- #include "portable.h" /* need to ./configure openldap source to get this file */
- #include <stdio.h>
- #include <lber.h>
- #include <lber_pvt.h> /* BER_BVC definition */
- #include "lutil.h"
- #include <ldap_pvt_thread.h>
- #include <ac/string.h>
- #include <ac/unistd.h>
- #include <freeradius-client.h>
static LUTIL_PASSWD_CHK_FUNC chk_radius;	/* forward declaration; registered with lutil in init_module() */
/* Scheme prefix this module handles. The value following the prefix is what
 * chk_radius() receives as `passwd` and uses as the RADIUS user name. */
static const struct berval scheme = BER_BVC("{RADIUS}");
/* Serialises every chk_radius() call, including the RADIUS round-trip itself,
 * because the freeradius-client handle is built and torn down per call. */
static ldap_pvt_thread_mutex_t libradius_mutex;
/* Copied from freeradius-client 1.1.7 because the 1.1.6 headers do not define them.
 * NOTE(review): the #defines are unconditional. Against 1.1.7+ headers that define
 * the same value this is harmless; a differing value would be a redefinition warning. */
#define RC_CONFIG_FILE "/etc/radiusclient/radiusclient.conf"
/* Size of the Reply-Message buffer handed to rc_auth(); replaces a hard-coded 4096 for msg[]. */
#define PW_MAX_MSG_SIZE 4096
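/*
 * True when `bv` behaves like a NUL-terminated C string: bv_val is non-NULL,
 * bv_val[0..bv_len) contains no NUL, and bv_val[bv_len] is the terminator
 * (OpenLDAP bervals carry that trailing NUL). Rejecting embedded NULs matters
 * because the value is later copied with "%s": an embedded NUL would silently
 * shorten what reaches the RADIUS server.
 */
static int berval_is_cstring(const struct berval *bv)
{
	size_t i;

	if (bv == NULL || bv->bv_val == NULL) {
		return 0;
	}
	for (i = 0; i < bv->bv_len; i++) {
		if (bv->bv_val[i] == '\0') {
			return 0;
		}
	}
	return bv->bv_val[i] == '\0';
}

/*
 * Overwrite `n` bytes at `p` with zeros through a volatile pointer so the
 * compiler cannot drop the store as a dead write. Used for the cleartext
 * password buffer before it leaves the stack.
 */
static void wipe(void *p, size_t n)
{
	volatile unsigned char *vp = p;

	while (n--) {
		*vp++ = 0;
	}
}

/*
 * Check a {RADIUS} credential by asking the RADIUS server configured in RC_CONFIG_FILE.
 *
 * @param sc      the scheme prefix that matched ("{RADIUS}"); not used here.
 * @param passwd  stored value after the prefix; used verbatim as the RADIUS User-Name,
 *                with "@<default_realm>" appended when it carries no '@' and the
 *                configuration supplies a default_realm.
 * @param cred    cleartext credential supplied by the binding client; sent as User-Password.
 * @param text    error-text out-parameter of the lutil interface; never set here.
 * @return LUTIL_PASSWD_OK only when rc_auth() returns OK_RC together with a reply list;
 *         LUTIL_PASSWD_ERR for malformed input, config/dictionary errors, rejection or
 *         a missing reply (fail closed).
 *
 * Over-long values are rejected instead of truncated: truncating the user name would
 * authenticate a different identity, and truncating the password to AUTH_PASS_LEN would
 * let any credential sharing that prefix succeed. Every exit after the lock goes through
 * the `out` label so the avpair lists and the client handle are always released.
 */
static int chk_radius (const struct berval *sc, const struct berval *passwd, const struct berval *cred, const char **text )
{
	int rc = LUTIL_PASSWD_ERR;	/* default to password error */
	int result;
	int len;
	char username[128];
	char user_pass[AUTH_PASS_LEN + 1];
	char username_realm[256];
	char msg[PW_MAX_MSG_SIZE];	/* Reply-Message text filled in by rc_auth() */
	uint32_t service = PW_AUTHENTICATE_ONLY;
	VALUE_PAIR *send = NULL;
	VALUE_PAIR *receive = NULL;	/* NULL until rc_auth() hands back a reply list */
	const char *default_realm;
	rc_handle *rh = NULL;

	(void)sc;
	(void)text;

	fprintf(stderr, "chk_radius(): start\n");

	/* Validate before taking the lock so malformed input is cheap to reject. */
	if (!berval_is_cstring(cred) || !berval_is_cstring(passwd)) {
		return LUTIL_PASSWD_ERR;
	}
	if (cred->bv_len == 0 || cred->bv_len > AUTH_PASS_LEN) {
		fprintf(stderr, "chk_radius(): credential length %lu out of range\n", (unsigned long)cred->bv_len);
		return LUTIL_PASSWD_ERR;
	}
	if (passwd->bv_len == 0 || passwd->bv_len >= sizeof(username)) {
		fprintf(stderr, "chk_radius(): user name length %lu out of range\n", (unsigned long)passwd->bv_len);
		return LUTIL_PASSWD_ERR;
	}

	ldap_pvt_thread_mutex_lock( &libradius_mutex );

	rh = rc_read_config(RC_CONFIG_FILE);
	if (rh == NULL) {
		fprintf(stderr, "chk_radius(): RC_CONFIG_FILE error \n");
		goto out;
	}
	if (rc_read_dictionary(rh, rc_conf_str(rh, "dictionary")) != 0) {
		fprintf(stderr, "chk_radius(): dictionary error \n");
		goto out;
	}
	default_realm = rc_conf_str(rh, "default_realm");

	/* Both values fit by the length checks above; snprintf only adds the terminator. */
	snprintf(username, sizeof(username), "%s", passwd->bv_val);
	snprintf(user_pass, sizeof(user_pass), "%s", cred->bv_val);

	/* NOTE(review): radtest() is not declared by any header included in this file and
	 * its result is overwritten by rc_auth() below. Kept so the call path is unchanged,
	 * but it receives the cleartext password — confirm it is still needed. */
	result = radtest(username, user_pass);

	/* User-Name: append the default realm only when the name has no realm of its own.
	 * A name+realm that does not fit is an error, not a silently truncated realm. */
	if (strchr(username, '@') == NULL && default_realm != NULL && *default_realm != '\0') {
		len = snprintf(username_realm, sizeof(username_realm), "%s@%s", username, default_realm);
	} else {
		len = snprintf(username_realm, sizeof(username_realm), "%s", username);
	}
	if (len < 0 || (size_t)len >= sizeof(username_realm)) {
		fprintf(stderr, "chk_radius(): user name with realm does not fit (%s)\n", username);
		goto out;
	}

	if (rc_avpair_add(rh, &send, PW_USER_NAME, username_realm, -1, 0) == NULL) {
		fprintf(stderr, "chk_radius(): adding username failed (%s)\n", username);
		goto out;
	}
	if (rc_avpair_add(rh, &send, PW_USER_PASSWORD, user_pass, -1, 0) == NULL) {
		fprintf(stderr, "chk_radius(): auth for %s failed\n", username);
		goto out;
	}
	if (rc_avpair_add(rh, &send, PW_SERVICE_TYPE, &service, -1, 0) == NULL) {
		fprintf(stderr, "chk_radius(): error setting PW_SERVICE_TYPE\n");
		goto out;
	}

	fprintf(stderr, "chk_radius(): calling rc_auth()\n");
	msg[0] = '\0';
	result = rc_auth(rh, 0, send, &receive, msg);
	fprintf(stderr, "chk_radius(): rc_auth() completed\n");

	/* Accept only OK_RC accompanied by a reply list; either one alone fails closed. */
	if (result == OK_RC && receive != NULL) {
		fprintf(stderr, "chk_radius(): \"%s\" RADIUS Authentication OK\n", username);
		rc = LUTIL_PASSWD_OK;
	} else {
		fprintf(stderr, "chk_radius():\"%s\" RADIUS Authentication failure (RC=%i)\n", username, result);
	}

out:
	/* Single unwind path: release what was acquired, in reverse order. */
	if (receive != NULL) {
		rc_avpair_free(receive);
	}
	if (send != NULL) {
		rc_avpair_free(send);	/* also releases the User-Password pair */
	}
	if (rh != NULL) {
		/* rc_destroy() (freeradius-client >= 1.1.7) frees the dictionary and the handle,
		 * both of which the previous code leaked on every call. On 1.1.6 only
		 * rc_config_free() exists — confirm against the installed library version. */
		rc_destroy(rh);
	}
	ldap_pvt_thread_mutex_unlock( &libradius_mutex );
	wipe(user_pass, sizeof(user_pass));	/* don't leave the cleartext password on the stack */
	return rc;
}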
/*
 * Module teardown hook: logs the unload and destroys the mutex that serialises
 * chk_radius(). Returns the status of ldap_pvt_thread_mutex_destroy() unchanged.
 *
 * NOTE(review): the {RADIUS} scheme registered by init_module() is not
 * unregistered here; whether lutil offers a way to do so is not visible in this file.
 */
int term_module()
{
	int status;

	fprintf(stderr, "term_module(): pw-freeradiusclient\n");
	status = ldap_pvt_thread_mutex_destroy( &libradius_mutex );
	return status;
}
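/*
 * Module entry point called by the loader: initialises the mutex that
 * serialises chk_radius() and registers the {RADIUS} scheme with lutil.
 *
 * @param argc  module argument count; not consumed (the config path is the fixed RC_CONFIG_FILE).
 * @param argv  module arguments; not consumed.
 * @return the result of lutil_passwd_add(), or -1 when the mutex could not be
 *         initialised — registering a checker whose lock is unusable would make
 *         every later bind undefined, so fail the load instead. -1 mirrors the
 *         failure value lutil_passwd_add() itself uses (confirm against lutil.h).
 */
int init_module( int argc, char *argv[] )
{
	int rc;

	(void)argc;
	(void)argv;

	fprintf(stderr, "init_module(): pw-freeradiusclient\n");

	rc = ldap_pvt_thread_mutex_init( &libradius_mutex );
	if (rc != 0) {
		fprintf(stderr, "init_module(): mutex init failed (%d)\n", rc);
		return -1;
	}
	return lutil_passwd_add( (struct berval *)&scheme, chk_radius, NULL );
}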