ISC DHCP  4.4.2-P1
A reference DHCPv4 and DHCPv6 implementation
ldap.c
Go to the documentation of this file.
1 /* ldap.c
2 
3  Routines for reading the configuration from LDAP */
4 
5 /*
6  * Copyright (c) 2010-2019 by Internet Systems Consortium, Inc. ("ISC")
7  * Copyright (c) 2003-2006 Ntelos, Inc.
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  *
14  * 1. Redistributions of source code must retain the above copyright
15  * notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  * notice, this list of conditions and the following disclaimer in the
18  * documentation and/or other materials provided with the distribution.
19  * 3. Neither the name of The Internet Software Consortium nor the names
20  * of its contributors may be used to endorse or promote products derived
21  * from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
24  * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
25  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
26  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
27  * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
28  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
30  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
31  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
32  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
33  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
34  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35  * SUCH DAMAGE.
36  *
37  * This LDAP module was written by Brian Masney <masneyb@ntelos.net>. Its
38  * development was sponsored by Ntelos, Inc. (www.ntelos.com).
39  */
40 
41 #include "dhcpd.h"
42 #if defined(LDAP_CONFIGURATION)
43 #include <signal.h>
44 #include <errno.h>
45 #include <ctype.h>
46 #include <netdb.h>
47 #include <net/if.h>
48 #if defined(HAVE_IFADDRS_H)
49 #include <ifaddrs.h>
50 #endif
51 #include <string.h>
52 
53 #if defined(LDAP_CASA_AUTH)
54 #include "ldap_casa.h"
55 #endif
56 
57 #if defined(LDAP_USE_GSSAPI)
58 #include <sasl/sasl.h>
59 #include "ldap_krb_helper.h"
60 #endif
61 
62 static LDAP * ld = NULL;
63 static char *ldap_server = NULL,
64  *ldap_username = NULL,
65  *ldap_password = NULL,
66  *ldap_base_dn = NULL,
67  *ldap_dhcp_server_cn = NULL,
68  *ldap_debug_file = NULL;
69 static int ldap_port = LDAP_PORT,
70  ldap_method = LDAP_METHOD_DYNAMIC,
71  ldap_referrals = -1,
72  ldap_debug_fd = -1,
73  ldap_enable_retry = -1,
74  ldap_init_retry = -1;
75 #if defined (LDAP_USE_SSL)
76 static int ldap_use_ssl = -1, /* try TLS if possible */
77  ldap_tls_reqcert = -1,
78  ldap_tls_crlcheck = -1;
79 static char *ldap_tls_ca_file = NULL,
80  *ldap_tls_ca_dir = NULL,
81  *ldap_tls_cert = NULL,
82  *ldap_tls_key = NULL,
83  *ldap_tls_ciphers = NULL,
84  *ldap_tls_randfile = NULL;
85 #endif
86 
87 #if defined (LDAP_USE_GSSAPI)
88 static char *ldap_gssapi_keytab = NULL,
89  *ldap_gssapi_principal = NULL;
90 
91 struct ldap_sasl_instance {
92  char *sasl_mech;
93  char *sasl_realm;
94  char *sasl_authz_id;
95  char *sasl_authc_id;
96  char *sasl_password;
97 };
98 
99 static struct ldap_sasl_instance *ldap_sasl_inst = NULL;
100 
101 static int
102 _ldap_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *sin) ;
103 #endif
104 
105 static struct ldap_config_stack *ldap_stack = NULL;
106 
107 typedef struct ldap_dn_node {
108  struct ldap_dn_node *next;
109  size_t refs;
110  char *dn;
111 } ldap_dn_node;
112 
113 static ldap_dn_node *ldap_service_dn_head = NULL;
114 static ldap_dn_node *ldap_service_dn_tail = NULL;
115 
116 static int ldap_read_function (struct parse *cfile);
117 
118 static struct parse *
119 x_parser_init(const char *name)
120 {
121  struct parse *cfile;
122  isc_result_t res;
123  char *inbuf;
124 
125  inbuf = dmalloc (LDAP_BUFFER_SIZE, MDL);
126  if (inbuf == NULL)
127  return NULL;
128 
129  cfile = (struct parse *) NULL;
130  res = new_parse (&cfile, -1, inbuf, LDAP_BUFFER_SIZE, name, 0);
131  if (res != ISC_R_SUCCESS)
132  {
133  dfree(inbuf, MDL);
134  return NULL;
135  }
136  /* the buffer is still empty */
137  cfile->bufsiz = LDAP_BUFFER_SIZE;
138  cfile->buflen = cfile->bufix = 0;
139  /* attach ldap read function */
140  cfile->read_function = ldap_read_function;
141  return cfile;
142 }
143 
144 static isc_result_t
145 x_parser_free(struct parse **cfile)
146 {
147  if (cfile && *cfile)
148  {
149  if ((*cfile)->inbuf)
150  dfree((*cfile)->inbuf, MDL);
151  (*cfile)->inbuf = NULL;
152  (*cfile)->bufsiz = 0;
153  return end_parse(cfile);
154  }
155  return ISC_R_SUCCESS;
156 }
157 
158 static int
159 x_parser_resize(struct parse *cfile, size_t len)
160 {
161  size_t size;
162  char * temp;
163 
164  /* grow by len rounded up at LDAP_BUFFER_SIZE */
165  size = cfile->bufsiz + (len | (LDAP_BUFFER_SIZE-1)) + 1;
166 
167  /* realloc would be better, but there isn't any */
168  if ((temp = dmalloc (size, MDL)) != NULL)
169  {
170 #if defined (DEBUG_LDAP)
171  log_info ("Reallocated %s buffer from %zu to %zu",
172  cfile->tlname, cfile->bufsiz, size);
173 #endif
174  memcpy(temp, cfile->inbuf, cfile->bufsiz);
175  dfree(cfile->inbuf, MDL);
176  cfile->inbuf = temp;
177  cfile->bufsiz = size;
178  return 1;
179  }
180 
181  /*
182  * Hmm... what is worser, consider it as fatal error and
183  * bail out completely or discard config data in hope it
184  * is "only" an option in dynamic host lookup?
185  */
186  log_error("Unable to reallocated %s buffer from %zu to %zu",
187  cfile->tlname, cfile->bufsiz, size);
188  return 0;
189 }
190 
191 static char *
192 x_parser_strcat(struct parse *cfile, const char *str)
193 {
194  size_t cur = strlen(cfile->inbuf);
195  size_t len = strlen(str);
196  size_t cnt;
197 
198  if (cur + len >= cfile->bufsiz && !x_parser_resize(cfile, len))
199  return NULL;
200 
201  cnt = cfile->bufsiz > cur ? cfile->bufsiz - cur - 1 : 0;
202  return strncat(cfile->inbuf, str, cnt);
203 }
204 
205 static inline void
206 x_parser_reset(struct parse *cfile)
207 {
208  cfile->inbuf[0] = '\0';
209  cfile->bufix = cfile->buflen = 0;
210 }
211 
212 static inline size_t
213 x_parser_length(struct parse *cfile)
214 {
215  cfile->buflen = strlen(cfile->inbuf);
216  return cfile->buflen;
217 }
218 
219 static char *
220 x_strxform(char *dst, const char *src, size_t dst_size,
221  int (*xform)(int))
222 {
223  if(dst && src && dst_size)
224  {
225  size_t len, pos;
226 
227  len = strlen(src);
228  for(pos=0; pos < len && pos + 1 < dst_size; pos++)
229  dst[pos] = xform((int)src[pos]);
230  dst[pos] = '\0';
231 
232  return dst;
233  }
234  return NULL;
235 }
236 
237 static int
238 get_host_entry(char *fqdnname, size_t fqdnname_size,
239  char *hostaddr, size_t hostaddr_size)
240 {
241 #if defined(MAXHOSTNAMELEN)
242  char hname[MAXHOSTNAMELEN+1];
243 #else
244  char hname[65];
245 #endif
246  struct hostent *hp;
247 
248  if (NULL == fqdnname || 1 >= fqdnname_size)
249  return -1;
250 
251  memset(hname, 0, sizeof(hname));
252  if (gethostname(hname, sizeof(hname)-1))
253  return -1;
254 
255  if (NULL == (hp = gethostbyname(hname)))
256  return -1;
257 
258  strncpy(fqdnname, hp->h_name, fqdnname_size-1);
259  fqdnname[fqdnname_size-1] = '\0';
260 
261  if (hostaddr != NULL)
262  {
263  if (hp->h_addr != NULL)
264  {
265  struct in_addr *aptr = (struct in_addr *)hp->h_addr;
266 #if defined(HAVE_INET_NTOP)
267  if (hostaddr_size >= INET_ADDRSTRLEN &&
268  inet_ntop(AF_INET, aptr, hostaddr, hostaddr_size) != NULL)
269  {
270  return 0;
271  }
272 #else
273  char *astr = inet_ntoa(*aptr);
274  size_t alen = strlen(astr);
275  if (astr && alen > 0 && hostaddr_size > alen)
276  {
277  strncpy(hostaddr, astr, hostaddr_size-1);
278  hostaddr[hostaddr_size-1] = '\0';
279  return 0;
280  }
281 #endif
282  }
283  return -1;
284  }
285  return 0;
286 }
287 
288 #if defined(HAVE_IFADDRS_H)
289 static int
290 is_iface_address(struct ifaddrs *addrs, struct in_addr *addr)
291 {
292  struct ifaddrs *ia;
293  struct sockaddr_in *sa;
294  int num = 0;
295 
296  if(addrs == NULL || addr == NULL)
297  return -1;
298 
299  for (ia = addrs; ia != NULL; ia = ia->ifa_next)
300  {
301  ++num;
302  if (ia->ifa_addr && (ia->ifa_flags & IFF_UP) &&
303  ia->ifa_addr->sa_family == AF_INET)
304  {
305  sa = (struct sockaddr_in *)(ia->ifa_addr);
306  if (addr->s_addr == sa->sin_addr.s_addr)
307  return num;
308  }
309  }
310  return 0;
311 }
312 
313 static int
314 get_host_address(const char *hostname, char *hostaddr, size_t hostaddr_size, struct ifaddrs *addrs)
315 {
316  if (hostname && *hostname && hostaddr && hostaddr_size)
317  {
318  struct in_addr addr;
319 
320 #if defined(HAVE_INET_PTON)
321  if (inet_pton(AF_INET, hostname, &addr) == 1)
322 #else
323  if (inet_aton(hostname, &addr) != 0)
324 #endif
325  {
326  /* it is already IP address string */
327  if(strlen(hostname) < hostaddr_size)
328  {
329  strncpy(hostaddr, hostname, hostaddr_size-1);
330  hostaddr[hostaddr_size-1] = '\0';
331 
332  if (addrs != NULL && is_iface_address (addrs, &addr) > 0)
333  return 1;
334  else
335  return 0;
336  }
337  }
338  else
339  {
340  struct hostent *hp;
341  if ((hp = gethostbyname(hostname)) != NULL && hp->h_addr != NULL)
342  {
343  struct in_addr *aptr = (struct in_addr *)hp->h_addr;
344  int mret = 0;
345 
346  if (addrs != NULL)
347  {
348  char **h;
349  for (h=hp->h_addr_list; *h; h++)
350  {
351  struct in_addr *haddr = (struct in_addr *)*h;
352  if (is_iface_address (addrs, haddr) > 0)
353  {
354  aptr = haddr;
355  mret = 1;
356  }
357  }
358  }
359 
360 #if defined(HAVE_INET_NTOP)
361  if (hostaddr_size >= INET_ADDRSTRLEN &&
362  inet_ntop(AF_INET, aptr, hostaddr, hostaddr_size) != NULL)
363  {
364  return mret;
365  }
366 #else
367  char *astr = inet_ntoa(*aptr);
368  size_t alen = strlen(astr);
369  if (astr && alen > 0 && alen < hostaddr_size)
370  {
371  strncpy(hostaddr, astr, hostaddr_size-1);
372  hostaddr[hostaddr_size-1] = '\0';
373  return mret;
374  }
375 #endif
376  }
377  }
378  }
379  return -1;
380 }
381 #endif /* HAVE_IFADDRS_H */
382 
383 static void
384 ldap_parse_class (struct ldap_config_stack *item, struct parse *cfile)
385 {
386  struct berval **tempbv;
387 
388  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
389  tempbv[0] == NULL)
390  {
391  if (tempbv != NULL)
392  ldap_value_free_len (tempbv);
393 
394  return;
395  }
396 
397  x_parser_strcat (cfile, "class \"");
398  x_parser_strcat (cfile, tempbv[0]->bv_val);
399  x_parser_strcat (cfile, "\" {\n");
400 
401  item->close_brace = 1;
402  ldap_value_free_len (tempbv);
403 }
404 
405 static int
406 is_hex_string(const char *str)
407 {
408  int colon = 1;
409  int xdigit = 0;
410  size_t i;
411 
412  if (!str)
413  return 0;
414 
415  if (*str == '-')
416  str++;
417 
418  for (i=0; str[i]; ++i)
419  {
420  if (str[i] == ':')
421  {
422  xdigit = 0;
423  if(++colon > 1)
424  return 0;
425  }
426  else if(isxdigit((unsigned char)str[i]))
427  {
428  colon = 0;
429  if (++xdigit > 2)
430  return 0;
431  }
432  else
433  return 0;
434  }
435  return i > 0 && !colon;
436 }
437 
438 static void
439 ldap_parse_subclass (struct ldap_config_stack *item, struct parse *cfile)
440 {
441  struct berval **tempbv, **classdata;
442  char *tmp;
443 
444  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
445  tempbv[0] == NULL)
446  {
447  if (tempbv != NULL)
448  ldap_value_free_len (tempbv);
449 
450  return;
451  }
452 
453  if ((classdata = ldap_get_values_len (ld, item->ldent,
454  "dhcpClassData")) == NULL ||
455  classdata[0] == NULL)
456  {
457  if (classdata != NULL)
458  ldap_value_free_len (classdata);
459  ldap_value_free_len (tempbv);
460 
461  return;
462  }
463 
464  x_parser_strcat (cfile, "subclass \"");
465  x_parser_strcat (cfile, classdata[0]->bv_val);
466  if (is_hex_string(tempbv[0]->bv_val))
467  {
468  x_parser_strcat (cfile, "\" ");
469  x_parser_strcat (cfile, tempbv[0]->bv_val);
470  x_parser_strcat (cfile, " {\n");
471  }
472  else
473  {
474  tmp = quotify_string(tempbv[0]->bv_val, MDL);
475  x_parser_strcat (cfile, "\" \"");
476  x_parser_strcat (cfile, tmp);
477  x_parser_strcat (cfile, "\" {\n");
478  dfree(tmp, MDL);
479  }
480 
481  item->close_brace = 1;
482  ldap_value_free_len (tempbv);
483  ldap_value_free_len (classdata);
484 }
485 
486 
487 static void
488 ldap_parse_host (struct ldap_config_stack *item, struct parse *cfile)
489 {
490  struct berval **tempbv, **hwaddr;
491 
492  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
493  tempbv[0] == NULL)
494  {
495  if (tempbv != NULL)
496  ldap_value_free_len (tempbv);
497 
498  return;
499  }
500 
501  hwaddr = ldap_get_values_len (ld, item->ldent, "dhcpHWAddress");
502 
503  x_parser_strcat (cfile, "host ");
504  x_parser_strcat (cfile, tempbv[0]->bv_val);
505  x_parser_strcat (cfile, " {\n");
506 
507  if (hwaddr != NULL)
508  {
509  if (hwaddr[0] != NULL)
510  {
511  x_parser_strcat (cfile, "hardware ");
512  x_parser_strcat (cfile, hwaddr[0]->bv_val);
513  x_parser_strcat (cfile, ";\n");
514  }
515  ldap_value_free_len (hwaddr);
516  }
517 
518  item->close_brace = 1;
519  ldap_value_free_len (tempbv);
520 }
521 
522 
523 static void
524 ldap_parse_shared_network (struct ldap_config_stack *item, struct parse *cfile)
525 {
526  struct berval **tempbv;
527 
528  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
529  tempbv[0] == NULL)
530  {
531  if (tempbv != NULL)
532  ldap_value_free_len (tempbv);
533 
534  return;
535  }
536 
537  x_parser_strcat (cfile, "shared-network \"");
538  x_parser_strcat (cfile, tempbv[0]->bv_val);
539  x_parser_strcat (cfile, "\" {\n");
540 
541  item->close_brace = 1;
542  ldap_value_free_len (tempbv);
543 }
544 
545 
546 static void
547 parse_netmask (int netmask, char *netmaskbuf)
548 {
549  unsigned long nm;
550  int i;
551 
552  nm = 0;
553  for (i=1; i <= netmask; i++)
554  {
555  nm |= 1 << (32 - i);
556  }
557 
558  sprintf (netmaskbuf, "%d.%d.%d.%d", (int) (nm >> 24) & 0xff,
559  (int) (nm >> 16) & 0xff,
560  (int) (nm >> 8) & 0xff,
561  (int) nm & 0xff);
562 }
563 
564 
565 static void
566 ldap_parse_subnet (struct ldap_config_stack *item, struct parse *cfile)
567 {
568  struct berval **tempbv, **netmaskstr;
569  char netmaskbuf[sizeof("255.255.255.255")];
570  int i;
571 
572  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
573  tempbv[0] == NULL)
574  {
575  if (tempbv != NULL)
576  ldap_value_free_len (tempbv);
577 
578  return;
579  }
580 
581  if ((netmaskstr = ldap_get_values_len (ld, item->ldent,
582  "dhcpNetmask")) == NULL ||
583  netmaskstr[0] == NULL)
584  {
585  if (netmaskstr != NULL)
586  ldap_value_free_len (netmaskstr);
587  ldap_value_free_len (tempbv);
588 
589  return;
590  }
591 
592  x_parser_strcat (cfile, "subnet ");
593  x_parser_strcat (cfile, tempbv[0]->bv_val);
594 
595  x_parser_strcat (cfile, " netmask ");
596  parse_netmask (strtol (netmaskstr[0]->bv_val, NULL, 10), netmaskbuf);
597  x_parser_strcat (cfile, netmaskbuf);
598 
599  x_parser_strcat (cfile, " {\n");
600 
601  ldap_value_free_len (tempbv);
602  ldap_value_free_len (netmaskstr);
603 
604  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
605  {
606  for (i=0; tempbv[i] != NULL; i++)
607  {
608  x_parser_strcat (cfile, "range");
609  x_parser_strcat (cfile, " ");
610  x_parser_strcat (cfile, tempbv[i]->bv_val);
611  x_parser_strcat (cfile, ";\n");
612  }
613  ldap_value_free_len (tempbv);
614  }
615 
616  item->close_brace = 1;
617 }
618 
619 static void
620 ldap_parse_subnet6 (struct ldap_config_stack *item, struct parse *cfile)
621 {
622  struct berval **tempbv;
623  int i;
624 
625  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
626  tempbv[0] == NULL)
627  {
628  if (tempbv != NULL)
629  ldap_value_free_len (tempbv);
630 
631  return;
632  }
633 
634  x_parser_strcat (cfile, "subnet6 ");
635  x_parser_strcat (cfile, tempbv[0]->bv_val);
636 
637  x_parser_strcat (cfile, " {\n");
638 
639  ldap_value_free_len (tempbv);
640 
641  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange6")) != NULL)
642  {
643  for (i=0; tempbv[i] != NULL; i++)
644  {
645  x_parser_strcat (cfile, "range6");
646  x_parser_strcat (cfile, " ");
647  x_parser_strcat (cfile, tempbv[i]->bv_val);
648  x_parser_strcat (cfile, ";\n");
649  }
650  ldap_value_free_len (tempbv);
651  }
652 
653  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpPermitList")) != NULL)
654  {
655  for (i=0; tempbv[i] != NULL; i++)
656  {
657  x_parser_strcat (cfile, tempbv[i]->bv_val);
658  x_parser_strcat (cfile, ";\n");
659  }
660  ldap_value_free_len (tempbv);
661  }
662 
663  item->close_brace = 1;
664 }
665 
666 static void
667 ldap_parse_pool (struct ldap_config_stack *item, struct parse *cfile)
668 {
669  struct berval **tempbv;
670  int i;
671 
672  x_parser_strcat (cfile, "pool {\n");
673 
674  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange")) != NULL)
675  {
676  x_parser_strcat (cfile, "range");
677  for (i=0; tempbv[i] != NULL; i++)
678  {
679  x_parser_strcat (cfile, " ");
680  x_parser_strcat (cfile, tempbv[i]->bv_val);
681  }
682  x_parser_strcat (cfile, ";\n");
683  ldap_value_free_len (tempbv);
684  }
685 
686  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpPermitList")) != NULL)
687  {
688  for (i=0; tempbv[i] != NULL; i++)
689  {
690  x_parser_strcat (cfile, tempbv[i]->bv_val);
691  x_parser_strcat (cfile, ";\n");
692  }
693  ldap_value_free_len (tempbv);
694  }
695 
696  item->close_brace = 1;
697 }
698 
699 static void
700 ldap_parse_pool6 (struct ldap_config_stack *item, struct parse *cfile)
701 {
702  struct berval **tempbv;
703  int i;
704 
705  x_parser_strcat (cfile, "pool6 {\n");
706 
707  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpRange6")) != NULL)
708  {
709  x_parser_strcat (cfile, "range6");
710  for (i=0; tempbv[i] != NULL; i++)
711  {
712  x_parser_strcat (cfile, " ");
713  x_parser_strcat (cfile, tempbv[i]->bv_val);
714  }
715  x_parser_strcat (cfile, ";\n");
716  ldap_value_free_len (tempbv);
717  }
718 
719  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpPermitList")) != NULL)
720  {
721  for (i=0; tempbv[i] != NULL; i++)
722  {
723  x_parser_strcat(cfile, tempbv[i]->bv_val);
724  x_parser_strcat (cfile, ";\n");
725  }
726  ldap_value_free_len (tempbv);
727  }
728 
729  item->close_brace = 1;
730 }
731 
732 static void
733 ldap_parse_group (struct ldap_config_stack *item, struct parse *cfile)
734 {
735  x_parser_strcat (cfile, "group {\n");
736  item->close_brace = 1;
737 }
738 
739 
740 static void
741 ldap_parse_key (struct ldap_config_stack *item, struct parse *cfile)
742 {
743  struct berval **tempbv;
744 
745  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) != NULL)
746  {
747  x_parser_strcat (cfile, "key ");
748  x_parser_strcat (cfile, tempbv[0]->bv_val);
749  x_parser_strcat (cfile, " {\n");
750  ldap_value_free_len (tempbv);
751  }
752 
753  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpKeyAlgorithm")) != NULL)
754  {
755  x_parser_strcat (cfile, "algorithm ");
756  x_parser_strcat (cfile, tempbv[0]->bv_val);
757  x_parser_strcat (cfile, ";\n");
758  ldap_value_free_len (tempbv);
759  }
760 
761  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpKeySecret")) != NULL)
762  {
763  x_parser_strcat (cfile, "secret ");
764  x_parser_strcat (cfile, tempbv[0]->bv_val);
765  x_parser_strcat (cfile, ";\n");
766  ldap_value_free_len (tempbv);
767  }
768 
769  item->close_brace = 1;
770 }
771 
772 
773 static void
774 ldap_parse_zone (struct ldap_config_stack *item, struct parse *cfile)
775 {
776  char *cnFindStart, *cnFindEnd;
777  struct berval **tempbv;
778  char *keyCn;
779  size_t len;
780 
781  if ((tempbv = ldap_get_values_len (ld, item->ldent, "cn")) != NULL)
782  {
783  x_parser_strcat (cfile, "zone ");
784  x_parser_strcat (cfile, tempbv[0]->bv_val);
785  x_parser_strcat (cfile, " {\n");
786  ldap_value_free_len (tempbv);
787  }
788 
789  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpDnsZoneServer")) != NULL)
790  {
791  x_parser_strcat (cfile, "primary ");
792  x_parser_strcat (cfile, tempbv[0]->bv_val);
793 
794  x_parser_strcat (cfile, ";\n");
795  ldap_value_free_len (tempbv);
796  }
797 
798  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpKeyDN")) != NULL)
799  {
800  cnFindStart = strchr(tempbv[0]->bv_val,'=');
801  if (cnFindStart != NULL)
802  cnFindEnd = strchr(++cnFindStart,',');
803  else
804  cnFindEnd = NULL;
805 
806  if (cnFindEnd != NULL && cnFindEnd > cnFindStart)
807  {
808  len = cnFindEnd - cnFindStart;
809  keyCn = dmalloc (len + 1, MDL);
810  }
811  else
812  {
813  len = 0;
814  keyCn = NULL;
815  }
816 
817  if (keyCn != NULL)
818  {
819  strncpy (keyCn, cnFindStart, len);
820  keyCn[len] = '\0';
821 
822  x_parser_strcat (cfile, "key ");
823  x_parser_strcat (cfile, keyCn);
824  x_parser_strcat (cfile, ";\n");
825 
826  dfree (keyCn, MDL);
827  }
828 
829  ldap_value_free_len (tempbv);
830  }
831 
832  item->close_brace = 1;
833 }
834 
835 #if defined(HAVE_IFADDRS_H)
836 static void
837 ldap_parse_failover (struct ldap_config_stack *item, struct parse *cfile)
838 {
839  struct berval **tempbv, **peername;
840  struct ifaddrs *addrs = NULL;
841  char srvaddr[2][64] = {"\0", "\0"};
842  int primary, split = 0, match;
843 
844  if ((peername = ldap_get_values_len (ld, item->ldent, "cn")) == NULL ||
845  peername[0] == NULL)
846  {
847  if (peername != NULL)
848  ldap_value_free_len (peername);
849 
850  // ldap with disabled schema checks? fail to avoid syntax error.
851  log_error("Unable to find mandatory failover peering name attribute");
852  return;
853  }
854 
855  /* Get all interface addresses */
856  getifaddrs(&addrs);
857 
858  /*
859  ** when dhcpFailOverPrimaryServer or dhcpFailOverSecondaryServer
860  ** matches one of our IP address, the following valiables are set:
861  ** - primary is 1 when we are primary or 0 when we are secondary
862  ** - srvaddr[0] contains ip address of the primary
863  ** - srvaddr[1] contains ip address of the secondary
864  */
865  primary = -1;
866  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverPrimaryServer")) != NULL &&
867  tempbv[0] != NULL)
868  {
869  match = get_host_address (tempbv[0]->bv_val, srvaddr[0], sizeof(srvaddr[0]), addrs);
870  if (match >= 0)
871  {
872  /* we are the primary */
873  if (match > 0)
874  primary = 1;
875  }
876  else
877  {
878  log_info("Can't resolve address of the primary failover '%s' server %s",
879  peername[0]->bv_val, tempbv[0]->bv_val);
880  ldap_value_free_len (tempbv);
881  ldap_value_free_len (peername);
882  if (addrs)
883  freeifaddrs(addrs);
884  return;
885  }
886  }
887  if (tempbv != NULL)
888  ldap_value_free_len (tempbv);
889 
890  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverSecondaryServer")) != NULL &&
891  tempbv[0] != NULL)
892  {
893  match = get_host_address (tempbv[0]->bv_val, srvaddr[1], sizeof(srvaddr[1]), addrs);
894  if (match >= 0)
895  {
896  if (match > 0)
897  {
898  if (primary == 1)
899  {
900  log_info("Both, primary and secondary failover '%s' server"
901  " attributes match our local address", peername[0]->bv_val);
902  ldap_value_free_len (tempbv);
903  ldap_value_free_len (peername);
904  if (addrs)
905  freeifaddrs(addrs);
906  return;
907  }
908 
909  /* we are the secondary */
910  primary = 0;
911  }
912  }
913  else
914  {
915  log_info("Can't resolve address of the secondary failover '%s' server %s",
916  peername[0]->bv_val, tempbv[0]->bv_val);
917  ldap_value_free_len (tempbv);
918  ldap_value_free_len (peername);
919  if (addrs)
920  freeifaddrs(addrs);
921  return;
922  }
923  }
924  if (tempbv != NULL)
925  ldap_value_free_len (tempbv);
926 
927 
928  if (primary == -1 || *srvaddr[0] == '\0' || *srvaddr[1] == '\0')
929  {
930  log_error("Could not decide if the server type is primary"
931  " or secondary for failover peering '%s'.", peername[0]->bv_val);
932  ldap_value_free_len (peername);
933  if (addrs)
934  freeifaddrs(addrs);
935  return;
936  }
937 
938  x_parser_strcat (cfile, "failover peer \"");
939  x_parser_strcat (cfile, peername[0]->bv_val);
940  x_parser_strcat (cfile, "\" {\n");
941 
942  if (primary)
943  x_parser_strcat (cfile, "primary;\n");
944  else
945  x_parser_strcat (cfile, "secondary;\n");
946 
947  x_parser_strcat (cfile, "address ");
948  if (primary)
949  x_parser_strcat (cfile, srvaddr[0]);
950  else
951  x_parser_strcat (cfile, srvaddr[1]);
952  x_parser_strcat (cfile, ";\n");
953 
954  x_parser_strcat (cfile, "peer address ");
955  if (primary)
956  x_parser_strcat (cfile, srvaddr[1]);
957  else
958  x_parser_strcat (cfile, srvaddr[0]);
959  x_parser_strcat (cfile, ";\n");
960 
961  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverPrimaryPort")) != NULL &&
962  tempbv[0] != NULL)
963  {
964  if (primary)
965  x_parser_strcat (cfile, "port ");
966  else
967  x_parser_strcat (cfile, "peer port ");
968  x_parser_strcat (cfile, tempbv[0]->bv_val);
969  x_parser_strcat (cfile, ";\n");
970  }
971  if (tempbv != NULL)
972  ldap_value_free_len (tempbv);
973 
974  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverSecondaryPort")) != NULL &&
975  tempbv[0] != NULL)
976  {
977  if (primary)
978  x_parser_strcat (cfile, "peer port ");
979  else
980  x_parser_strcat (cfile, "port ");
981  x_parser_strcat (cfile, tempbv[0]->bv_val);
982  x_parser_strcat (cfile, ";\n");
983  }
984  if (tempbv != NULL)
985  ldap_value_free_len (tempbv);
986 
987  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverResponseDelay")) != NULL &&
988  tempbv[0] != NULL)
989  {
990  x_parser_strcat (cfile, "max-response-delay ");
991  x_parser_strcat (cfile, tempbv[0]->bv_val);
992  x_parser_strcat (cfile, ";\n");
993  }
994  if (tempbv != NULL)
995  ldap_value_free_len (tempbv);
996 
997  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverUnackedUpdates")) != NULL &&
998  tempbv[0] != NULL)
999  {
1000  x_parser_strcat (cfile, "max-unacked-updates ");
1001  x_parser_strcat (cfile, tempbv[0]->bv_val);
1002  x_parser_strcat (cfile, ";\n");
1003  }
1004  if (tempbv != NULL)
1005  ldap_value_free_len (tempbv);
1006 
1007  if ((tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverLoadBalanceTime")) != NULL &&
1008  tempbv[0] != NULL)
1009  {
1010  x_parser_strcat (cfile, "load balance max seconds ");
1011  x_parser_strcat (cfile, tempbv[0]->bv_val);
1012  x_parser_strcat (cfile, ";\n");
1013  }
1014  if (tempbv != NULL)
1015  ldap_value_free_len (tempbv);
1016 
1017  tempbv = NULL;
1018  if (primary &&
1019  (tempbv = ldap_get_values_len (ld, item->ldent, "dhcpMaxClientLeadTime")) != NULL &&
1020  tempbv[0] != NULL)
1021  {
1022  x_parser_strcat (cfile, "mclt ");
1023  x_parser_strcat (cfile, tempbv[0]->bv_val);
1024  x_parser_strcat (cfile, ";\n");
1025  }
1026  if (tempbv != NULL)
1027  ldap_value_free_len (tempbv);
1028 
1029  tempbv = NULL;
1030  if (primary &&
1031  (tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverSplit")) != NULL &&
1032  tempbv[0] != NULL)
1033  {
1034  x_parser_strcat (cfile, "split ");
1035  x_parser_strcat (cfile, tempbv[0]->bv_val);
1036  x_parser_strcat (cfile, ";\n");
1037  split = 1;
1038  }
1039  if (tempbv != NULL)
1040  ldap_value_free_len (tempbv);
1041 
1042  tempbv = NULL;
1043  if (primary && !split &&
1044  (tempbv = ldap_get_values_len (ld, item->ldent, "dhcpFailOverHashBucketAssignment")) != NULL &&
1045  tempbv[0] != NULL)
1046  {
1047  x_parser_strcat (cfile, "hba ");
1048  x_parser_strcat (cfile, tempbv[0]->bv_val);
1049  x_parser_strcat (cfile, ";\n");
1050  }
1051  if (tempbv != NULL)
1052  ldap_value_free_len (tempbv);
1053 
1054  item->close_brace = 1;
1055 }
1056 #endif /* HAVE_IFADDRS_H */
1057 
1058 static void
1059 add_to_config_stack (LDAPMessage * res, LDAPMessage * ent)
1060 {
1061  struct ldap_config_stack *ns;
1062 
1063  ns = dmalloc (sizeof (*ns), MDL);
1064  if (!ns) {
1065  log_fatal ("no memory for add_to_config_stack()");
1066  }
1067 
1068  ns->res = res;
1069  ns->ldent = ent;
1070  ns->close_brace = 0;
1071  ns->processed = 0;
1072  ns->next = ldap_stack;
1073  ldap_stack = ns;
1074 }
1075 
1076 static void
1077 ldap_stop()
1078 {
1079  struct sigaction old, new;
1080 
1081  if (ld == NULL)
1082  return;
1083 
1084  /*
1085  ** ldap_unbind after a LDAP_SERVER_DOWN result
1086  ** causes a SIGPIPE and dhcpd gets terminated,
1087  ** since it doesn't handle it...
1088  */
1089 
1090  new.sa_flags = 0;
1091  new.sa_handler = SIG_IGN;
1092  sigemptyset (&new.sa_mask);
1093  sigaction (SIGPIPE, &new, &old);
1094 
1095  ldap_unbind_ext_s (ld, NULL, NULL);
1096  ld = NULL;
1097 
1098  sigaction (SIGPIPE, &old, &new);
1099 }
1100 
1101 
1102 static char *
1103 _do_lookup_dhcp_string_option (struct option_state *options, int option_name)
1104 {
1105  struct option_cache *oc;
1106  struct data_string db;
1107  char *ret;
1108 
1109  memset (&db, 0, sizeof (db));
1110  oc = lookup_option (&server_universe, options, option_name);
1111  if (oc &&
1112  evaluate_option_cache (&db, (struct packet*) NULL,
1113  (struct lease *) NULL,
1114  (struct client_state *) NULL, options,
1115  (struct option_state *) NULL,
1116  &global_scope, oc, MDL) &&
1117  db.data != NULL && *db.data != '\0')
1118 
1119  {
1120  ret = dmalloc (db.len + 1, MDL);
1121  if (ret == NULL)
1122  log_fatal ("no memory for ldap option %d value", option_name);
1123 
1124  memcpy (ret, db.data, db.len);
1125  ret[db.len] = 0;
1126  data_string_forget (&db, MDL);
1127  }
1128  else
1129  ret = NULL;
1130 
1131  return (ret);
1132 }
1133 
1134 
1135 static int
1136 _do_lookup_dhcp_int_option (struct option_state *options, int option_name)
1137 {
1138  struct option_cache *oc;
1139  struct data_string db;
1140  int ret = 0;
1141 
1142  memset (&db, 0, sizeof (db));
1143  oc = lookup_option (&server_universe, options, option_name);
1144  if (oc &&
1145  evaluate_option_cache (&db, (struct packet*) NULL,
1146  (struct lease *) NULL,
1147  (struct client_state *) NULL, options,
1148  (struct option_state *) NULL,
1149  &global_scope, oc, MDL) &&
1150  db.data != NULL)
1151  {
1152  if (db.len == 4) {
1153  ret = getULong(db.data);
1154  }
1155 
1156  data_string_forget (&db, MDL);
1157  }
1158 
1159  return (ret);
1160 }
1161 
1162 
1163 static int
1164 _do_lookup_dhcp_enum_option (struct option_state *options, int option_name)
1165 {
1166  struct option_cache *oc;
1167  struct data_string db;
1168  int ret = -1;
1169 
1170  memset (&db, 0, sizeof (db));
1171  oc = lookup_option (&server_universe, options, option_name);
1172  if (oc &&
1173  evaluate_option_cache (&db, (struct packet*) NULL,
1174  (struct lease *) NULL,
1175  (struct client_state *) NULL, options,
1176  (struct option_state *) NULL,
1177  &global_scope, oc, MDL) &&
1178  db.data != NULL && *db.data != '\0')
1179  {
1180  if (db.len == 1)
1181  ret = db.data [0];
1182  else
1183  log_fatal ("invalid option name %d", option_name);
1184 
1185  data_string_forget (&db, MDL);
1186  }
1187  else
1188  ret = 0;
1189 
1190  return (ret);
1191 }
1192 
1193 int
1194 ldap_rebind_cb (LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *parms)
1195 {
1196  int ret;
1197  LDAPURLDesc *ldapurl = NULL;
1198  char *who = NULL;
1199  struct berval creds;
1200 
1201  log_info("LDAP rebind to '%s'", url);
1202  if ((ret = ldap_url_parse(url, &ldapurl)) != LDAP_SUCCESS)
1203  {
1204  log_error ("Error: Can not parse ldap rebind url '%s': %s",
1205  url, ldap_err2string(ret));
1206  return ret;
1207  }
1208 
1209 
1210 #if defined (LDAP_USE_SSL)
1211  if (strcasecmp(ldapurl->lud_scheme, "ldaps") == 0)
1212  {
1213  int opt = LDAP_OPT_X_TLS_HARD;
1214  if ((ret = ldap_set_option (ld, LDAP_OPT_X_TLS, &opt)) != LDAP_SUCCESS)
1215  {
1216  log_error ("Error: Cannot init LDAPS session to %s:%d: %s",
1217  ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
1218  ldap_free_urldesc(ldapurl);
1219  return ret;
1220  }
1221  else
1222  {
1223  log_info ("LDAPS session successfully enabled to %s", ldap_server);
1224  }
1225  }
1226  else
1227  if (strcasecmp(ldapurl->lud_scheme, "ldap") == 0 &&
1228  ldap_use_ssl != LDAP_SSL_OFF)
1229  {
1230  if ((ret = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
1231  {
1232  log_error ("Error: Cannot start TLS session to %s:%d: %s",
1233  ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
1234  ldap_free_urldesc(ldapurl);
1235  return ret;
1236  }
1237  else
1238  {
1239  log_info ("TLS session successfully started to %s:%d",
1240  ldapurl->lud_host, ldapurl->lud_port);
1241  }
1242  }
1243 #endif
1244 
1245 #if defined(LDAP_USE_GSSAPI)
1246  if (ldap_gssapi_principal != NULL) {
1247  krb5_get_tgt(ldap_gssapi_principal, ldap_gssapi_keytab);
1248  if ((ret = ldap_sasl_interactive_bind_s(ld, NULL, ldap_sasl_inst->sasl_mech,
1249  NULL, NULL, LDAP_SASL_AUTOMATIC,
1250  _ldap_sasl_interact, ldap_sasl_inst)
1251  ) != LDAP_SUCCESS)
1252  {
1253  log_error ("Error: Cannot SASL bind to ldap server %s:%d: %s",
1254  ldap_server, ldap_port, ldap_err2string (ret));
1255  char *msg=NULL;
1256  ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
1257  log_error ("\tAdditional info: %s", msg);
1258  ldap_memfree(msg);
1259  ldap_stop();
1260  }
1261 
1262  ldap_free_urldesc(ldapurl);
1263  return ret;
1264  }
1265 #endif
1266 
1267  if (ldap_username != NULL && *ldap_username != '\0' && ldap_password != NULL)
1268  {
1269  who = ldap_username;
1270  creds.bv_val = strdup(ldap_password);
1271  if (creds.bv_val == NULL)
1272  log_fatal ("Error: Unable to allocate memory to duplicate ldap_password");
1273 
1274  creds.bv_len = strlen(ldap_password);
1275 
1276  if ((ret = ldap_sasl_bind_s (ld, who, LDAP_SASL_SIMPLE, &creds,
1277  NULL, NULL, NULL)) != LDAP_SUCCESS)
1278  {
1279  log_error ("Error: Cannot login into ldap server %s:%d: %s",
1280  ldapurl->lud_host, ldapurl->lud_port, ldap_err2string (ret));
1281  }
1282 
1283  if (creds.bv_val)
1284  free(creds.bv_val);
1285  }
1286 
1287  ldap_free_urldesc(ldapurl);
1288  return ret;
1289 }
1290 
1291 static int
1292 _do_ldap_retry(int ret, const char *server, int port)
1293 {
1294  static int inform = 1;
1295 
1296  if (ldap_enable_retry > 0 && ret == LDAP_SERVER_DOWN && ldap_init_retry > 0)
1297  {
1298  if (inform || (ldap_init_retry % 10) == 0)
1299  {
1300  inform = 0;
1301  log_info ("Can't contact LDAP server %s:%d: retrying for %d sec",
1302  server, port, ldap_init_retry);
1303  }
1304  sleep(1);
1305  return ldap_init_retry--;
1306  }
1307  return 0;
1308 }
1309 
1310 static struct berval *
1311 _do_ldap_str2esc_filter_bv(const char *str, ber_len_t len, struct berval *bv_o)
1312 {
1313  struct berval bv_i;
1314 
1315  if (!str || !bv_o || (ber_str2bv(str, len, 0, &bv_i) == NULL) ||
1316  (ldap_bv2escaped_filter_value(&bv_i, bv_o) != 0))
1317  return NULL;
1318  return bv_o;
1319 }
1320 
1321 static void
1322 ldap_start (void)
1323 {
1324  struct option_state *options;
1325  int ret, version;
1326  char *uri = NULL;
1327  struct berval creds;
1328 #if defined(LDAP_USE_GSSAPI)
1329  char *gssapi_realm = NULL;
1330  char *gssapi_user = NULL;
1331  char *running = NULL;
1332  const char *gssapi_delim = "@";
1333 #endif
1334 
1335  if (ld != NULL)
1336  return;
1337 
1338  if (ldap_server == NULL)
1339  {
1340  options = NULL;
1341  option_state_allocate (&options, MDL);
1342 
1343  execute_statements_in_scope (NULL, NULL, NULL, NULL, NULL,
1344  options, &global_scope, root_group,
1345  NULL, NULL);
1346 
1347  ldap_server = _do_lookup_dhcp_string_option (options, SV_LDAP_SERVER);
1348  ldap_dhcp_server_cn = _do_lookup_dhcp_string_option (options,
1349  SV_LDAP_DHCP_SERVER_CN);
1350  ldap_port = _do_lookup_dhcp_int_option (options, SV_LDAP_PORT);
1351  ldap_base_dn = _do_lookup_dhcp_string_option (options, SV_LDAP_BASE_DN);
1352  ldap_method = _do_lookup_dhcp_enum_option (options, SV_LDAP_METHOD);
1353  ldap_debug_file = _do_lookup_dhcp_string_option (options,
1354  SV_LDAP_DEBUG_FILE);
1355  ldap_referrals = _do_lookup_dhcp_enum_option (options, SV_LDAP_REFERRALS);
1356  ldap_init_retry = _do_lookup_dhcp_int_option (options, SV_LDAP_INIT_RETRY);
1357 
1358 #if defined (LDAP_USE_SSL)
1359  ldap_use_ssl = _do_lookup_dhcp_enum_option (options, SV_LDAP_SSL);
1360  if( ldap_use_ssl != LDAP_SSL_OFF)
1361  {
1362  ldap_tls_reqcert = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_REQCERT);
1363  ldap_tls_ca_file = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CA_FILE);
1364  ldap_tls_ca_dir = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CA_DIR);
1365  ldap_tls_cert = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CERT);
1366  ldap_tls_key = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_KEY);
1367  ldap_tls_crlcheck = _do_lookup_dhcp_enum_option (options, SV_LDAP_TLS_CRLCHECK);
1368  ldap_tls_ciphers = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_CIPHERS);
1369  ldap_tls_randfile = _do_lookup_dhcp_string_option (options, SV_LDAP_TLS_RANDFILE);
1370  }
1371 #endif
1372 
1373 #if defined (LDAP_USE_GSSAPI)
1374  ldap_gssapi_principal = _do_lookup_dhcp_string_option (options,
1375  SV_LDAP_GSSAPI_PRINCIPAL);
1376 
1377  if (ldap_gssapi_principal == NULL) {
1378  log_error("ldap_gssapi_principal is not set,"
1379  "GSSAPI Authentication for LDAP will not be used");
1380  } else {
1381  ldap_gssapi_keytab = _do_lookup_dhcp_string_option (options,
1382  SV_LDAP_GSSAPI_KEYTAB);
1383  if (ldap_gssapi_keytab == NULL) {
1384  log_fatal("ldap_gssapi_keytab must be specified");
1385  }
1386 
1387  running = strdup(ldap_gssapi_principal);
1388  if (running == NULL)
1389  log_fatal("Could not allocate memory to duplicate gssapi principal");
1390 
1391  gssapi_user = strtok(running, gssapi_delim);
1392  if (!gssapi_user || strlen(gssapi_user) == 0) {
1393  log_fatal ("GSSAPI principal must specify user: user@realm");
1394  }
1395 
1396  gssapi_realm = strtok(NULL, gssapi_delim);
1397  if (!gssapi_realm || strlen(gssapi_realm) == 0) {
1398  log_fatal ("GSSAPI principal must specify realm: user@realm");
1399  }
1400 
1401  ldap_sasl_inst = malloc(sizeof(struct ldap_sasl_instance));
1402  if (ldap_sasl_inst == NULL)
1403  log_fatal("Could not allocate memory for sasl instance! Can not run!");
1404 
1405  ldap_sasl_inst->sasl_mech = ber_strdup("GSSAPI");
1406  if (ldap_sasl_inst->sasl_mech == NULL)
1407  log_fatal("Could not allocate memory to duplicate gssapi mechanism");
1408 
1409  ldap_sasl_inst->sasl_realm = ber_strdup(gssapi_realm);
1410  if (ldap_sasl_inst->sasl_realm == NULL)
1411  log_fatal("Could not allocate memory to duplicate gssapi realm");
1412 
1413  ldap_sasl_inst->sasl_authz_id = ber_strdup(gssapi_user);
1414  if (ldap_sasl_inst->sasl_authz_id == NULL)
1415  log_fatal("Could not allocate memory to duplicate gssapi user");
1416 
1417  ldap_sasl_inst->sasl_authc_id = NULL;
1418  ldap_sasl_inst->sasl_password = NULL; //"" before
1419  free(running);
1420  }
1421 #endif
1422 
1423 #if defined (LDAP_CASA_AUTH)
1424  if (!load_uname_pwd_from_miCASA(&ldap_username,&ldap_password))
1425  {
1426 #if defined (DEBUG_LDAP)
1427  log_info ("Authentication credential taken from file");
1428 #endif
1429 #endif
1430 
1431  ldap_username = _do_lookup_dhcp_string_option (options, SV_LDAP_USERNAME);
1432  ldap_password = _do_lookup_dhcp_string_option (options, SV_LDAP_PASSWORD);
1433 
1434 #if defined (LDAP_CASA_AUTH)
1435  }
1436 #endif
1437 
1438  option_state_dereference (&options, MDL);
1439  }
1440 
1441  if (ldap_server == NULL || ldap_base_dn == NULL)
1442  {
1443  log_info ("Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file");
1444  ldap_method = LDAP_METHOD_STATIC;
1445  return;
1446  }
1447 
1448  if (ldap_debug_file != NULL && ldap_debug_fd == -1)
1449  {
1450  if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC,
1451  S_IRUSR | S_IWUSR)) < 0)
1452  log_error ("Error opening debug LDAP log file %s: %s", ldap_debug_file,
1453  strerror (errno));
1454  }
1455 
1456 #if defined (DEBUG_LDAP)
1457  log_info ("Connecting to LDAP server %s:%d", ldap_server, ldap_port);
1458 #endif
1459 
1460 #if defined (LDAP_USE_SSL)
1461  if (ldap_use_ssl == -1)
1462  {
1463  /*
1464  ** There was no "ldap-ssl" option in dhcpd.conf (also not "off").
1465  ** Let's try, if we can use an anonymous TLS session without to
1466  ** verify the server certificate -- if not continue without TLS.
1467  */
1468  int opt = LDAP_OPT_X_TLS_ALLOW;
1469  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
1470  &opt)) != LDAP_SUCCESS)
1471  {
1472  log_error ("Warning: Cannot set LDAP TLS require cert option to 'allow': %s",
1473  ldap_err2string (ret));
1474  }
1475  }
1476 
1477  if (ldap_use_ssl != LDAP_SSL_OFF)
1478  {
1479  if (ldap_tls_reqcert != -1)
1480  {
1481  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
1482  &ldap_tls_reqcert)) != LDAP_SUCCESS)
1483  {
1484  log_error ("Cannot set LDAP TLS require cert option: %s",
1485  ldap_err2string (ret));
1486  }
1487  }
1488 
1489  if( ldap_tls_ca_file != NULL)
1490  {
1491  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
1492  ldap_tls_ca_file)) != LDAP_SUCCESS)
1493  {
1494  log_error ("Cannot set LDAP TLS CA certificate file %s: %s",
1495  ldap_tls_ca_file, ldap_err2string (ret));
1496  }
1497  }
1498  if( ldap_tls_ca_dir != NULL)
1499  {
1500  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
1501  ldap_tls_ca_dir)) != LDAP_SUCCESS)
1502  {
1503  log_error ("Cannot set LDAP TLS CA certificate dir %s: %s",
1504  ldap_tls_ca_dir, ldap_err2string (ret));
1505  }
1506  }
1507  if( ldap_tls_cert != NULL)
1508  {
1509  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
1510  ldap_tls_cert)) != LDAP_SUCCESS)
1511  {
1512  log_error ("Cannot set LDAP TLS client certificate file %s: %s",
1513  ldap_tls_cert, ldap_err2string (ret));
1514  }
1515  }
1516  if( ldap_tls_key != NULL)
1517  {
1518  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
1519  ldap_tls_key)) != LDAP_SUCCESS)
1520  {
1521  log_error ("Cannot set LDAP TLS certificate key file %s: %s",
1522  ldap_tls_key, ldap_err2string (ret));
1523  }
1524  }
1525  if( ldap_tls_crlcheck != -1)
1526  {
1527  int opt = ldap_tls_crlcheck;
1528  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CRLCHECK,
1529  &opt)) != LDAP_SUCCESS)
1530  {
1531  log_error ("Cannot set LDAP TLS crl check option: %s",
1532  ldap_err2string (ret));
1533  }
1534  }
1535  if( ldap_tls_ciphers != NULL)
1536  {
1537  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
1538  ldap_tls_ciphers)) != LDAP_SUCCESS)
1539  {
1540  log_error ("Cannot set LDAP TLS cipher suite %s: %s",
1541  ldap_tls_ciphers, ldap_err2string (ret));
1542  }
1543  }
1544  if( ldap_tls_randfile != NULL)
1545  {
1546  if ((ret = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
1547  ldap_tls_randfile)) != LDAP_SUCCESS)
1548  {
1549  log_error ("Cannot set LDAP TLS random file %s: %s",
1550  ldap_tls_randfile, ldap_err2string (ret));
1551  }
1552  }
1553  }
1554 #endif
1555 
1556  /* enough for 'ldap://+ + hostname + ':' + port number */
1557  uri = malloc(strlen(ldap_server) + 16);
1558  if (uri == NULL)
1559  {
1560  log_error ("Cannot build ldap init URI %s:%d", ldap_server, ldap_port);
1561  return;
1562  }
1563 
1564  sprintf(uri, "ldap://%s:%d", ldap_server, ldap_port);
1565  ldap_initialize(&ld, uri);
1566 
1567  if (ld == NULL)
1568  {
1569  log_error ("Cannot init ldap session to %s:%d", ldap_server, ldap_port);
1570  return;
1571  }
1572 
1573  free(uri);
1574 
1575  version = LDAP_VERSION3;
1576  if ((ret = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)) != LDAP_OPT_SUCCESS)
1577  {
1578  log_error ("Cannot set LDAP version to %d: %s", version,
1579  ldap_err2string (ret));
1580  }
1581 
1582  if (ldap_referrals != -1)
1583  {
1584  if ((ret = ldap_set_option (ld, LDAP_OPT_REFERRALS, ldap_referrals ?
1585  LDAP_OPT_ON : LDAP_OPT_OFF)) != LDAP_OPT_SUCCESS)
1586  {
1587  log_error ("Cannot %s LDAP referrals option: %s",
1588  (ldap_referrals ? "enable" : "disable"),
1589  ldap_err2string (ret));
1590  }
1591  }
1592 
1593  if ((ret = ldap_set_rebind_proc(ld, ldap_rebind_cb, NULL)) != LDAP_SUCCESS)
1594  {
1595  log_error ("Warning: Cannot set ldap rebind procedure: %s",
1596  ldap_err2string (ret));
1597  }
1598 
1599 #if defined (LDAP_USE_SSL)
1600  if (ldap_use_ssl == LDAP_SSL_LDAPS ||
1601  (ldap_use_ssl == LDAP_SSL_ON && ldap_port == LDAPS_PORT))
1602  {
1603  int opt = LDAP_OPT_X_TLS_HARD;
1604  if ((ret = ldap_set_option (ld, LDAP_OPT_X_TLS, &opt)) != LDAP_SUCCESS)
1605  {
1606  log_error ("Error: Cannot init LDAPS session to %s:%d: %s",
1607  ldap_server, ldap_port, ldap_err2string (ret));
1608  ldap_stop();
1609  return;
1610  }
1611  else
1612  {
1613  log_info ("LDAPS session successfully enabled to %s:%d",
1614  ldap_server, ldap_port);
1615  }
1616  }
1617  else if (ldap_use_ssl != LDAP_SSL_OFF)
1618  {
1619  do
1620  {
1621  ret = ldap_start_tls_s (ld, NULL, NULL);
1622  }
1623  while(_do_ldap_retry(ret, ldap_server, ldap_port) > 0);
1624 
1625  if (ret != LDAP_SUCCESS)
1626  {
1627  log_error ("Error: Cannot start TLS session to %s:%d: %s",
1628  ldap_server, ldap_port, ldap_err2string (ret));
1629  ldap_stop();
1630  return;
1631  }
1632  else
1633  {
1634  log_info ("TLS session successfully started to %s:%d",
1635  ldap_server, ldap_port);
1636  }
1637  }
1638 #endif
1639 
1640 #if defined(LDAP_USE_GSSAPI)
1641  if (ldap_gssapi_principal != NULL) {
1642  krb5_get_tgt(ldap_gssapi_principal, ldap_gssapi_keytab);
1643  if ((ret = ldap_sasl_interactive_bind_s(ld, NULL, ldap_sasl_inst->sasl_mech,
1644  NULL, NULL, LDAP_SASL_AUTOMATIC,
1645  _ldap_sasl_interact, ldap_sasl_inst)
1646  ) != LDAP_SUCCESS)
1647  {
1648  log_error ("Error: Cannot SASL bind to ldap server %s:%d: %s",
1649  ldap_server, ldap_port, ldap_err2string (ret));
1650  char *msg=NULL;
1651  ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
1652  log_error ("\tAdditional info: %s", msg);
1653  ldap_memfree(msg);
1654  ldap_stop();
1655  return;
1656  }
1657  } else
1658 #endif
1659 
1660  if (ldap_username != NULL && *ldap_username != '\0' && ldap_password != NULL)
1661  {
1662  creds.bv_val = strdup(ldap_password);
1663  if (creds.bv_val == NULL)
1664  log_fatal ("Error: Unable to allocate memory to duplicate ldap_password");
1665 
1666  creds.bv_len = strlen(ldap_password);
1667 
1668  do
1669  {
1670  ret = ldap_sasl_bind_s (ld, ldap_username, LDAP_SASL_SIMPLE,
1671  &creds, NULL, NULL, NULL);
1672  }
1673  while(_do_ldap_retry(ret, ldap_server, ldap_port) > 0);
1674  free(creds.bv_val);
1675 
1676  if (ret != LDAP_SUCCESS)
1677  {
1678  log_error ("Error: Cannot login into ldap server %s:%d: %s",
1679  ldap_server, ldap_port, ldap_err2string (ret));
1680  ldap_stop();
1681  return;
1682  }
1683  }
1684 
1685 #if defined (DEBUG_LDAP)
1686  log_info ("Successfully logged into LDAP server %s", ldap_server);
1687 #endif
1688 }
1689 
1690 
1691 static void
1692 parse_external_dns (LDAPMessage * ent)
1693 {
1694  char *search[] = {"dhcpOptionsDN", "dhcpSharedNetworkDN", "dhcpSubnetDN",
1695  "dhcpGroupDN", "dhcpHostDN", "dhcpClassesDN",
1696  "dhcpPoolDN", "dhcpZoneDN", "dhcpFailOverPeerDN", NULL};
1697 
1698  /* TODO: dhcpKeyDN can't be added. It is referenced in dhcpDnsZone to
1699  retrive the key name (cn). Adding keyDN will reflect adding a key
1700  declaration inside the zone configuration.
1701 
1702  dhcpSubClassesDN cant be added. It is also similar to the above.
1703  Needs schema change.
1704  */
1705  LDAPMessage * newres, * newent;
1706  struct berval **tempbv;
1707  int i, j, ret;
1708 #if defined (DEBUG_LDAP)
1709  char *dn;
1710 
1711  dn = ldap_get_dn (ld, ent);
1712  if (dn != NULL)
1713  {
1714  log_info ("Parsing external DNs for '%s'", dn);
1715  ldap_memfree (dn);
1716  }
1717 #endif
1718 
1719  if (ld == NULL)
1720  ldap_start ();
1721  if (ld == NULL)
1722  return;
1723 
1724  for (i=0; search[i] != NULL; i++)
1725  {
1726  if ((tempbv = ldap_get_values_len (ld, ent, search[i])) == NULL)
1727  continue;
1728 
1729  for (j=0; tempbv[j] != NULL; j++)
1730  {
1731  if (*tempbv[j]->bv_val == '\0')
1732  continue;
1733 
1734  if ((ret = ldap_search_ext_s(ld, tempbv[j]->bv_val, LDAP_SCOPE_BASE,
1735  "objectClass=*", NULL, 0, NULL,
1736  NULL, NULL, 0, &newres)) != LDAP_SUCCESS)
1737  {
1738  ldap_value_free_len (tempbv);
1739  ldap_stop();
1740  return;
1741  }
1742 
1743 #if defined (DEBUG_LDAP)
1744  log_info ("Adding contents of subtree '%s' to config stack from '%s' reference", tempbv[j]->bv_val, search[i]);
1745 #endif
1746  for (newent = ldap_first_entry (ld, newres);
1747  newent != NULL;
1748  newent = ldap_next_entry (ld, newent))
1749  {
1750 #if defined (DEBUG_LDAP)
1751  dn = ldap_get_dn (ld, newent);
1752  if (dn != NULL)
1753  {
1754  log_info ("Adding LDAP result set starting with '%s' to config stack", dn);
1755  ldap_memfree (dn);
1756  }
1757 #endif
1758 
1759  add_to_config_stack (newres, newent);
1760  /* don't free newres here */
1761  }
1762  }
1763 
1764  ldap_value_free_len (tempbv);
1765  }
1766 }
1767 
1768 
1769 static void
1770 free_stack_entry (struct ldap_config_stack *item)
1771 {
1772  struct ldap_config_stack *look_ahead_pointer = item;
1773  int may_free_msg = 1;
1774 
1775  while (look_ahead_pointer->next != NULL)
1776  {
1777  look_ahead_pointer = look_ahead_pointer->next;
1778  if (look_ahead_pointer->res == item->res)
1779  {
1780  may_free_msg = 0;
1781  break;
1782  }
1783  }
1784 
1785  if (may_free_msg)
1786  ldap_msgfree (item->res);
1787 
1788  dfree (item, MDL);
1789 }
1790 
1791 
1792 static void
1793 next_ldap_entry (struct parse *cfile)
1794 {
1795  struct ldap_config_stack *temp_stack;
1796 
1797  if (ldap_stack != NULL && ldap_stack->close_brace)
1798  {
1799  x_parser_strcat (cfile, "}\n");
1800  ldap_stack->close_brace = 0;
1801  }
1802 
1803  while (ldap_stack != NULL &&
1804  (ldap_stack->ldent == NULL || ( ldap_stack->processed &&
1805  (ldap_stack->ldent = ldap_next_entry (ld, ldap_stack->ldent)) == NULL)))
1806  {
1807  if (ldap_stack->close_brace)
1808  {
1809  x_parser_strcat (cfile, "}\n");
1810  ldap_stack->close_brace = 0;
1811  }
1812 
1813  temp_stack = ldap_stack;
1814  ldap_stack = ldap_stack->next;
1815  free_stack_entry (temp_stack);
1816  }
1817 
1818  if (ldap_stack != NULL && ldap_stack->close_brace)
1819  {
1820  x_parser_strcat (cfile, "}\n");
1821  ldap_stack->close_brace = 0;
1822  }
1823 }
1824 
1825 
1826 static char
1827 check_statement_end (const char *statement)
1828 {
1829  char *ptr;
1830 
1831  if (statement == NULL || *statement == '\0')
1832  return ('\0');
1833 
1834  /*
1835  ** check if it ends with "}", e.g.:
1836  ** "zone my.domain. { ... }"
1837  ** optionally followed by spaces
1838  */
1839  ptr = strrchr (statement, '}');
1840  if (ptr != NULL)
1841  {
1842  /* skip following white-spaces */
1843  for (++ptr; isspace ((int)*ptr); ptr++);
1844 
1845  /* check if we reached the end */
1846  if (*ptr == '\0')
1847  return ('}'); /* yes, block end */
1848  else
1849  return (*ptr);
1850  }
1851 
1852  /*
1853  ** this should not happen, but...
1854  ** check if it ends with ";", e.g.:
1855  ** "authoritative;"
1856  ** optionally followed by spaces
1857  */
1858  ptr = strrchr (statement, ';');
1859  if (ptr != NULL)
1860  {
1861  /* skip following white-spaces */
1862  for (++ptr; isspace ((int)*ptr); ptr++);
1863 
1864  /* check if we reached the end */
1865  if (*ptr == '\0')
1866  return (';'); /* ends with a ; */
1867  else
1868  return (*ptr);
1869  }
1870 
1871  return ('\0');
1872 }
1873 
1874 
1875 static isc_result_t
1876 ldap_parse_entry_options (LDAPMessage *ent, struct parse *cfile,
1877  int *lease_limit)
1878 {
1879  struct berval **tempbv;
1880  int i;
1881 
1882  if (ent == NULL || cfile == NULL)
1883  return (ISC_R_FAILURE);
1884 
1885  if ((tempbv = ldap_get_values_len (ld, ent, "dhcpStatements")) != NULL)
1886  {
1887  for (i=0; tempbv[i] != NULL; i++)
1888  {
1889  if (lease_limit != NULL &&
1890  strncasecmp ("lease limit ", tempbv[i]->bv_val, 12) == 0)
1891  {
1892  *lease_limit = (int) strtol ((tempbv[i]->bv_val) + 12, NULL, 10);
1893  continue;
1894  }
1895 
1896  x_parser_strcat (cfile, tempbv[i]->bv_val);
1897 
1898  switch((int) check_statement_end (tempbv[i]->bv_val))
1899  {
1900  case '}':
1901  case ';':
1902  x_parser_strcat (cfile, "\n");
1903  break;
1904  default:
1905  x_parser_strcat (cfile, ";\n");
1906  break;
1907  }
1908  }
1909  ldap_value_free_len (tempbv);
1910  }
1911 
1912  if ((tempbv = ldap_get_values_len (ld, ent, "dhcpOption")) != NULL)
1913  {
1914  for (i=0; tempbv[i] != NULL; i++)
1915  {
1916  x_parser_strcat (cfile, "option ");
1917  x_parser_strcat (cfile, tempbv[i]->bv_val);
1918  switch ((int) check_statement_end (tempbv[i]->bv_val))
1919  {
1920  case ';':
1921  x_parser_strcat (cfile, "\n");
1922  break;
1923  default:
1924  x_parser_strcat (cfile, ";\n");
1925  break;
1926  }
1927  }
1928  ldap_value_free_len (tempbv);
1929  }
1930 
1931  return (ISC_R_SUCCESS);
1932 }
1933 
1934 
1935 static void
1936 ldap_generate_config_string (struct parse *cfile)
1937 {
1938  struct berval **objectClass;
1939  char *dn;
1940  struct ldap_config_stack *entry;
1941  LDAPMessage * ent, * res, *entfirst, *resfirst;
1942  int i, ignore, found;
1943  int ret, parsedn = 1;
1944  size_t len = cfile->buflen;
1945 
1946  if (ld == NULL)
1947  ldap_start ();
1948  if (ld == NULL)
1949  return;
1950 
1951  entry = ldap_stack;
1952  if ((objectClass = ldap_get_values_len (ld, entry->ldent,
1953  "objectClass")) == NULL)
1954  return;
1955 
1956  entry->processed = 1;
1957  ignore = 0;
1958  found = 1;
1959  for (i=0; objectClass[i] != NULL; i++)
1960  {
1961  if (strcasecmp (objectClass[i]->bv_val, "dhcpSharedNetwork") == 0)
1962  ldap_parse_shared_network (entry, cfile);
1963  else if (strcasecmp (objectClass[i]->bv_val, "dhcpClass") == 0)
1964  ldap_parse_class (entry, cfile);
1965  else if (strcasecmp (objectClass[i]->bv_val, "dhcpSubnet") == 0)
1966  ldap_parse_subnet (entry, cfile);
1967  else if (strcasecmp (objectClass[i]->bv_val, "dhcpSubnet6") == 0)
1968  ldap_parse_subnet6 (entry, cfile);
1969  else if (strcasecmp (objectClass[i]->bv_val, "dhcpPool") == 0)
1970  ldap_parse_pool (entry, cfile);
1971  else if (strcasecmp (objectClass[i]->bv_val, "dhcpPool6") == 0)
1972  ldap_parse_pool6 (entry, cfile);
1973  else if (strcasecmp (objectClass[i]->bv_val, "dhcpGroup") == 0)
1974  ldap_parse_group (entry, cfile);
1975  else if (strcasecmp (objectClass[i]->bv_val, "dhcpTSigKey") == 0)
1976  ldap_parse_key (entry, cfile);
1977  else if (strcasecmp (objectClass[i]->bv_val, "dhcpDnsZone") == 0)
1978  ldap_parse_zone (entry, cfile);
1979 #if defined(HAVE_IFADDRS_H)
1980  else if (strcasecmp (objectClass[i]->bv_val, "dhcpFailOverPeer") == 0)
1981  ldap_parse_failover (entry, cfile);
1982 #endif
1983  else if (strcasecmp (objectClass[i]->bv_val, "dhcpHost") == 0)
1984  {
1985  if (ldap_method == LDAP_METHOD_STATIC)
1986  ldap_parse_host (entry, cfile);
1987  else
1988  {
1989  ignore = 1;
1990  break;
1991  }
1992  }
1993  else if (strcasecmp (objectClass[i]->bv_val, "dhcpSubClass") == 0)
1994  {
1995  if (ldap_method == LDAP_METHOD_STATIC)
1996  ldap_parse_subclass (entry, cfile);
1997  else
1998  {
1999  ignore = 1;
2000  break;
2001  }
2002  }
2003  else
2004  found = 0;
2005 
2006  if (found && x_parser_length(cfile) <= len)
2007  {
2008  ignore = 1;
2009  break;
2010  }
2011  }
2012 
2013  ldap_value_free_len (objectClass);
2014 
2015  if (ignore)
2016  {
2017  next_ldap_entry (cfile);
2018  return;
2019  }
2020 
2021  ldap_parse_entry_options(entry->ldent, cfile, NULL);
2022 
2023  dn = ldap_get_dn (ld, entry->ldent);
2024  if (dn == NULL)
2025  {
2026  ldap_stop();
2027  return;
2028  }
2029 #if defined(DEBUG_LDAP)
2030  log_info ("Found LDAP entry '%s'", dn);
2031 #endif
2032 
2033  if ((ret = ldap_search_ext_s (ld, dn, LDAP_SCOPE_ONELEVEL,
2034  "(!(|(|(objectClass=dhcpTSigKey)(objectClass=dhcpClass)) (objectClass=dhcpFailOverPeer)))",
2035  NULL, 0, NULL, NULL,
2036  NULL, 0, &res)) != LDAP_SUCCESS)
2037  {
2038  ldap_memfree (dn);
2039 
2040  ldap_stop();
2041  return;
2042  }
2043 
2044  if ((ret = ldap_search_ext_s (ld, dn, LDAP_SCOPE_ONELEVEL,
2045  "(|(|(objectClass=dhcpTSigKey)(objectClass=dhcpClass)) (objectClass=dhcpFailOverPeer))",
2046  NULL, 0, NULL, NULL,
2047  NULL, 0, &resfirst)) != LDAP_SUCCESS)
2048  {
2049  ldap_memfree (dn);
2050  ldap_msgfree (res);
2051 
2052  ldap_stop();
2053  return;
2054  }
2055 
2056  ldap_memfree (dn);
2057 
2058  ent = ldap_first_entry(ld, res);
2059  entfirst = ldap_first_entry(ld, resfirst);
2060 
2061  if (ent == NULL && entfirst == NULL)
2062  {
2063  parse_external_dns (entry->ldent);
2064  next_ldap_entry (cfile);
2065  }
2066 
2067  if (ent != NULL)
2068  {
2069  add_to_config_stack (res, ent);
2070  parse_external_dns (entry->ldent);
2071  parsedn = 0;
2072  }
2073  else
2074  ldap_msgfree (res);
2075 
2076  if (entfirst != NULL)
2077  {
2078  add_to_config_stack (resfirst, entfirst);
2079  if(parsedn)
2080  parse_external_dns (entry->ldent);
2081 
2082  }
2083  else
2084  ldap_msgfree (resfirst);
2085 }
2086 
2087 
2088 static void
2089 ldap_close_debug_fd()
2090 {
2091  if (ldap_debug_fd != -1)
2092  {
2093  close (ldap_debug_fd);
2094  ldap_debug_fd = -1;
2095  }
2096 }
2097 
2098 
2099 static void
2100 ldap_write_debug (const void *buff, size_t size)
2101 {
2102  if (ldap_debug_fd != -1)
2103  {
2104  if (write (ldap_debug_fd, buff, size) < 0)
2105  {
2106  log_error ("Error writing to LDAP debug file %s: %s."
2107  " Disabling log file.", ldap_debug_file,
2108  strerror (errno));
2109  ldap_close_debug_fd();
2110  }
2111  }
2112 }
2113 
2114 static int
2115 ldap_read_function (struct parse *cfile)
2116 {
2117  size_t len;
2118 
2119  /* append when in saved state */
2120  if (cfile->saved_state == NULL)
2121  {
2122  cfile->inbuf[0] = '\0';
2123  cfile->bufix = 0;
2124  cfile->buflen = 0;
2125  }
2126  len = cfile->buflen;
2127 
2128  while (ldap_stack != NULL && x_parser_length(cfile) <= len)
2129  ldap_generate_config_string (cfile);
2130 
2131  if (x_parser_length(cfile) <= len && ldap_stack == NULL)
2132  return (EOF);
2133 
2134  if (cfile->buflen > len)
2135  ldap_write_debug (cfile->inbuf + len, cfile->buflen - len);
2136 #if defined (DEBUG_LDAP)
2137  log_info ("Sending config portion '%s'", cfile->inbuf + len);
2138 #endif
2139 
2140  return (cfile->inbuf[cfile->bufix++]);
2141 }
2142 
2143 
2144 static char *
2145 ldap_get_host_name (LDAPMessage * ent)
2146 {
2147  struct berval **name;
2148  char *ret;
2149 
2150  ret = NULL;
2151  if ((name = ldap_get_values_len (ld, ent, "cn")) == NULL || name[0] == NULL)
2152  {
2153  if (name != NULL)
2154  ldap_value_free_len (name);
2155 
2156 #if defined (DEBUG_LDAP)
2157  ret = ldap_get_dn (ld, ent);
2158  if (ret != NULL)
2159  {
2160  log_info ("Cannot get cn attribute for LDAP entry %s", ret);
2161  ldap_memfree(ret);
2162  }
2163 #endif
2164  return (NULL);
2165  }
2166 
2167  ret = dmalloc (strlen (name[0]->bv_val) + 1, MDL);
2168  strcpy (ret, name[0]->bv_val);
2169  ldap_value_free_len (name);
2170 
2171  return (ret);
2172 }
2173 
2174 
2175 isc_result_t
2176 ldap_read_config (void)
2177 {
2178  LDAPMessage * ldres, * hostres, * ent, * hostent;
2179  char hfilter[1024], sfilter[1024], fqdn[257];
2180  char *hostdn;
2181  ldap_dn_node *curr = NULL;
2182  struct parse *cfile;
2183  struct utsname unme;
2184  isc_result_t res;
2185  size_t length;
2186  int ret, cnt;
2187  struct berval **tempbv = NULL;
2188  struct berval bv_o[2];
2189 
2190  cfile = x_parser_init("LDAP");
2191  if (cfile == NULL)
2192  return (ISC_R_NOMEMORY);
2193 
2194  ldap_enable_retry = 1;
2195  if (ld == NULL)
2196  ldap_start ();
2197  ldap_enable_retry = 0;
2198 
2199  if (ld == NULL)
2200  {
2201  x_parser_free(&cfile);
2202  return (ldap_server == NULL ? ISC_R_SUCCESS : ISC_R_FAILURE);
2203  }
2204 
2205  uname (&unme);
2206  if (ldap_dhcp_server_cn != NULL)
2207  {
2208  if (_do_ldap_str2esc_filter_bv(ldap_dhcp_server_cn, 0, &bv_o[0]) == NULL)
2209  {
2210  log_error ("Cannot escape ldap filter value %s: %m", ldap_dhcp_server_cn);
2211  x_parser_free(&cfile);
2212  return (ISC_R_FAILURE);
2213  }
2214 
2215  snprintf (hfilter, sizeof (hfilter),
2216  "(&(objectClass=dhcpServer)(cn=%s))", bv_o[0].bv_val);
2217 
2218  ber_memfree(bv_o[0].bv_val);
2219  }
2220  else
2221  {
2222  if (_do_ldap_str2esc_filter_bv(unme.nodename, 0, &bv_o[0]) == NULL)
2223  {
2224  log_error ("Cannot escape ldap filter value %s: %m", unme.nodename);
2225  x_parser_free(&cfile);
2226  return (ISC_R_FAILURE);
2227  }
2228 
2229  *fqdn ='\0';
2230  if(0 == get_host_entry(fqdn, sizeof(fqdn), NULL, 0))
2231  {
2232  if (_do_ldap_str2esc_filter_bv(fqdn, 0, &bv_o[1]) == NULL)
2233  {
2234  log_error ("Cannot escape ldap filter value %s: %m", fqdn);
2235  ber_memfree(bv_o[0].bv_val);
2236  x_parser_free(&cfile);
2237  return (ISC_R_FAILURE);
2238  }
2239  }
2240 
2241  // If we have fqdn and it isn't the same as nodename, use it in filter
2242  // otherwise just use nodename
2243  if ((*fqdn) && (strcmp(unme.nodename, fqdn))) {
2244  snprintf (hfilter, sizeof (hfilter),
2245  "(&(objectClass=dhcpServer)(|(cn=%s)(cn=%s)))",
2246  bv_o[0].bv_val, bv_o[1].bv_val);
2247 
2248  ber_memfree(bv_o[1].bv_val);
2249  }
2250  else
2251  {
2252  snprintf (hfilter, sizeof (hfilter),
2253  "(&(objectClass=dhcpServer)(cn=%s))",
2254  bv_o[0].bv_val);
2255  }
2256 
2257  ber_memfree(bv_o[0].bv_val);
2258  }
2259 
2260  ldap_enable_retry = 1;
2261  do
2262  {
2263  hostres = NULL;
2264  ret = ldap_search_ext_s (ld, ldap_base_dn, LDAP_SCOPE_SUBTREE,
2265  hfilter, NULL, 0, NULL, NULL, NULL, 0,
2266  &hostres);
2267  }
2268  while(_do_ldap_retry(ret, ldap_server, ldap_port) > 0);
2269  ldap_enable_retry = 0;
2270 
2271  if(ret != LDAP_SUCCESS)
2272  {
2273  log_error ("Cannot find host LDAP entry %s %s",
2274  ((ldap_dhcp_server_cn == NULL)?(unme.nodename):(ldap_dhcp_server_cn)), hfilter);
2275  if(NULL != hostres)
2276  ldap_msgfree (hostres);
2277  ldap_stop();
2278  x_parser_free(&cfile);
2279  return (ISC_R_FAILURE);
2280  }
2281 
2282  if ((hostent = ldap_first_entry (ld, hostres)) == NULL)
2283  {
2284  log_error ("Error: Cannot find LDAP entry matching %s", hfilter);
2285  ldap_msgfree (hostres);
2286  ldap_stop();
2287  x_parser_free(&cfile);
2288  return (ISC_R_FAILURE);
2289  }
2290 
2291  hostdn = ldap_get_dn (ld, hostent);
2292 #if defined(DEBUG_LDAP)
2293  if (hostdn != NULL)
2294  log_info ("Found dhcpServer LDAP entry '%s'", hostdn);
2295 #endif
2296 
2297  if (hostdn == NULL ||
2298  (tempbv = ldap_get_values_len (ld, hostent, "dhcpServiceDN")) == NULL ||
2299  tempbv[0] == NULL)
2300  {
2301  log_error ("Error: No dhcp service is associated with the server %s %s",
2302  (hostdn ? "dn" : "name"), (hostdn ? hostdn :
2303  (ldap_dhcp_server_cn ? ldap_dhcp_server_cn : unme.nodename)));
2304 
2305  if (tempbv != NULL)
2306  ldap_value_free_len (tempbv);
2307 
2308  if (hostdn)
2309  ldap_memfree (hostdn);
2310  ldap_msgfree (hostres);
2311  ldap_stop();
2312  x_parser_free(&cfile);
2313  return (ISC_R_FAILURE);
2314  }
2315 
2316 #if defined(DEBUG_LDAP)
2317  log_info ("LDAP: Parsing dhcpServer options '%s' ...", hostdn);
2318 #endif
2319 
2320  res = ldap_parse_entry_options(hostent, cfile, NULL);
2321  if (res != ISC_R_SUCCESS)
2322  {
2323  ldap_value_free_len (tempbv);
2324  ldap_msgfree (hostres);
2325  ldap_memfree (hostdn);
2326  ldap_stop();
2327  x_parser_free(&cfile);
2328  return res;
2329  }
2330 
2331  if (x_parser_length(cfile) > 0)
2332  {
2333  ldap_write_debug(cfile->inbuf, cfile->buflen);
2334 
2335  res = conf_file_subparse (cfile, root_group, ROOT_GROUP);
2336  if (res != ISC_R_SUCCESS)
2337  {
2338  log_error ("LDAP: cannot parse dhcpServer entry '%s'", hostdn);
2339  ldap_value_free_len (tempbv);
2340  ldap_msgfree (hostres);
2341  ldap_memfree (hostdn);
2342  ldap_stop();
2343  x_parser_free(&cfile);
2344  return res;
2345  }
2346  x_parser_reset(cfile);
2347  }
2348  ldap_msgfree (hostres);
2349 
2350  res = ISC_R_SUCCESS;
2351  for (cnt=0; tempbv[cnt] != NULL; cnt++)
2352  {
2353 
2354  if (_do_ldap_str2esc_filter_bv(hostdn, 0, &bv_o[0]) == NULL)
2355  {
2356  log_error ("Cannot escape ldap filter value %s: %m", hostdn);
2357  res = ISC_R_FAILURE;
2358  break;
2359  }
2360 
2361  snprintf(sfilter, sizeof(sfilter), "(&(objectClass=dhcpService)"
2362  "(|(|(dhcpPrimaryDN=%s)(dhcpSecondaryDN=%s))(dhcpServerDN=%s)))",
2363  bv_o[0].bv_val, bv_o[0].bv_val, bv_o[0].bv_val);
2364 
2365  ber_memfree(bv_o[0].bv_val);
2366 
2367  ldres = NULL;
2368  if ((ret = ldap_search_ext_s (ld, tempbv[cnt]->bv_val, LDAP_SCOPE_BASE,
2369  sfilter, NULL, 0, NULL, NULL, NULL,
2370  0, &ldres)) != LDAP_SUCCESS)
2371  {
2372  log_error ("Error searching for dhcpServiceDN '%s': %s. Please update the LDAP entry '%s'",
2373  tempbv[cnt]->bv_val, ldap_err2string (ret), hostdn);
2374  if(NULL != ldres)
2375  ldap_msgfree(ldres);
2376  res = ISC_R_FAILURE;
2377  break;
2378  }
2379 
2380  if ((ent = ldap_first_entry (ld, ldres)) == NULL)
2381  {
2382  log_error ("Error: Cannot find dhcpService DN '%s' with server reference. Please update the LDAP server entry '%s'",
2383  tempbv[cnt]->bv_val, hostdn);
2384 
2385  ldap_msgfree(ldres);
2386  res = ISC_R_FAILURE;
2387  break;
2388  }
2389 
2390  /*
2391  ** FIXME: how to free the remembered dn's on exit?
2392  ** This should be OK if dmalloc registers the
2393  ** memory it allocated and frees it on exit..
2394  */
2395 
2396  curr = dmalloc (sizeof (*curr), MDL);
2397  if (curr != NULL)
2398  {
2399  length = strlen (tempbv[cnt]->bv_val);
2400  curr->dn = dmalloc (length + 1, MDL);
2401  if (curr->dn == NULL)
2402  {
2403  dfree (curr, MDL);
2404  curr = NULL;
2405  }
2406  else
2407  strcpy (curr->dn, tempbv[cnt]->bv_val);
2408  }
2409 
2410  if (curr != NULL)
2411  {
2412  curr->refs++;
2413 
2414  /* append to service-dn list */
2415  if (ldap_service_dn_tail != NULL)
2416  ldap_service_dn_tail->next = curr;
2417  else
2418  ldap_service_dn_head = curr;
2419 
2420  ldap_service_dn_tail = curr;
2421  }
2422  else
2423  log_fatal ("no memory to remember ldap service dn");
2424 
2425 #if defined (DEBUG_LDAP)
2426  log_info ("LDAP: Parsing dhcpService DN '%s' ...", tempbv[cnt]->bv_val);
2427 #endif
2428  add_to_config_stack (ldres, ent);
2429  res = conf_file_subparse (cfile, root_group, ROOT_GROUP);
2430  if (res != ISC_R_SUCCESS)
2431  {
2432  log_error ("LDAP: cannot parse dhcpService entry '%s'", tempbv[cnt]->bv_val);
2433  break;
2434  }
2435  }
2436 
2437  x_parser_free(&cfile);
2438  ldap_close_debug_fd();
2439 
2440  ldap_memfree (hostdn);
2441  ldap_value_free_len (tempbv);
2442 
2443  if (res != ISC_R_SUCCESS)
2444  {
2445  struct ldap_config_stack *temp_stack;
2446 
2447  while ((curr = ldap_service_dn_head) != NULL)
2448  {
2449  ldap_service_dn_head = curr->next;
2450  dfree (curr->dn, MDL);
2451  dfree (curr, MDL);
2452  }
2453 
2454  ldap_service_dn_tail = NULL;
2455 
2456  while ((temp_stack = ldap_stack) != NULL)
2457  {
2458  ldap_stack = temp_stack->next;
2459  free_stack_entry (temp_stack);
2460  }
2461 
2462  ldap_stop();
2463  }
2464 
2465  /* Unbind from ldap immediately after reading config in static mode. */
2466  if (ldap_method == LDAP_METHOD_STATIC)
2467  ldap_stop();
2468 
2469  return (res);
2470 }
2471 
2472 
2473 /* This function will parse the dhcpOption and dhcpStatements field in the LDAP
2474  entry if it exists. Right now, type will be either HOST_DECL or CLASS_DECL.
2475  If we are parsing a HOST_DECL, this always returns 0. If we are parsing a
2476  CLASS_DECL, this will return what the current lease limit is in LDAP. If
2477  there is no lease limit specified, we return 0 */
2478 
2479 static int
2480 ldap_parse_options (LDAPMessage * ent, struct group *group,
2481  int type, struct host_decl *host,
2482  struct class **class)
2483 {
2484  int declaration, lease_limit;
2485  enum dhcp_token token;
2486  struct parse *cfile;
2487  isc_result_t res;
2488  const char *val;
2489 
2490  lease_limit = 0;
2491  cfile = x_parser_init(type == HOST_DECL ? "LDAP-HOST" : "LDAP-SUBCLASS");
2492  if (cfile == NULL)
2493  return (lease_limit);
2494 
2495  /* This block of code will try to find the parent of the host, and
2496  if it is a group object, fetch the options and apply to the host. */
2497  if (type == HOST_DECL)
2498  {
2499  char *hostdn, *basedn, *temp1, *temp2, filter[1024];
2500  LDAPMessage *groupdn, *entry;
2501  int ret;
2502 
2503  hostdn = ldap_get_dn (ld, ent);
2504  if( hostdn != NULL)
2505  {
2506  basedn = NULL;
2507 
2508  temp1 = strchr (hostdn, '=');
2509  if (temp1 != NULL)
2510  temp1 = strchr (++temp1, '=');
2511  if (temp1 != NULL)
2512  temp2 = strchr (++temp1, ',');
2513  else
2514  temp2 = NULL;
2515 
2516  if (temp2 != NULL)
2517  {
2518  struct berval bv_o;
2519 
2520  if (_do_ldap_str2esc_filter_bv(temp1, (temp2 - temp1), &bv_o) == NULL)
2521  {
2522  log_error ("Cannot escape ldap filter value %.*s: %m",
2523  (int)(temp2 - temp1), temp1);
2524  filter[0] = '\0';
2525  }
2526  else
2527  {
2528  snprintf (filter, sizeof(filter),
2529  "(&(cn=%s)(objectClass=dhcpGroup))",
2530  bv_o.bv_val);
2531 
2532  ber_memfree(bv_o.bv_val);
2533  }
2534 
2535  basedn = strchr (temp1, ',');
2536  if (basedn != NULL)
2537  ++basedn;
2538  }
2539 
2540  if (basedn != NULL && *basedn != '\0' && filter[0] != '\0')
2541  {
2542  ret = ldap_search_ext_s (ld, basedn, LDAP_SCOPE_SUBTREE, filter,
2543  NULL, 0, NULL, NULL, NULL, 0, &groupdn);
2544  if (ret == LDAP_SUCCESS)
2545  {
2546  if ((entry = ldap_first_entry (ld, groupdn)) != NULL)
2547  {
2548  res = ldap_parse_entry_options (entry, cfile, &lease_limit);
2549  if (res != ISC_R_SUCCESS)
2550  {
2551  /* reset option buffer discarding any results */
2552  x_parser_reset(cfile);
2553  lease_limit = 0;
2554  }
2555  }
2556  ldap_msgfree( groupdn);
2557  }
2558  }
2559  ldap_memfree( hostdn);
2560  }
2561  }
2562 
2563  res = ldap_parse_entry_options (ent, cfile, &lease_limit);
2564  if (res != ISC_R_SUCCESS)
2565  {
2566  x_parser_free(&cfile);
2567  return (lease_limit);
2568  }
2569 
2570  if (x_parser_length(cfile) == 0)
2571  {
2572  x_parser_free(&cfile);
2573  return (lease_limit);
2574  }
2575 
2576  declaration = 0;
2577  do
2578  {
2579  token = peek_token (&val, NULL, cfile);
2580  if (token == END_OF_FILE)
2581  break;
2582  declaration = parse_statement (cfile, group, type, host, declaration);
2583  } while (1);
2584 
2585  x_parser_free(&cfile);
2586 
2587  return (lease_limit);
2588 }
2589 
2590 
2591 
2592 int
2593 find_haddr_in_ldap (struct host_decl **hp, int htype, unsigned hlen,
2594  const unsigned char *haddr, const char *file, int line)
2595 {
2596  char buf[128], *type_str;
2597  LDAPMessage * res, *ent;
2598  struct host_decl * host;
2599  isc_result_t status;
2600  ldap_dn_node *curr;
2601  char up_hwaddr[20];
2602  char lo_hwaddr[20];
2603  int ret;
2604  struct berval bv_o[2];
2605 
2606  *hp = NULL;
2607 
2608 
2609  if (ldap_method == LDAP_METHOD_STATIC)
2610  return (0);
2611 
2612  if (ld == NULL)
2613  ldap_start ();
2614  if (ld == NULL)
2615  return (0);
2616 
2617  switch (htype)
2618  {
2619  case HTYPE_ETHER:
2620  type_str = "ethernet";
2621  break;
2622  case HTYPE_IEEE802:
2623  type_str = "token-ring";
2624  break;
2625  case HTYPE_FDDI:
2626  type_str = "fddi";
2627  break;
2628  default:
2629  log_info ("Ignoring unknown type %d", htype);
2630  return (0);
2631  }
2632 
2633  /*
2634  ** FIXME: It is not guaranteed, that the dhcpHWAddress attribute
2635  ** contains _exactly_ "type addr" with one space between!
2636  */
2637  snprintf(lo_hwaddr, sizeof(lo_hwaddr), "%s",
2638  print_hw_addr (htype, hlen, haddr));
2639  x_strxform(up_hwaddr, lo_hwaddr, sizeof(up_hwaddr), toupper);
2640 
2641  if (_do_ldap_str2esc_filter_bv(lo_hwaddr, 0, &bv_o[0]) == NULL)
2642  {
2643  log_error ("Cannot escape ldap filter value %s: %m", lo_hwaddr);
2644  return (0);
2645  }
2646  if (_do_ldap_str2esc_filter_bv(up_hwaddr, 0, &bv_o[1]) == NULL)
2647  {
2648  log_error ("Cannot escape ldap filter value %s: %m", up_hwaddr);
2649  ber_memfree(bv_o[0].bv_val);
2650  return (0);
2651  }
2652 
2653  snprintf (buf, sizeof (buf),
2654  "(&(objectClass=dhcpHost)(|(dhcpHWAddress=%s %s)(dhcpHWAddress=%s %s)))",
2655  type_str, bv_o[0].bv_val, type_str, bv_o[1].bv_val);
2656 
2657  ber_memfree(bv_o[0].bv_val);
2658  ber_memfree(bv_o[1].bv_val);
2659 
2660  res = ent = NULL;
2661  for (curr = ldap_service_dn_head;
2662  curr != NULL && *curr->dn != '\0';
2663  curr = curr->next)
2664  {
2665 #if defined (DEBUG_LDAP)
2666  log_info ("Searching for %s in LDAP tree %s", buf, curr->dn);
2667 #endif
2668  ret = ldap_search_ext_s (ld, curr->dn, LDAP_SCOPE_SUBTREE, buf, NULL, 0,
2669  NULL, NULL, NULL, 0, &res);
2670 
2671  if(ret == LDAP_SERVER_DOWN)
2672  {
2673  log_info ("LDAP server was down, trying to reconnect...");
2674 
2675  ldap_stop();
2676  ldap_start();
2677  if(ld == NULL)
2678  {
2679  log_info ("LDAP reconnect failed - try again later...");
2680  return (0);
2681  }
2682 
2683  ret = ldap_search_ext_s (ld, curr->dn, LDAP_SCOPE_SUBTREE, buf, NULL,
2684  0, NULL, NULL, NULL, 0, &res);
2685  }
2686 
2687  if (ret == LDAP_SUCCESS)
2688  {
2689  ent = ldap_first_entry (ld, res);
2690 #if defined (DEBUG_LDAP)
2691  if (ent == NULL) {
2692  log_info ("No host entry for %s in LDAP tree %s",
2693  buf, curr->dn);
2694  }
2695 #endif
2696  while (ent != NULL) {
2697 #if defined (DEBUG_LDAP)
2698  char *dn = ldap_get_dn (ld, ent);
2699  if (dn != NULL)
2700  {
2701  log_info ("Found dhcpHWAddress LDAP entry %s", dn);
2702  ldap_memfree(dn);
2703  }
2704 #endif
2705 
2706  host = (struct host_decl *)0;
2707  status = host_allocate (&host, MDL);
2708  if (status != ISC_R_SUCCESS)
2709  {
2710  log_fatal ("can't allocate host decl struct: %s",
2711  isc_result_totext (status));
2712  ldap_msgfree (res);
2713  return (0);
2714  }
2715 
2716  host->name = ldap_get_host_name (ent);
2717  if (host->name == NULL)
2718  {
2719  host_dereference (&host, MDL);
2720  ldap_msgfree (res);
2721  return (0);
2722  }
2723 
2724  if (!clone_group (&host->group, root_group, MDL))
2725  {
2726  log_fatal ("can't clone group for host %s", host->name);
2727  host_dereference (&host, MDL);
2728  ldap_msgfree (res);
2729  return (0);
2730  }
2731 
2732  ldap_parse_options (ent, host->group, HOST_DECL, host, NULL);
2733 
2734  host->n_ipaddr = *hp;
2735  *hp = host;
2736  ent = ldap_next_entry (ld, ent);
2737  }
2738  if(res)
2739  {
2740  ldap_msgfree (res);
2741  res = NULL;
2742  }
2743  return (*hp != NULL);
2744  }
2745  else
2746  {
2747  if(res)
2748  {
2749  ldap_msgfree (res);
2750  res = NULL;
2751  }
2752 
2753  if (ret != LDAP_NO_SUCH_OBJECT && ret != LDAP_SUCCESS)
2754  {
2755  log_error ("Cannot search for %s in LDAP tree %s: %s", buf,
2756  curr->dn, ldap_err2string (ret));
2757  ldap_stop();
2758  return (0);
2759  }
2760 #if defined (DEBUG_LDAP)
2761  else
2762  {
2763  log_info ("ldap_search_ext_s returned %s when searching for %s in %s",
2764  ldap_err2string (ret), buf, curr->dn);
2765  }
2766 #endif
2767  }
2768  }
2769 
2770  return (0);
2771 }
2772 
2773 
2774 int
2775 find_subclass_in_ldap (struct class *class, struct class **newclass,
2776  struct data_string *data)
2777 {
2778  LDAPMessage * res, * ent;
2779  int ret, lease_limit;
2780  isc_result_t status;
2781  ldap_dn_node *curr;
2782  char buf[2048];
2783  struct berval bv_class;
2784  struct berval bv_cdata;
2785  char *hex_1;
2786 
2787  if (ldap_method == LDAP_METHOD_STATIC)
2788  return (0);
2789 
2790  if (ld == NULL)
2791  ldap_start ();
2792  if (ld == NULL)
2793  return (0);
2794 
2795  hex_1 = print_hex_1 (data->len, data->data, 1024);
2796  if (*hex_1 == '"')
2797  {
2798  /* result is a quotted not hex string: ldap escape the original string */
2799  if (_do_ldap_str2esc_filter_bv((const char*)data->data, data->len, &bv_cdata) == NULL)
2800  {
2801  log_error ("Cannot escape ldap filter value %s: %m", hex_1);
2802  return (0);
2803  }
2804  hex_1 = NULL;
2805  }
2806  if (_do_ldap_str2esc_filter_bv(class->name, strlen (class->name), &bv_class) == NULL)
2807  {
2808  log_error ("Cannot escape ldap filter value %s: %m", class->name);
2809  if (hex_1 == NULL)
2810  ber_memfree(bv_cdata.bv_val);
2811  return (0);
2812  }
2813 
2814  snprintf (buf, sizeof (buf),
2815  "(&(objectClass=dhcpSubClass)(cn=%s)(dhcpClassData=%s))",
2816  (hex_1 == NULL ? bv_cdata.bv_val : hex_1), bv_class.bv_val);
2817 
2818  if (hex_1 == NULL)
2819  ber_memfree(bv_cdata.bv_val);
2820  ber_memfree(bv_class.bv_val);
2821 
2822 #if defined (DEBUG_LDAP)
2823  log_info ("Searching LDAP for %s", buf);
2824 #endif
2825 
2826  res = ent = NULL;
2827  for (curr = ldap_service_dn_head;
2828  curr != NULL && *curr->dn != '\0';
2829  curr = curr->next)
2830  {
2831 #if defined (DEBUG_LDAP)
2832  log_info ("Searching for %s in LDAP tree %s", buf, curr->dn);
2833 #endif
2834  ret = ldap_search_ext_s (ld, curr->dn, LDAP_SCOPE_SUBTREE, buf, NULL, 0,
2835  NULL, NULL, NULL, 0, &res);
2836 
2837  if(ret == LDAP_SERVER_DOWN)
2838  {
2839  log_info ("LDAP server was down, trying to reconnect...");
2840 
2841  ldap_stop();
2842  ldap_start();
2843 
2844  if(ld == NULL)
2845  {
2846  log_info ("LDAP reconnect failed - try again later...");
2847  return (0);
2848  }
2849 
2850  ret = ldap_search_ext_s (ld, curr->dn, LDAP_SCOPE_SUBTREE, buf,
2851  NULL, 0, NULL, NULL, NULL, 0, &res);
2852  }
2853 
2854  if (ret == LDAP_SUCCESS)
2855  {
2856  if( (ent = ldap_first_entry (ld, res)) != NULL)
2857  break; /* search OK and have entry */
2858 
2859 #if defined (DEBUG_LDAP)
2860  log_info ("No subclass entry for %s in LDAP tree %s",
2861  buf, curr->dn);
2862 #endif
2863  if(res)
2864  {
2865  ldap_msgfree (res);
2866  res = NULL;
2867  }
2868  }
2869  else
2870  {
2871  if(res)
2872  {
2873  ldap_msgfree (res);
2874  res = NULL;
2875  }
2876 
2877  if (ret != LDAP_NO_SUCH_OBJECT && ret != LDAP_SUCCESS)
2878  {
2879  log_error ("Cannot search for %s in LDAP tree %s: %s", buf,
2880  curr->dn, ldap_err2string (ret));
2881  ldap_stop();
2882  return (0);
2883  }
2884 #if defined (DEBUG_LDAP)
2885  else
2886  {
2887  log_info ("ldap_search_ext_s returned %s when searching for %s in %s",
2888  ldap_err2string (ret), buf, curr->dn);
2889  }
2890 #endif
2891  }
2892  }
2893 
2894  if (res && ent)
2895  {
2896 #if defined (DEBUG_LDAP)
2897  char *dn = ldap_get_dn (ld, ent);
2898  if (dn != NULL)
2899  {
2900  log_info ("Found subclass LDAP entry %s", dn);
2901  ldap_memfree(dn);
2902  }
2903 #endif
2904 
2905  status = class_allocate (newclass, MDL);
2906  if (status != ISC_R_SUCCESS)
2907  {
2908  log_error ("Cannot allocate memory for a new class");
2909  ldap_msgfree (res);
2910  return (0);
2911  }
2912 
2913  group_reference (&(*newclass)->group, class->group, MDL);
2914  class_reference (&(*newclass)->superclass, class, MDL);
2915  lease_limit = ldap_parse_options (ent, (*newclass)->group,
2916  CLASS_DECL, NULL, newclass);
2917  if (lease_limit == 0)
2918  (*newclass)->lease_limit = class->lease_limit;
2919  else
2920  class->lease_limit = lease_limit;
2921 
2922  if ((*newclass)->lease_limit)
2923  {
2924  (*newclass)->billed_leases =
2925  dmalloc ((*newclass)->lease_limit * sizeof (struct lease *), MDL);
2926  if (!(*newclass)->billed_leases)
2927  {
2928  log_error ("no memory for billing");
2929  class_dereference (newclass, MDL);
2930  ldap_msgfree (res);
2931  return (0);
2932  }
2933  memset ((*newclass)->billed_leases, 0,
2934  ((*newclass)->lease_limit * sizeof (struct lease *)));
2935  }
2936 
2937  data_string_copy (&(*newclass)->hash_string, data, MDL);
2938 
2939  ldap_msgfree (res);
2940  return (1);
2941  }
2942 
2943  if(res) ldap_msgfree (res);
2944  return (0);
2945 }
2946 
2947 int find_client_in_ldap (struct host_decl **hp, struct packet *packet,
2948  struct option_state *state, const char *file, int line)
2949 {
2950  LDAPMessage * res, * ent;
2951  ldap_dn_node *curr;
2952  struct host_decl * host;
2953  isc_result_t status;
2954  struct data_string client_id;
2955  char buf[1024], buf1[1024];
2956  int ret;
2957 
2958  if (ldap_method == LDAP_METHOD_STATIC)
2959  return (0);
2960 
2961  if (ld == NULL)
2962  ldap_start ();
2963  if (ld == NULL)
2964  return (0);
2965 
2966  memset(&client_id, 0, sizeof(client_id));
2967  if (get_client_id(packet, &client_id) != ISC_R_SUCCESS)
2968  return (0);
2969  snprintf(buf, sizeof(buf),
2970  "(&(objectClass=dhcpHost)(dhcpClientId=%s))",
2971  print_hw_addr(0, client_id.len, client_id.data));
2972 
2973  /* log_info ("Searching LDAP for %s (%s)", buf, packet->interface->shared_network->name); */
2974 
2975  res = ent = NULL;
2976  for (curr = ldap_service_dn_head;
2977  curr != NULL && *curr->dn != '\0';
2978  curr = curr->next)
2979  {
2980  snprintf(buf1, sizeof(buf1), "cn=%s,%s", packet->interface->shared_network->name, curr->dn);
2981 #if defined (DEBUG_LDAP)
2982  log_info ("Searching for %s in LDAP tree %s", buf, buf1);
2983 #endif
2984  ret = ldap_search_ext_s (ld, buf1, LDAP_SCOPE_SUBTREE, buf, NULL, 0,
2985  NULL, NULL, NULL, 0, &res);
2986 
2987  if(ret == LDAP_SERVER_DOWN)
2988  {
2989  log_info ("LDAP server was down, trying to reconnect...");
2990 
2991  ldap_stop();
2992  ldap_start();
2993 
2994  if(ld == NULL)
2995  {
2996  log_info ("LDAP reconnect failed - try again later...");
2997  return (0);
2998  }
2999 
3000  ret = ldap_search_ext_s (ld, buf1, LDAP_SCOPE_SUBTREE, buf,
3001  NULL, 0, NULL, NULL, NULL, 0, &res);
3002  }
3003 
3004  if (ret == LDAP_SUCCESS)
3005  {
3006  if( (ent = ldap_first_entry (ld, res)) != NULL) {
3007  log_info ("found entry in search %s", buf1);
3008  break; /* search OK and have entry */
3009  }
3010 
3011 #if defined (DEBUG_LDAP)
3012  log_info ("No subclass entry for %s in LDAP tree %s", buf, curr->dn);
3013 #endif
3014  if(res)
3015  {
3016  ldap_msgfree (res);
3017  res = NULL;
3018  }
3019  }
3020  else
3021  {
3022  if(res)
3023  {
3024  ldap_msgfree (res);
3025  res = NULL;
3026  }
3027 
3028  if (ret != LDAP_NO_SUCH_OBJECT && ret != LDAP_SUCCESS)
3029  {
3030  log_error ("Cannot search for %s in LDAP tree %s: %s", buf,
3031  curr->dn, ldap_err2string (ret));
3032  ldap_stop();
3033  return (0);
3034  }
3035  else
3036  {
3037  log_info ("did not find: %s", buf);
3038  }
3039  }
3040  }
3041 
3042  if (res && ent)
3043  {
3044 #if defined (DEBUG_LDAP)
3045  log_info ("ldap_get_dn %s", curr->dn);
3046  char *dn = ldap_get_dn (ld, ent);
3047  if (dn != NULL)
3048  {
3049  log_info ("Found subclass LDAP entry %s", dn);
3050  ldap_memfree(dn);
3051  } else {
3052  log_info ("DN is null %s", dn);
3053  }
3054 #endif
3055 
3056  host = (struct host_decl *)0;
3057  status = host_allocate (&host, MDL);
3058  if (status != ISC_R_SUCCESS)
3059  {
3060  log_fatal ("can't allocate host decl struct: %s",
3061  isc_result_totext (status));
3062  ldap_msgfree (res);
3063  return (0);
3064  }
3065 
3066  host->name = ldap_get_host_name (ent);
3067  if (host->name == NULL)
3068  {
3069  host_dereference (&host, MDL);
3070  ldap_msgfree (res);
3071  return (0);
3072  }
3073  /* log_info ("Host name %s", host->name); */
3074 
3075  if (!clone_group (&host->group, root_group, MDL))
3076  {
3077  log_fatal ("can't clone group for host %s", host->name);
3078  host_dereference (&host, MDL);
3079  ldap_msgfree (res);
3080  return (0);
3081  }
3082 
3083  ldap_parse_options (ent, host->group, HOST_DECL, host, NULL);
3084 
3085  *hp = host;
3086  ldap_msgfree (res);
3087  return (1);
3088  }
3089  else
3090  {
3091  log_info ("did not find clientid: %s", buf);
3092  }
3093 
3094  if(res) ldap_msgfree (res);
3095  return (0);
3096 
3097 }
3098 
3099 #if defined(LDAP_USE_GSSAPI)
3100 static int
3101 _ldap_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *sin)
3102 {
3103  sasl_interact_t *in;
3104  struct ldap_sasl_instance *ldap_inst = defaults;
3105  int ret = LDAP_OTHER;
3106  size_t size;
3107 
3108  if (ld == NULL || sin == NULL)
3109  return LDAP_PARAM_ERROR;
3110 
3111  log_info("doing interactive bind");
3112  for (in = sin; in != NULL && in->id != SASL_CB_LIST_END; in++) {
3113  switch (in->id) {
3114  case SASL_CB_USER:
3115  log_info("got request for SASL_CB_USER %s", ldap_inst->sasl_authz_id);
3116  size = strlen(ldap_inst->sasl_authz_id);
3117  in->result = ldap_inst->sasl_authz_id;
3118  in->len = size;
3119  ret = LDAP_SUCCESS;
3120  break;
3121  case SASL_CB_GETREALM:
3122  log_info("got request for SASL_CB_GETREALM %s", ldap_inst->sasl_realm);
3123  size = strlen(ldap_inst->sasl_realm);
3124  in->result = ldap_inst->sasl_realm;
3125  in->len = size;
3126  ret = LDAP_SUCCESS;
3127  break;
3128  case SASL_CB_AUTHNAME:
3129  log_info("got request for SASL_CB_AUTHNAME %s", ldap_inst->sasl_authc_id);
3130  size = strlen(ldap_inst->sasl_authc_id);
3131  in->result = ldap_inst->sasl_authc_id;
3132  in->len = size;
3133  ret = LDAP_SUCCESS;
3134  break;
3135  case SASL_CB_PASS:
3136  log_info("got request for SASL_CB_PASS %s", ldap_inst->sasl_password);
3137  size = strlen(ldap_inst->sasl_password);
3138  in->result = ldap_inst->sasl_password;
3139  in->len = size;
3140  ret = LDAP_SUCCESS;
3141  break;
3142  default:
3143  goto cleanup;
3144  }
3145  }
3146  return ret;
3147 
3148 cleanup:
3149  in->result = NULL;
3150  in->len = 0;
3151  return LDAP_OTHER;
3152 }
3153 #endif /* LDAP_USE_GSSAPI */
3154 
3155 
3156 #endif
void data_string_forget(struct data_string *data, const char *file, int line)
Definition: alloc.c:1339
int option_state_allocate(struct option_state **ptr, const char *file, int line)
Definition: alloc.c:846
int option_state_dereference(struct option_state **ptr, const char *file, int line)
Definition: alloc.c:911
int group_reference(struct group **ptr, struct group *bp, const char *file, int line)
Definition: alloc.c:177
void data_string_copy(struct data_string *dest, const struct data_string *src, const char *file, int line)
Definition: alloc.c:1323
enum dhcp_token peek_token(const char **rval, unsigned *rlen, struct parse *cfile)
Definition: conflex.c:443
isc_result_t end_parse(struct parse **cfile)
Definition: conflex.c:103
isc_result_t new_parse(struct parse **cfile, int file, char *inbuf, unsigned buflen, const char *name, int eolp)
Definition: conflex.c:41
struct option_cache * lookup_option(struct universe *universe, struct option_state *options, unsigned code)
Definition: options.c:2503
char * quotify_string(const char *s, const char *file, int line)
Definition: print.c:33
char * print_hw_addr(int htype, const int hlen, const unsigned char *data) const
Definition: print.c:171
#define HAVE_INET_NTOP
Definition: config.h:60
u_int32_t getULong(const unsigned char *)
#define HTYPE_IEEE802
Definition: dhcp.h:76
#define HTYPE_FDDI
Definition: dhcp.h:77
#define HTYPE_ETHER
Definition: dhcp.h:75
isc_result_t get_client_id(struct packet *, struct data_string *)
#define CLASS_DECL
Definition: dhcpd.h:690
int parse_statement(struct parse *, struct group *, int, struct host_decl *, int)
Definition: confpars.c:364
struct universe server_universe
Definition: stables.c:176
isc_result_t conf_file_subparse(struct parse *, struct group *, int)
Definition: confpars.c:250
const char int line
Definition: dhcpd.h:3793
void cleanup(void)
const char * file
Definition: dhcpd.h:3793
#define ROOT_GROUP
Definition: dhcpd.h:686
#define print_hex_1(len, data, limit)
Definition: dhcpd.h:2633
#define HOST_DECL
Definition: dhcpd.h:687
void execute_statements_in_scope(struct binding_value **result, struct packet *packet, struct lease *lease, struct client_state *client_state, struct option_state *in_options, struct option_state *out_options, struct binding_scope **scope, struct group *group, struct group *limiting_group, struct on_star *on_star)
Definition: execute.c:570
dhcp_token
Definition: dhctoken.h:34
@ END_OF_FILE
Definition: dhctoken.h:307
#define ISC_R_SUCCESS
int clone_group(struct group **gp, struct group *group, const char *file, int line)
Definition: memory.c:130
struct group * root_group
Definition: memory.c:31
#define MDL
Definition: omapip.h:567
const char int
Definition: omapip.h:442
void * dmalloc(size_t, const char *, int)
Definition: alloc.c:57
void dfree(void *, const char *, int)
Definition: alloc.c:145
int log_error(const char *,...) __attribute__((__format__(__printf__
void log_fatal(const char *,...) __attribute__((__format__(__printf__
int int log_info(const char *,...) __attribute__((__format__(__printf__
Definition: dhcpd.h:1098
struct group * group
Definition: dhcpd.h:1125
char * name
Definition: dhcpd.h:1102
const unsigned char * data
Definition: tree.h:78
unsigned len
Definition: tree.h:79
Definition: dhcpd.h:958
char * name
Definition: dhcpd.h:974
int flags
Definition: dhcpd.h:987
struct group * group
Definition: dhcpd.h:984
struct host_decl * n_ipaddr
Definition: dhcpd.h:972
struct shared_network * shared_network
Definition: dhcpd.h:1379
Definition: dhcpd.h:560
Definition: dhcpd.h:405
struct interface_info * interface
Definition: dhcpd.h:433
Definition: dhcpd.h:288
size_t buflen
Definition: dhcpd.h:329
size_t bufsiz
Definition: dhcpd.h:330
const char * tlname
Definition: dhcpd.h:294
size_t bufix
Definition: dhcpd.h:329
struct parse * saved_state
Definition: dhcpd.h:332
char * inbuf
Definition: dhcpd.h:328
char * name
Definition: dhcpd.h:1056
int evaluate_option_cache(struct data_string *result, struct packet *packet, struct lease *lease, struct client_state *client_state, struct option_state *in_options, struct option_state *cfg_options, struct binding_scope **scope, struct option_cache *oc, const char *file, int line)
Definition: tree.c:2699
struct binding_scope * global_scope
Definition: tree.c:38