Index: /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch (revision 38051) +++ /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch (working copy) @@ -796,7 +796,7 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lldap -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog + +synconfigd$(EXEEXT): sshd$(EXEEXT) + /bin/cp sshd$(EXEEXT) $@ Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile (revision 38051) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile (working copy) @@ -5,10 +5,14 @@ INCS= auth_ext.h auth_ext_cli.h auth_ext_ipc.h radlib.h taclib.h CFLAGS+=-I${.CURDIR} \ - -I${.CURDIR}/../../lib/libfastlog + -I${.CURDIR}/../../lib/libfastlog \ + -I${.CURDIR}/../../lib/libbsd .if defined(USTACK) CFLAGS += -fPIC .endif -.include +LDADD=-L${.OBJDIR}/../../lib/libbsd -lbsd \ + -lmd -lcrypt -lcrypto -lpthread -lldap -llber -lhiredis -lutil + +.include Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.h =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.h (revision 38051) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.h (working copy) @@ -26,7 +26,7 @@ #define RAD_AUTH_PORT 1812 #define RAD_DEF_TIMEOUT 5 #define RAD_DEF_RETRIES 2 - +#define LDAP_DEF_RETRIES 2 #define EXT_AUTH_OFF 0 #define EXT_AUTH_ON 1 @@ -101,6 +101,9 @@ /*authenticate with external tacacs+ server*/ int external_auth_tacx(char *username, char *password); +/*authenticate with external ldap server*/ +int external_auth_ldap(char *username, char *password); + /*check the return type of tacacs+ server*/ int check_tac_x_type(int ret_type, char *buf); Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c (revision 38051) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c (working copy) @@ -32,7 +32,7 @@ #include #include #include - +#include #include "auth_ext.h" #include "auth_ext_cli.h" #include "auth_ext_ipc.h" @@ -81,6 +81,10 @@ sprintf(buf, "%s", EXAUTH_METHOD_STRING_TAC_X); } + if (g_exauth_conf.exau_method == METHOD_LDAP) { + sprintf(buf, "%s", EXAUTH_METHOD_STRING_LDAP); + } + return 0; } @@ -171,6 +175,10 @@ return external_auth_tacx(username, password); break; + case METHOD_LDAP: + return external_auth_ldap(username, password); + break; + default: exau_log("external_auth: no authenticaion method found"); return EXT_AUTH_FAILED; @@ -181,6 +189,124 @@ } +int +external_auth_ldap(char *username, char *password) +{ + /*the return value of ldap response type*/ + int ret_value = EXT_AUTH_FAILED; + int i; + if (username == NULL || password == NULL) { + return EXT_AUTH_FAILED; + } + /*authenticate ldap servers*/ + for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) { + if (g_exauth_conf.exauth_servers[i].id && + g_exauth_conf.exauth_servers[i].id[0] != '\0') { + ret_value = external_auth_one_ldap(i, username, password); + if ((ret_value == EXT_AUTH_PASS_CONFIG) || + (ret_value == EXT_AUTH_PASS_ENABLE)) { + break; + } + } + } + return ret_value; +} +int +external_auth_one_ldap(int server_num, char *username, char *password) +{ + LDAP *ldap; + struct timeval to; + int ldap_version = LDAP_VERSION3; + int msgid = 0; + to.tv_sec = 600; + to.tv_usec = 0; + int ret_value = EXT_AUTH_FAILED; + int i = server_num; + LDAPMessage *answer, *entry; + char *attrs[] = {"memberOf", NULL}; + int attrsonly = 0; + int entries_found = 0; + + if (username == NULL || password == NULL) { + return EXT_AUTH_FAILED; + } + char ldap_uri[1024]; + sprintf(ldap_uri,"ldap://%s:%d",g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port); + if ( ldap_initialize(&ldap, ldap_uri) != LDAP_SUCCESS ) { + exau_log( "ldap_init failed" ); + return EXT_AUTH_FAILED; + } else { + exau_log("Generated LDAP handle for uri %s.\n", ldap_uri); + } + + if (ldap_set_option(ldap, LDAP_OPT_TIMEOUT,&to) != LDAP_SUCCESS ) { + return EXT_AUTH_FAILED; + } + + if (ldap_set_option(ldap, LDAP_OPT_NETWORK_TIMEOUT,&to) != LDAP_SUCCESS ) { + return EXT_AUTH_FAILED; + } + + if (ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version) != LDAP_SUCCESS ) { + return EXT_AUTH_FAILED; + } + // This is AD bug, if password is blank it allows tp login + if (strlen(password) == 0) { + return EXT_AUTH_FAILED; + } + msgid = ldap_simple_bind_s(ldap, username, password); + + if ( msgid != LDAP_SUCCESS ) { + exau_log("LDAP login failed for user %s.\n", username); + return EXT_AUTH_FAILED; + } else { + exau_log("LDAP login successful for user %s.\n", username); + ret_value = EXT_AUTH_PASS_CONFIG; + } + // authorization off then will not do authorization only authentication + if (g_exauth_conf.external_authorize_on == EXT_AUTHORIZE_OFF){ + exau_log("LDAP authorization off for user %s.\n", username); + ret_value = EXT_AUTH_PASS_CONFIG; + ldap_unbind(ldap); + return ret_value; + } + //authorization block + char search_string[1024]; + if (strstr(username, "@")) { + sprintf(search_string,"\(\&\(userPrincipalName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf); + } else { + sprintf(search_string,"\(\&\(sAMAccountName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf); + } + + msgid = ldap_search_s(ldap, g_exauth_conf.exauth_servers[i].dn, LDAP_SCOPE_SUBTREE, search_string, + attrs, attrsonly, &answer); + + if ( msgid != LDAP_SUCCESS ) { + exau_log("LDAP search failed for user %s.\n", username); + return EXT_AUTH_FAILED; + } else { + exau_log("LDAP search successful for user %s.\n", username); + } + + /* Return the number of objects found during the search */ + entries_found = ldap_count_entries(ldap, answer); + if ( entries_found == 0 ) { + exau_log("LDAP authorization failed for user %s.\n", username); + ret_value = EXT_AUTH_PASS_ENABLE; // if authorization failed then not allow to do any change + } else { + ret_value = EXT_AUTH_PASS_CONFIG; + printf("LDAP authorization success for user %s.\n", username); + } + if (ret_value != EXT_AUTH_PASS_CONFIG) { + ret_value = EXT_AUTH_PASS_ENABLE; + } + + ldap_msgfree(answer); + ldap_unbind(ldap); + return ret_value; +} + /*authenticate with external radius server*/ /*To support ipv6 auth server, we modified the libradius library to support ipv6 too. This library can handle up to 10 auth servers in one auth request, when we originate Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h (revision 38051) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h (working copy) @@ -21,9 +21,11 @@ #define LINE_LEN 255 #define HOST_LEN 256 +#define DN_LEN 256 +#define MEMBEROF_LEN 256 #define SECRET_LEN 129 #define EXAUTH_DEF_METHOD "RADIUS" -#define MAX_EXAU_SERVER_NUM 2 +#define MAX_EXAU_SERVER_NUM 3 #define IP_PRESENTATION_LEN 100 /*ip presentation length*/ #define CLI_EXAUTH_ON "admin aaa on" @@ -38,9 +40,10 @@ #define EXAUTH_SERVER_ID1 "es01" #define EXAUTH_SERVER_ID2 "es02" - +#define EXAUTH_SERVER_ID3 "es03" #define EXAUTH_METHOD_STRING_RADIUS "RADIUS" #define EXAUTH_METHOD_STRING_TAC_X "TAC_X" +#define EXAUTH_METHOD_STRING_LDAP "LDAP" #define EXAUTH_METHOD_STRING_UNKONWN "UNKONWN METHOD" #define EXAUTH_PRIORITY_HIGH 1 @@ -49,7 +52,8 @@ /*authentication method table*/ typedef enum exau_method { METHOD_RADIUS, - METHOD_TAC_X + METHOD_TAC_X, + METHOD_LDAP } enum_exau_method; /*the structure for radius server*/ @@ -60,6 +64,8 @@ char secret[SECRET_LEN]; unsigned short timeout; unsigned short max_retry; + char dn[DN_LEN]; + char memberOf[MEMBEROF_LEN]; } exauth_server_t; /*the structure wrapper*/ @@ -68,7 +74,7 @@ int external_authorize_on; int ext_auth_priority; enum_exau_method exau_method; - exauth_server_t exauth_servers[2]; + exauth_server_t exauth_servers[3]; } exauth_conf_t; /*turn on external authentication*/ Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c (revision 38051) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c (working copy) @@ -149,9 +149,13 @@ { g_exauth_conf.exau_method = METHOD_TAC_X; } + else if (strcasecmp(method, EXAUTH_METHOD_STRING_LDAP) == 0) + { + g_exauth_conf.exau_method = METHOD_LDAP; + } else { - printf ("%s | %s\n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X); + printf ("%s | %s | %s \n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X, EXAUTH_METHOD_STRING_LDAP); } /*update conf to shared mem*/ @@ -160,9 +164,58 @@ return 0; } -/*configure an exauth server*/ +/*configure an exauth ldap server*/ +int +exauth_ldap_server(char *id, char *host, uint16_t port, char *dn, char *memberOf) +{ + int id_num = -1; + char *str_num = NULL, *ep = NULL; + + + if (id == NULL || host == NULL || dn == NULL || memberOf == NULL) + { + printf ("%s failed\n",CLI_EXAUTH_SERVER); + return -1; + } + + get_auth_conf(&shm_p, &g_exauth_conf); + + /*invalid server id, should be "es01" or "es02"*/ + if (strcmp(id, EXAUTH_SERVER_ID3)) + { + printf ("%s \n", EXAUTH_SERVER_ID3); + return 0; + } + + /*assign id*/ + str_num = id + 3; + id_num = (int)strtol(str_num, &ep,10) - 1; + + if (id_num == 2) + { + strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID3); + } + + /*assign host*/ + strncpy(g_exauth_conf.exauth_servers[id_num].host, host, HOST_LEN); + + /*assign port*/ + g_exauth_conf.exauth_servers[id_num].port = port; + /*assign dn*/ + strncpy(g_exauth_conf.exauth_servers[id_num].dn, dn, DN_LEN); + + /*assign memberOf*/ + strncpy(g_exauth_conf.exauth_servers[id_num].memberOf, memberOf, MEMBEROF_LEN); + + g_exauth_conf.exauth_servers[id_num].max_retry = LDAP_DEF_RETRIES; + /*update conf to shared mem*/ + set_auth_conf(&shm_p, &g_exauth_conf); + return 0; +} + +/*configure an exauth radius server*/ int -exauth_server(char *id, char *host, uint16_t port, char *secret, char *cipher_flag) +exauth_radius_server(char *id, char *host, uint16_t port, char *secret, char *cipher_flag) { int id_num = -1; char *str_num = NULL, *ep = NULL; @@ -252,9 +305,9 @@ return -1; } - if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2)) + if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3)) { - printf ("%s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2); + printf ("%s | %s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2, EXAUTH_SERVER_ID3); return 0; } @@ -311,6 +364,9 @@ case METHOD_TAC_X: printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_TAC_X); break; + case METHOD_LDAP: + printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP); + break; default: printf ("show %s faild\n", CLI_EXAUTH_METHOD); @@ -322,13 +378,24 @@ { if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') { - printf ("%s %s \"%s\" %d \"%s\"\n", - CLI_EXAUTH_SERVER, - g_exauth_conf.exauth_servers[i].id, - g_exauth_conf.exauth_servers[i].host, - g_exauth_conf.exauth_servers[i].port, - "*****" - ); + if (g_exauth_conf.exau_method == METHOD_LDAP) { + printf ("%s ldap %s \"%s\" %d \"%s\" \"%s\" \n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + g_exauth_conf.exauth_servers[i].dn, + g_exauth_conf.exauth_servers[i].memberOf + ); + } else { + printf ("%s radius %s \"%s\" %d \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + "*****" + ); + } } } @@ -412,6 +479,9 @@ case METHOD_TAC_X: buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_TAC_X); break; + case METHOD_LDAP: + buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP); + break; default: printf ("show %s faild\n", CLI_EXAUTH_METHOD); @@ -423,15 +493,26 @@ { if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') { - encrypt_secret((unsigned char *)(g_exauth_conf.exauth_servers[i].secret), encrypted_secret); - buf_offset += sprintf (conf_buf + buf_offset, "%s %s \"%s\" %d \"%s\" \"%s\"\n", - CLI_EXAUTH_SERVER, - g_exauth_conf.exauth_servers[i].id, - g_exauth_conf.exauth_servers[i].host, - g_exauth_conf.exauth_servers[i].port, - encrypted_secret, - AAA_SECRET_ENCRYPTED - ); + if (g_exauth_conf.exau_method == METHOD_LDAP) { + buf_offset += sprintf (conf_buf + buf_offset, "%s ldap %s \"%s\" %d \"%s\" \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + g_exauth_conf.exauth_servers[i].dn, + g_exauth_conf.exauth_servers[i].memberOf + ); + } else { + encrypt_secret((unsigned char *)(g_exauth_conf.exauth_servers[i].secret), encrypted_secret); + buf_offset += sprintf (conf_buf + buf_offset, "%s radius %s \"%s\" %d \"%s\" \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + encrypted_secret, + AAA_SECRET_ENCRYPTED + ); + } } } } Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm (revision 38051) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm (working copy) @@ -48710,14 +48710,23 @@ default_value => "\"RADIUS\"", },], }, + { + obj_type => "MENU", + name => "server", + parent_menu => "root_admin_aaa", + uniq_name => "root_admin_server_aaa", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL", + user_level => "CLI_LEVEL_CONFIG", + help_string => "External authentication server configuration", + }, { - obj_type => "ITEM", - name => "server", - menu => "root_admin_aaa", - help_string => "Configure external authentication server", - cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", - user_level => "CLI_LEVEL_CONFIG", - function_name => "exauth_server", + obj_type => "ITEM", + name => "radius", + menu => "root_admin_server_aaa", + help_string => "Configure external authentication server", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", + user_level => "CLI_LEVEL_CONFIG", + function_name => "exauth_radius_server", function_args => [{ type => "STRING", help_string => "id, es01 or es02(if server es01 is down, request will be sent to server es02)", @@ -48747,6 +48756,43 @@ }, ], }, + { + obj_type => "ITEM", + name => "ldap", + menu => "root_admin_server_aaa", + help_string => "Configure external authentication server", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", + user_level => "CLI_LEVEL_CONFIG", + function_name => "exauth_ldap_server", + function_args => [{ + type => "STRING", + help_string => "id, es03(request will be sent to server es03)", + optional => "NO", + }, + { + type => "STRING", + help_string => "Host name or ip address", + optional => "NO", + }, + { + type => "U16", + help_string => "Port", + optional => "NO", + }, + { + type => "STRING", + help_string => "dn (Ex. OU=Eng,dc=example,dc=in)", + optional => "YES", + default_value => "\"\"", + }, + { + type => "STRING", + help_string => "memberOf (Ex. CN=Engineering,DC=example,DC=in)", + optional => "YES", + default_value => "\"\"", + }, + ], + }, { obj_type => "MENU", name => "authorize", Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py (revision 38051) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py (working copy) @@ -33,7 +33,7 @@ """, include_dirs=["../libexauth", "../libpyauth"], library_dirs=tmp_library_dirs, - libraries=["exauth", "fastlog", "bsd", "ssl", "pyauth", "crypt", "uinet_sysctl", "uinet_lite", "uinetnv", "rt"]) + libraries=["ldap", "exauth", "fastlog", "bsd", "ssl", "pyauth", "crypt", "uinet_sysctl", "uinet_lite", "uinetnv", "rt"]) if __name__ == "__main__": ffi.compile()