERT, "authldap/$method - err in search for user" ) &&
return ( DECLINED, "authldap/$method - temporary auth error" );
# deal with errors if they exist
if ( $mesg->code ) {
$self->log(LOGALERT, "authldap/$method - err " . $mesg->code . " in search for user" );
return ( DECLINED, "authldap/$method - temporary auth error" );
}
# unbind, so as to allow a rebind below
$ldh->unbind if ($ldh);
# bind against directory as user with password supplied
if (($mesg->count) && ($lduserdn = $mesg->entry->dn)) {
$ldh = Net::LDAP->new($ldhost, port=>$ldport, timeout=>$ldwait ) or
$self->log(LOGALERT, "authldap/$method - err in user conn" ) &&
return ( DECLINED, "authldap/$method - temporary auth error" );
# here's the whole reason for the script
$mesg = $ldh->bind($lduserdn, password=>$passClear, timeout=>$ldwait);
$ldh->unbind if ($ldh);
# deal with errors if they exist, or allow success
if ( $mesg->code ) {
$self->log(LOGALERT, "authldap/$method - error in user bind" );
return ( DECLINED, "authldap/$method - wrong username or password" );
} else {
$self->log( LOGINFO, "authldap/$method - $user auth success" );
$self->log( LOGDEBUG, "authldap/$method - user: $user, pass: $passClear" );
return ( OK, "authldap/$method" );
} }
# if the plugin couldn't find user's entry # unbind, so as to allow a rebind below
} else { $ldh->unbind if $ldh;
$self->log(LOGALERT, "authldap/$method - user not found" ) &&
return ( DECLINED, "authldap/$method - wrong username or password" );
}
$ldh->disconnect; # bind against directory as user with password supplied
if ( ! $mesg->count || $lduserdn = $mesg->entry->dn ) {
$self->log(LOGALERT, "fail: user not found");
return (DECLINED, "authldap - wrong username or password");
};
$ldh = Net::LDAP->new($ldhost, port => $ldport, timeout => $ldwait) or do {
$self->log(LOGALERT, "skip: err in user conn");
return (DECLINED, "authldap - temporary auth error");
};
# here's the whole reason for the script
$mesg = $ldh->bind($lduserdn, password => $passClear, timeout => $ldwait);
$ldh->unbind if $ldh;
# deal with errors if they exist, or allow success
if ($mesg->code) {
$self->log(LOGALERT, "fail: error in user bind");
return (DECLINED, "authldap - wrong username or password");
}
$self->log(LOGINFO, "pass: $user auth success");
$self->log(LOGDEBUG, "user: $user, pass: $passClear");
return (OK, "authldap");
} }