Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.h =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.h (revision 38033) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.h (working copy) @@ -19,11 +19,12 @@ #ifndef _AUTH_EXT_CLI_H_ #define _AUTH_EXT_CLI_H_ +#define ID_LEN 5 #define LINE_LEN 255 #define HOST_LEN 256 #define SECRET_LEN 129 #define EXAUTH_DEF_METHOD "RADIUS" -#define MAX_EXAU_SERVER_NUM 2 +#define MAX_EXAU_SERVER_NUM 3 #define IP_PRESENTATION_LEN 100 /*ip presentation length*/ #define CLI_EXAUTH_ON "admin aaa on" @@ -38,6 +39,7 @@ #define EXAUTH_SERVER_ID1 "es01" #define EXAUTH_SERVER_ID2 "es02" +#define EXAUTH_SERVER_ID3 "es03" #define EXAUTH_METHOD_STRING_RADIUS "RADIUS" #define EXAUTH_METHOD_STRING_TAC_X "TAC_X" @@ -56,7 +58,7 @@ /*the structure for radius server*/ typedef struct exauth_server { - char id[5]; + char id[ID_LEN]; char host[HOST_LEN]; unsigned short port; char secret[SECRET_LEN]; Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.c =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.c (revision 38033) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.c (working copy) @@ -149,9 +149,14 @@ { g_exauth_conf.exau_method = METHOD_TAC_X; } + else if (strcasecmp(method, EXAUTH_METHOD_STRING_LDAP) == 0) + { + g_exauth_conf.exau_method = METHOD_LDAP; + } + else { - printf ("%s | %s\n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X); + printf ("%s | %s |%s\n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X, EXAUTH_METHOD_STRING_LDAP); } /*update conf to shared mem*/ @@ -168,7 +173,7 @@ char *str_num = NULL, *ep = NULL; - if (id == NULL || host == NULL || secret == NULL) + if (id == NULL || host == NULL) { printf ("%s failed\n",CLI_EXAUTH_SERVER); return -1; @@ -177,9 +182,9 @@ get_auth_conf(&shm_p, &g_exauth_conf); /*invalid server id, should be "es01" or "es02"*/ - if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2)) + if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3)) { - printf ("%s | %s\n", EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2); + printf ("%s | %s |%s\n", EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2, EXAUTH_SERVER_ID3); return 0; } @@ -196,6 +201,10 @@ { strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID2); } + if (id_num == 2) + { + strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID3); + } /*assign host*/ /*the libradius and libtacplus can resolve host name to either ipv4 or ipv6 address*/ @@ -206,13 +215,20 @@ g_exauth_conf.exauth_servers[id_num].port = port; /*assign secret*/ - if (strncmp(cipher_flag, AAA_SECRET_ENCRYPTED, sizeof(AAA_SECRET_ENCRYPTED)) == 0) { - decrypt_secret((unsigned char *)secret, (unsigned char *)secret); - } - strncpy(g_exauth_conf.exauth_servers[id_num].secret, secret, SECRET_LEN - 1); - g_exauth_conf.exauth_servers[id_num].secret[SECRET_LEN - 1] = '\0'; - - + /* assign secret only if it's not LDAP */ + if (secret != NULL && secret[0] != '\0') { + if (g_exauth_conf.exau_method == METHOD_LDAP) { + printf("ERROR: Secret is not applicable for LDAP configuration.\n"); + return -1; + } + else { + if (strncmp(cipher_flag, AAA_SECRET_ENCRYPTED, sizeof(AAA_SECRET_ENCRYPTED)) == 0) { + decrypt_secret((unsigned char *)secret, (unsigned char *)secret); + } + strncpy(g_exauth_conf.exauth_servers[id_num].secret, secret, SECRET_LEN - 1); + g_exauth_conf.exauth_servers[id_num].secret[SECRET_LEN - 1] = '\0'; + } + } /*assign timeout and maxretyr*/ if (g_exauth_conf.exau_method == METHOD_RADIUS) { @@ -252,9 +268,9 @@ return -1; } - if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2)) + if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3)) { - printf ("%s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2); + printf ("%s | %s |%s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2, EXAUTH_SERVER_ID3); return 0; } @@ -312,6 +328,10 @@ printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_TAC_X); break; + case METHOD_LDAP: + printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP); + break; + default: printf ("show %s faild\n", CLI_EXAUTH_METHOD); return -1; @@ -320,16 +340,27 @@ /*show admin aaa server*/ for (i=0; i < MAX_EXAU_SERVER_NUM; i++) { - if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') - { - printf ("%s %s \"%s\" %d \"%s\"\n", - CLI_EXAUTH_SERVER, - g_exauth_conf.exauth_servers[i].id, - g_exauth_conf.exauth_servers[i].host, - g_exauth_conf.exauth_servers[i].port, - "*****" - ); - } + if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') + { + if (g_exauth_conf.exau_method == METHOD_LDAP) + { + printf ("%s %s \"%s\" %d\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port); + } + else + { + printf ("%s %s \"%s\" %d \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + "*****" + ); + } + } } return 0; @@ -413,6 +444,10 @@ buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_TAC_X); break; + case METHOD_LDAP: + buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP); + break; + default: printf ("show %s faild\n", CLI_EXAUTH_METHOD); return NULL; @@ -420,20 +455,31 @@ /*show admin aaa server*/ for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) - { - if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') - { - encrypt_secret((unsigned char *)(g_exauth_conf.exauth_servers[i].secret), encrypted_secret); - buf_offset += sprintf (conf_buf + buf_offset, "%s %s \"%s\" %d \"%s\" \"%s\"\n", - CLI_EXAUTH_SERVER, - g_exauth_conf.exauth_servers[i].id, - g_exauth_conf.exauth_servers[i].host, - g_exauth_conf.exauth_servers[i].port, - encrypted_secret, - AAA_SECRET_ENCRYPTED - ); - } - } - } + { + if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') + { + if (g_exauth_conf.exau_method == METHOD_LDAP) + { + buf_offset += sprintf (conf_buf + buf_offset, "%s %s \"%s\" %d\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port); + } + else + { + encrypt_secret((unsigned char *)(g_exauth_conf.exauth_servers[i].secret), encrypted_secret); + buf_offset += sprintf (conf_buf + buf_offset, "%s %s \"%s\" %d \"%s\" \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + encrypted_secret, + AAA_SECRET_ENCRYPTED + ); + } + } + } + } return conf_buf; } Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libparser/commands.pm =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libparser/commands.pm (revision 38033) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libparser/commands.pm (working copy) @@ -45498,7 +45498,7 @@ function_name => "exauth_method", function_args => [{ type => "STRING", - help_string => "method name(RADIUS or TAC_X, default is RADIUS)", + help_string => "method name(RADIUS or TAC_X or LDAP, default is RADIUS)", optional => "YES", default_value => "\"RADIUS\"", },], @@ -45513,7 +45513,7 @@ function_name => "exauth_server", function_args => [{ type => "STRING", - help_string => "id, es01 or es02(if server es01 is down, request will be sent to server es02)", + help_string => "id, es01 or es02 or es03(if server es01 is down, request will be sent to server es02 or es03)", optional => "NO", }, { @@ -45528,7 +45528,7 @@ }, { type => "STRING", - help_string => "Secret", + help_string => "Secret (Secret is only for radius & tacacs,not applicable for ldap)", optional => "YES", default_value => "\"\"", },