Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext.h =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext.h (revision 38049) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext.h (working copy) @@ -26,6 +26,7 @@ #define RAD_AUTH_PORT 1812 #define RAD_DEF_TIMEOUT 5 #define RAD_DEF_RETRIES 2 +#define LDAP_DEF_RETRIES 2 #define EXT_AUTH_OFF 0 Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext.c =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext.c (revision 38049) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext.c (working copy) @@ -198,7 +198,6 @@ return EXT_AUTH_FAILED; } - /*authenticate ldap servers*/ for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) { if (g_exauth_conf.exauth_servers[i].id && @@ -225,6 +224,11 @@ to.tv_usec = 0; int ret_value = EXT_AUTH_FAILED; int i = server_num; + LDAPMessage *answer, *entry; + char *attrs[] = {"memberOf", NULL}; + int attrsonly = 0; + int entries_found = 0; + if (username == NULL || password == NULL) { return EXT_AUTH_FAILED; } @@ -233,34 +237,76 @@ g_exauth_conf.exauth_servers[i].port); if ( ldap_initialize(&ldap, ldap_uri) != LDAP_SUCCESS ) { exau_log( "ldap_init failed" ); - return ret_value; + return EXT_AUTH_FAILED; } else { exau_log("Generated LDAP handle for uri %s.\n", ldap_uri); } - if (ldap_set_option(ldap, LDAP_OPT_TIMEOUT,&to) != LDAP_SUCCESS ) { - return ret_value; + return EXT_AUTH_FAILED; } if (ldap_set_option(ldap, LDAP_OPT_NETWORK_TIMEOUT,&to) != LDAP_SUCCESS ) { - return ret_value; + return EXT_AUTH_FAILED; } if (ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version) != LDAP_SUCCESS ) { - return ret_value; + return EXT_AUTH_FAILED; + } + // This is AD bug, if password is blank it allows tp login + if (strlen(password) == 0) { + return EXT_AUTH_FAILED; } msgid = ldap_simple_bind_s(ldap, username, password); if ( msgid != LDAP_SUCCESS ) { exau_log("LDAP login failed for user %s.\n", username); - return ret_value; + return EXT_AUTH_FAILED; } else { exau_log("LDAP login successful for user %s.\n", username); ret_value = EXT_AUTH_PASS_CONFIG; } - ldap_unbind_ext_s(ldap, NULL, NULL); + // authorization off then will not do authorization only authentication + if (g_exauth_conf.external_authorize_on == EXT_AUTHORIZE_OFF){ + exau_log("LDAP authorization off for user %s.\n", username); + ret_value = EXT_AUTH_PASS_CONFIG; + ldap_unbind(ldap); + return ret_value; + } + //authorization block + char search_string[1024]; + if (strstr(username, "@")) { + sprintf(search_string,"\(\&\(userPrincipalName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf); + } else { + sprintf(search_string,"\(\&\(sAMAccountName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf); + } + + msgid = ldap_search_s(ldap, g_exauth_conf.exauth_servers[i].dn, LDAP_SCOPE_SUBTREE, search_string, + attrs, attrsonly, &answer); + + if ( msgid != LDAP_SUCCESS ) { + exau_log("LDAP search failed for user %s.\n", username); + return EXT_AUTH_FAILED; + } else { + exau_log("LDAP search successful for user %s.\n", username); + } + + /* Return the number of objects found during the search */ + entries_found = ldap_count_entries(ldap, answer); + if ( entries_found == 0 ) { + exau_log("LDAP authorization failed for user %s.\n", username); + ret_value = EXT_AUTH_PASS_ENABLE; // if authorization failed then not allow to do any change + } else { + ret_value = EXT_AUTH_PASS_CONFIG; + printf("LDAP authorization success for user %s.\n", username); + } + if (ret_value != EXT_AUTH_PASS_CONFIG) { + ret_value = EXT_AUTH_PASS_ENABLE; + } + + ldap_msgfree(answer); + ldap_unbind(ldap); return ret_value; } Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.h =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.h (revision 38049) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.h (working copy) @@ -21,9 +21,11 @@ #define LINE_LEN 255 #define HOST_LEN 256 +#define DN_LEN 256 +#define MEMBEROF_LEN 256 #define SECRET_LEN 129 #define EXAUTH_DEF_METHOD "RADIUS" -#define MAX_EXAU_SERVER_NUM 2 +#define MAX_EXAU_SERVER_NUM 3 #define IP_PRESENTATION_LEN 100 /*ip presentation length*/ #define CLI_EXAUTH_ON "admin aaa on" @@ -38,6 +40,7 @@ #define EXAUTH_SERVER_ID1 "es01" #define EXAUTH_SERVER_ID2 "es02" +#define EXAUTH_SERVER_ID3 "es03" #define EXAUTH_METHOD_STRING_RADIUS "RADIUS" #define EXAUTH_METHOD_STRING_TAC_X "TAC_X" @@ -62,6 +65,8 @@ char secret[SECRET_LEN]; unsigned short timeout; unsigned short max_retry; + char dn[DN_LEN]; + char memberOf[MEMBEROF_LEN]; } exauth_server_t; /*the structure wrapper*/ @@ -70,7 +75,7 @@ int external_authorize_on; int ext_auth_priority; enum_exau_method exau_method; - exauth_server_t exauth_servers[2]; + exauth_server_t exauth_servers[3]; } exauth_conf_t; /*turn on external authentication*/ Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.c =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.c (revision 38049) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libexauth/auth_ext_cli.c (working copy) @@ -149,9 +149,13 @@ { g_exauth_conf.exau_method = METHOD_TAC_X; } + else if (strcasecmp(method, EXAUTH_METHOD_STRING_LDAP) == 0) + { + g_exauth_conf.exau_method = METHOD_LDAP; + } else { - printf ("%s | %s\n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X); + printf ("%s | %s | %s \n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X, EXAUTH_METHOD_STRING_LDAP); } /*update conf to shared mem*/ @@ -160,15 +164,15 @@ return 0; } -/*configure an exauth server*/ -int -exauth_server(char *id, char *host, uint16_t port, char *secret, char *cipher_flag) +/*configure an exauth ldap server*/ +int +exauth_ldap_server(char *id, char *host, uint16_t port, char *dn, char *memberOf) { int id_num = -1; char *str_num = NULL, *ep = NULL; - if (id == NULL || host == NULL || secret == NULL) + if (id == NULL || host == NULL || dn == NULL || memberOf == NULL) { printf ("%s failed\n",CLI_EXAUTH_SERVER); return -1; @@ -177,63 +181,112 @@ get_auth_conf(&shm_p, &g_exauth_conf); /*invalid server id, should be "es01" or "es02"*/ - if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2)) + if (strcmp(id, EXAUTH_SERVER_ID3)) { - printf ("%s | %s\n", EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2); + printf ("%s \n", EXAUTH_SERVER_ID3); return 0; } - + /*assign id*/ str_num = id + 3; id_num = (int)strtol(str_num, &ep,10) - 1; - if (id_num == 0) - { - strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID1); - } - - if (id_num == 1) - { - strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID2); - } + if (id_num == 2) + { + strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID3); + } /*assign host*/ - /*the libradius and libtacplus can resolve host name to either ipv4 or ipv6 address*/ strncpy(g_exauth_conf.exauth_servers[id_num].host, host, HOST_LEN); /*assign port*/ - /*if port == 0, the default value in libradius is 1812 for radius authen and in libtacplus is 49 for tacacs+ authen*/ g_exauth_conf.exauth_servers[id_num].port = port; + /*assign dn*/ + strncpy(g_exauth_conf.exauth_servers[id_num].dn, dn, DN_LEN); - /*assign secret*/ - if (strncmp(cipher_flag, AAA_SECRET_ENCRYPTED, sizeof(AAA_SECRET_ENCRYPTED)) == 0) { - decrypt_secret((unsigned char *)secret, (unsigned char *)secret); - } - strncpy(g_exauth_conf.exauth_servers[id_num].secret, secret, SECRET_LEN - 1); - g_exauth_conf.exauth_servers[id_num].secret[SECRET_LEN - 1] = '\0'; + /*assign memberOf*/ + strncpy(g_exauth_conf.exauth_servers[id_num].memberOf, memberOf, MEMBEROF_LEN); + g_exauth_conf.exauth_servers[id_num].max_retry = LDAP_DEF_RETRIES; + /*update conf to shared mem*/ + set_auth_conf(&shm_p, &g_exauth_conf); + return 0; +} - /*assign timeout and maxretyr*/ - if (g_exauth_conf.exau_method == METHOD_RADIUS) - { - g_exauth_conf.exauth_servers[id_num].timeout = RAD_DEF_TIMEOUT; - } +/*configure an exauth server*/ +int +exauth_radius_server(char *id, char *host, uint16_t port, char *secret, char *cipher_flag) +{ + int id_num = -1; + char *str_num = NULL, *ep = NULL; - /* - * for tac_x, since there is no maxretry parameter - * use RAD_DEF_TIMEOUT * RAD_DEF_RETRIES as the timeout instead - */ - if (g_exauth_conf.exau_method == METHOD_TAC_X) - { - g_exauth_conf.exauth_servers[id_num].timeout = RAD_DEF_TIMEOUT * RAD_DEF_RETRIES; - } - g_exauth_conf.exauth_servers[id_num].max_retry = RAD_DEF_RETRIES; + if (id == NULL || host == NULL || secret == NULL) + { + printf ("%s failed\n",CLI_EXAUTH_SERVER); + return -1; + } + + get_auth_conf(&shm_p, &g_exauth_conf); + + /*invalid server id, should be "es01" or "es02"*/ + if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2)) + { + printf ("%s | %s\n", EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2); + return 0; + } + + /*assign id*/ + str_num = id + 3; + id_num = (int)strtol(str_num, &ep,10) - 1; + + if (id_num == 0) + { + strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID1); + } + + if (id_num == 1) + { + strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID2); + } + + /*assign host*/ + /*the libradius and libtacplus can resolve host name to either ipv4 or ipv6 address*/ + strncpy(g_exauth_conf.exauth_servers[id_num].host, host, HOST_LEN); + + /*assign port*/ + /*if port == 0, the default value in libradius is 1812 for radius authen and in libtacplus is 49 for tacacs+ authen*/ + g_exauth_conf.exauth_servers[id_num].port = port; + + /*assign secret*/ + if (strncmp(cipher_flag, AAA_SECRET_ENCRYPTED, sizeof(AAA_SECRET_ENCRYPTED)) == 0) { + decrypt_secret((unsigned char *)secret, (unsigned char *)secret); + } + strncpy(g_exauth_conf.exauth_servers[id_num].secret, secret, SECRET_LEN - 1); + g_exauth_conf.exauth_servers[id_num].secret[SECRET_LEN - 1] = '\0'; + + + /*assign timeout and maxretyr*/ + if (g_exauth_conf.exau_method == METHOD_RADIUS) + { + g_exauth_conf.exauth_servers[id_num].timeout = RAD_DEF_TIMEOUT; + } + + /* + * for tac_x, since there is no maxretry parameter + * use RAD_DEF_TIMEOUT * RAD_DEF_RETRIES as the timeout instead + */ + if (g_exauth_conf.exau_method == METHOD_TAC_X) + { + g_exauth_conf.exauth_servers[id_num].timeout = RAD_DEF_TIMEOUT * RAD_DEF_RETRIES; + } + g_exauth_conf.exauth_servers[id_num].max_retry = RAD_DEF_RETRIES; - /*update conf to shared mem*/ - set_auth_conf(&shm_p, &g_exauth_conf); - return 0; + /*update conf to shared mem*/ + set_auth_conf(&shm_p, &g_exauth_conf); + + return 0; } @@ -252,9 +305,9 @@ return -1; } - if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2)) + if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3)) { - printf ("%s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2); + printf ("%s | %s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2, EXAUTH_SERVER_ID3); return 0; } @@ -311,6 +364,10 @@ case METHOD_TAC_X: printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_TAC_X); break; + case METHOD_LDAP: + printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP); + break; + default: printf ("show %s faild\n", CLI_EXAUTH_METHOD); @@ -322,13 +379,24 @@ { if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') { - printf ("%s %s \"%s\" %d \"%s\"\n", + if (g_exauth_conf.exau_method == METHOD_LDAP) { + printf ("%s ldap %s \"%s\" %d \"%s\" \"%s\" \n", CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, g_exauth_conf.exauth_servers[i].port, - "*****" + g_exauth_conf.exauth_servers[i].dn, + g_exauth_conf.exauth_servers[i].memberOf ); + } else { + printf ("%s radius %s \"%s\" %d \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + "*****" + ); + } } } @@ -401,7 +469,6 @@ } else { buf_offset += sprintf(conf_buf + buf_offset, "%s\n", CLI_EXAUTHORIZE_OFF); } - /*show admin aaa method*/ switch(g_exauth_conf.exau_method) { @@ -412,6 +479,9 @@ case METHOD_TAC_X: buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_TAC_X); break; + case METHOD_LDAP: + buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP); + break; default: printf ("show %s faild\n", CLI_EXAUTH_METHOD); @@ -423,15 +493,26 @@ { if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') { + if (g_exauth_conf.exau_method == METHOD_LDAP) { + buf_offset += sprintf (conf_buf + buf_offset, "%s ldap %s \"%s\" %d \"%s\" \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + g_exauth_conf.exauth_servers[i].dn, + g_exauth_conf.exauth_servers[i].memberOf + ); + } else { encrypt_secret((unsigned char *)(g_exauth_conf.exauth_servers[i].secret), encrypted_secret); - buf_offset += sprintf (conf_buf + buf_offset, "%s %s \"%s\" %d \"%s\" \"%s\"\n", - CLI_EXAUTH_SERVER, + buf_offset += sprintf (conf_buf + buf_offset, "%s radius %s \"%s\" %d \"%s\" \"%s\"\n", + CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, g_exauth_conf.exauth_servers[i].port, encrypted_secret, AAA_SECRET_ENCRYPTED ); + } } } } Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libparser/commands.pm =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libparser/commands.pm (revision 38049) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libparser/commands.pm (working copy) @@ -45498,22 +45498,31 @@ function_name => "exauth_method", function_args => [{ type => "STRING", - help_string => "method name(RADIUS or TAC_X, default is RADIUS)", + help_string => "method name(RADIUS or TAC_X or LDAP, default is RADIUS)", optional => "YES", default_value => "\"RADIUS\"", },], }, + { + obj_type => "MENU", + name => "server", + parent_menu => "root_admin_aaa", + uniq_name => "root_admin_server_aaa", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL", + user_level => "CLI_LEVEL_CONFIG", + help_string => "External authentication server configuration", + }, { obj_type => "ITEM", - name => "server", - menu => "root_admin_aaa", + name => "radius", + menu => "root_admin_server_aaa", help_string => "Configure external authentication server", cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", user_level => "CLI_LEVEL_CONFIG", - function_name => "exauth_server", + function_name => "exauth_radius_server", function_args => [{ type => "STRING", - help_string => "id, es01 or es02(if server es01 is down, request will be sent to server es02)", + help_string => "id, es01 or es02 (if server es01 is down, request will be sent to server es02)", optional => "NO", }, { @@ -45538,6 +45547,43 @@ optional => "YES", default_value => "\"\"", }, + ], + }, + { + obj_type => "ITEM", + name => "ldap", + menu => "root_admin_server_aaa", + help_string => "Configure external authentication server", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", + user_level => "CLI_LEVEL_CONFIG", + function_name => "exauth_ldap_server", + function_args => [{ + type => "STRING", + help_string => "id, es03(request will be sent to server es03)", + optional => "NO", + }, + { + type => "STRING", + help_string => "Host name or ip address", + optional => "NO", + }, + { + type => "U16", + help_string => "Port", + optional => "NO", + }, + { + type => "STRING", + help_string => "dn (Ex. OU=Eng,dc=example,dc=in)", + optional => "YES", + default_value => "\"\"", + }, + { + type => "STRING", + help_string => "memberOf (Ex. CN=Engineering,DC=example,DC=in)", + optional => "YES", + default_value => "\"\"", + }, ], }, { Index: /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libpyexauth/pyexauth_build.py =================================================================== --- /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libpyexauth/pyexauth_build.py (revision 38049) +++ /branches/rel_apv_10_4_0_112_sbi/usr/click/lib/libpyexauth/pyexauth_build.py (working copy) @@ -24,7 +24,7 @@ """, include_dirs=["../libexauth", "../libpyauth"], library_dirs=["../libexauth", "../libfastlog", "../libbsd", "../libpyauth", "../libuinet-atcp/lib/libuinet_sysctl", "../libuinet-atcp/lib/libuinet", "../libuinet-atcp/lib/libuinetnv"], - libraries=["exauth", "fastlog", "bsd", "ssl", "pyauth", "crypt", "uinet_sysctl", "uinet_lite", "uinetnv", "rt"]) + libraries=["ldap", "exauth", "fastlog", "bsd", "ssl", "pyauth", "crypt", "uinet_sysctl", "uinet_lite", "uinetnv", "rt"]) if __name__ == "__main__": ffi.compile()