Re: [squid-users] LDAP, Squid, and ssl

From: Michael Cunningham <archive@dont-contact.us>
Date: Wed, 12 Dec 2001 20:29:48 -0500 (EST)

Folks,

With a fair amount of pain I was able to create this
patch to squid_ldap_auth.c that adds TLS support.
It works well, but it's ugly :) — I haven't coded in C in years.
Feel free to clean it up and include it in the next
release if you want. It should probably include plain old
SSL support as well, but I don't need that at the moment.

Thanks.. Mike Cunningham

###########################################################

*** squid_ldap_auth.c.orig Wed Dec 12 16:38:23 2001
--- squid_ldap_auth.c Wed Dec 12 20:08:53 2001
***************
*** 11,20 ****
   *
   * Usage: squid_ldap_auth -b basedn [-s searchscope]
   * [-f searchfilter] [-D binddn -w bindpasswd]
! * [-u attr] [-p] [-R] <ldap_server_name>
   *
   * Dependencies: You need to get the OpenLDAP libraries
! * from http://www.openldap.org
   *
   * License: squid_ldap_auth is free software; you can redistribute it
   * and/or modify it under the terms of the GNU General Public License
--- 11,23 ----
   *
   * Usage: squid_ldap_auth -b basedn [-s searchscope]
   * [-f searchfilter] [-D binddn -w bindpasswd]
! * [-u attr] [-p] [-R] [-v] [-z] <ldap_server_name>
   *
   * Dependencies: You need to get the OpenLDAP libraries
! * from http://www.openldap.org,
! *
! * If you want to make a TLS enabled
! * connection you will also need the openssl libraries linked into openldap
   *
   * License: squid_ldap_auth is free software; you can redistribute it
   * and/or modify it under the terms of the GNU General Public License
***************
*** 22,27 ****
--- 25,32 ----
   * or (at your option) any later version.
   *
   * Changes:
+ * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
+ - Added TLS support and partial ldap version 3 support.
   * 2001-10-04: Henrik Nordstrom <hno@squid-cache.org>
   * - Be consistent with the other helpers in how
   * spaces are managed. If there is space characters
***************
*** 62,67 ****
--- 67,76 ----
  static int noreferrals = 0;
  static int aliasderef = LDAP_DEREF_NEVER;
  
+ /* Added for TLS support and version 3 */
+ static int use_tls = 0;
+ static int version = -1;
+
  static int checkLDAP(LDAP * ld, char *userid, char *password);
  
  /* Yuck.. we need to glue to different versions of the API */
***************
*** 117,122 ****
--- 126,132 ----
          switch(option) {
          case 'p':
          case 'R':
+ case 'z':
              break;
          default:
              if (strlen(argv[1]) > 2) {
***************
*** 175,183 ****
--- 185,215 ----
          case 'p':
                  persistent = !persistent;
                  break;
+ case 'v':
+ switch( atoi(value) ) {
+ case 2:
+ version = LDAP_VERSION2;
+ break;
+ case 3:
+ version = LDAP_VERSION3;
+ break;
+ default:
+ fprintf( stderr, "Protocol version should be 2 or 3\n");
+ exit(1);
+ } break;
+
          case 'R':
                  noreferrals = !noreferrals;
                  break;
+ case 'z':
+ if ( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "-z incompatible with version %d\n",
+ version );
+ exit(1);
+ }
+ version = LDAP_VERSION3;
+ use_tls = !use_tls;
+ break;
          default:
                  fprintf(stderr, "squid_ldap_auth: ERROR: Unknown command line option '%c'\n", option);
                  exit(1);
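Review bot: The `-z` case forces `version = LDAP_VERSION3`, but a later `-v 2` on the same command line overwrites it, and since the StartTLS upgrade elsewhere in the patch is conditioned on `version == LDAP_VERSION3`, the helper would then bind without TLS even though `-z` was given; the incompatibility check in the `-z` case only catches `-v 2` written before `-z`. The `-v` case should refuse the downgrade as well, e.g. in `case 2:` before the assignment: `if ( use_tls ) { fprintf( stderr, "-v 2 is incompatible with -z\n" ); exit(1); }`. Note also that `use_tls = !use_tls` lets a repeated `-z` switch TLS off again while leaving `version` at 3, which is probably not intended; `use_tls = 1` would be safer. The enclosing option-parsing switch starts and ends outside this hunk.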
***************
*** 193,199 ****
--- 225,233 ----
          fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
          fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
          fprintf(stderr, "\t-p\t\t\tpersistent LDAP connection\n");
+ fprintf(stderr, "\t-v\t\t\tProtocol version - defaults to 2\n");
          fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
+ fprintf(stderr, "\t-z\t\t\tUse TLS for the LDAP connection - requires protocol ver 3\n");
          fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
          fprintf(stderr, "\n");
          fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
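Review bot: The new usage line for `-v` does not show that the option takes an argument, unlike `-b basedn` and `-w bindpasswd` on the neighbouring lines, and the comment header in the first hunk has the same `[-v] [-z]` form. Suggest `fprintf(stderr, "\t-v version\t\tLDAP protocol version, 2 or 3 - defaults to 2\n");` so users know `-v 3` is expected; the `-z` line could add that it uses StartTLS on the normal LDAP port rather than ldaps.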
***************
*** 218,223 ****
--- 252,275 ----
                      ldapServer, LDAP_PORT);
                  exit(1);
              }
+
+ if (version == -1 ) {
+ version = LDAP_VERSION2;
+ }
+
+ if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
+ != LDAP_OPT_SUCCESS )
+ {
+ fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
+ version );
+ exit(1);
+ }
+
+ if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS )) {
+ fprintf( stderr, "Could not Activate TLS connection\n");
+ exit(1);
+ }
+
              squid_ldap_set_referrals(ld, !noreferrals);
              squid_ldap_set_aliasderef(ld, aliasderef);
          }
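Review bot: The StartTLS check `( ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS )` is inverted: a successful TLS upgrade prints "Could not Activate TLS connection" and exits, while a failed upgrade falls through and the helper goes on to bind with the user's password over the unencrypted connection — the opposite of what `-z` is meant to guarantee. It should read `if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS )) {`, and failing closed here is correct since TLS was explicitly requested. Capturing the return code and printing `ldap_err2string( rc )` in the error message would make certificate or library problems diagnosable from the helper's stderr. Whether the server certificate is actually verified is not decided by this code; with OpenLDAP it presumably follows the TLS_REQCERT setting in ldap.conf, which is worth a comment so deployers do not assume `-z` implies verification. The enclosing connect block starts and ends outside this hunk.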