Index: /branches/rel_apv_10_7_0_sbi/usr/click/bin/backend/Makefile
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/bin/backend/Makefile	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/bin/backend/Makefile	(working copy)
@@ -165,7 +165,7 @@
 	-lnfnetlink -lnetfilter_conntrack \
 	-lpciaccess \
 	-lpam -lpam_misc \
-	-lcrypt -lldap -llber -lkvm -lfetch -lmemstat -lutil -lradius -ltacplus -lgeom -lstdc++ -rdynamic
+	-lcrypt -lldap -llber -lssl -lcrypto -lkvm -lfetch -lmemstat -lutil -lradius -ltacplus -lgeom -lstdc++ -rdynamic
 
 BINMODE=4555
 
Index: /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch	(working copy)
@@ -796,7 +796,7 @@
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
-+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lldap -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog
++	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lldap -lssl -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog
 +
 +synconfigd$(EXEEXT): sshd$(EXEEXT)
 +	/bin/cp sshd$(EXEEXT) $@
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile	(working copy)
@@ -13,6 +13,6 @@
 .endif
 
 LDADD=-L${.OBJDIR}/../../lib/libbsd -lbsd \
-      -lmd -lcrypt -lcrypto -lpthread -lldap -llber -lhiredis -lutil
+      -lmd -lcrypt -lcrypto -lpthread -lldap -llber -lssl -lcrypto -lhiredis -lutil
 
 .include <bsd.libauth.mk>
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.h
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.h	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.h	(working copy)
@@ -30,6 +30,8 @@
 
 #define EXT_AUTH_OFF			0
 #define EXT_AUTH_ON				1
+#define EXT_SKIPVERIFY_ON		1
+#define EXT_SKIPVERIFY_OFF		0
 #define EXT_AUTH_PASS_ENABLE	2
 #define EXT_AUTH_PASS_CONFIG	3
 #define EXT_AUTH_REJECT			4
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c	(working copy)
@@ -33,6 +33,9 @@
 #include <fastlog.h>
 #include <sys/shm.h>
 #include <ldap.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
 #include "auth_ext.h"
 #include "auth_ext_cli.h"
 #include "auth_ext_ipc.h"
@@ -43,6 +46,9 @@
 
 #define ARRAY_RADIUS_ID 7564
 
+#define LDAPS_CLIENT_CERT_FILE             "/var/run/ldaps_client_cert.pem"
+#define LDAPS_CLIENT_KEY_FILE              "/var/run/ldaps_client_key.pem"
+#define LDAPS_ROOTCA_FILE             "/var/run/ldaps_root_cert.pem"
 /*if really do external authentication*/
 int do_exauth = 0;
 
@@ -85,6 +91,10 @@
                 sprintf(buf, "%s", EXAUTH_METHOD_STRING_LDAP);
         }
 
+        if (g_exauth_conf.exau_method == METHOD_LDAPS) {
+                sprintf(buf, "%s", EXAUTH_METHOD_STRING_LDAPS);
+        }
+
 	return 0;
 }
 
@@ -179,6 +189,10 @@
                         return external_auth_ldap(username, password);
                         break;
 
+                case METHOD_LDAPS:
+                        return external_auth_ldaps(username, password);
+                        break;
+
 		default:
 			exau_log("external_auth: no authenticaion method found");
 			return EXT_AUTH_FAILED;
@@ -190,6 +204,156 @@
 }
 
 int
+external_auth_ldaps(char *username, char *password)
+{
+    /*the return value of ldap response type*/
+    int ret_value = EXT_AUTH_FAILED;
+    int i;
+    if (username == NULL || password == NULL) {
+        return EXT_AUTH_FAILED;
+    }
+    /*authenticate ldaps servers*/
+    for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) {
+        if (g_exauth_conf.exauth_servers[i].id &&
+            g_exauth_conf.exauth_servers[i].id[0] != '\0') {
+            ret_value = external_auth_one_ldaps(i, username, password);
+            if ((ret_value == EXT_AUTH_PASS_CONFIG) ||
+                (ret_value == EXT_AUTH_PASS_ENABLE)) {
+                break;
+            }
+        }
+    }
+    return ret_value;
+}
+
+int
+external_auth_one_ldaps(int server_num, char *username, char *password)
+{
+    LDAP *ld;
+    struct timeval to;
+    int msgid = 0;
+    to.tv_sec = 600;
+    to.tv_usec = 0;
+    int ret_value = EXT_AUTH_FAILED;
+    int i = server_num;
+    LDAPMessage *answer, *entry;
+    char *attrs[]       = {"memberOf", NULL};
+    int  attrsonly      = 0;
+    int  entries_found  = 0;
+    int rc;
+
+    if (username == NULL || password == NULL) {
+            return EXT_AUTH_FAILED;
+    }
+    // Add certificate verification part here
+
+    char ldap_uri[1024];
+
+    sprintf(ldap_uri,"ldaps://%s:%d",g_exauth_conf.exauth_servers[i].host,
+                                   g_exauth_conf.exauth_servers[i].port);
+    // Initialize OpenSSL
+    SSL_library_init();
+    OpenSSL_add_all_algorithms();
+    SSL_load_error_strings();
+    exau_log(" ldap_uri %s\n", ldap_uri);
+    // Initialize LDAP connection
+    rc = ldap_initialize(&ld, ldap_uri);
+    if (rc != LDAP_SUCCESS) {
+        exau_log("ldap_initialize failed: %s\n", ldap_err2string(rc));
+        return 1;
+    }
+
+    // Set LDAP options
+    int version = LDAP_VERSION3;
+    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+
+    if (g_exauth_conf.exauth_servers[i].insecureSkipVerify) {
+        exau_log("Skip certificate verification\n");
+        // Skip certificate verification
+        int opt = LDAP_OPT_X_TLS_NEVER;
+        ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt);
+    } else {
+        exau_log("Enable certificate verification\n");
+        // Load client certificate and key
+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, LDAPS_CLIENT_CERT_FILE);
+        if (rc != LDAP_SUCCESS) {
+            exau_log("Failed to set client certificate: %s\n", ldap_err2string(rc));
+            ldap_unbind_ext_s(ld, NULL, NULL);
+            return 1;
+        }
+        rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, LDAPS_CLIENT_KEY_FILE);
+        if (rc != LDAP_SUCCESS) {
+            exau_log("Failed to set client key: %s\n", ldap_err2string(rc));
+            ldap_unbind_ext_s(ld, NULL, NULL);
+            return 1;
+        }
+        // Load CA certificate
+        rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, LDAPS_ROOTCA_FILE);
+        if (rc != LDAP_SUCCESS) {
+            exau_log("Failed to set CA certificate: %s\n", ldap_err2string(rc));
+            ldap_unbind_ext_s(ld, NULL, NULL);
+            return 1;
+        }
+    }
+
+    // This is AD bug, if password is blank it allows tp login
+    if (strlen(password) == 0) {
+        return EXT_AUTH_FAILED;
+    }
+    msgid = ldap_simple_bind_s(ld, username, password);
+
+    if ( msgid != LDAP_SUCCESS ) {
+        exau_log("LDAPS login failed for user %s password %s.\n", username, password);
+        return EXT_AUTH_FAILED;
+    } else {
+        exau_log("LDAPS login successful for user %s.\n", username);
+        ret_value = EXT_AUTH_PASS_CONFIG;
+    }
+
+    // authorization off then will not do authorization only authentication
+    if (g_exauth_conf.external_authorize_on == EXT_AUTHORIZE_OFF){
+        exau_log("LDAPS authorization off for user %s.\n", username);
+        ret_value = EXT_AUTH_PASS_CONFIG;
+        ldap_unbind(ld);
+        return ret_value;
+    }
+    //authorization block
+    char search_string[1024];
+    if (strstr(username, "@")) {
+        sprintf(search_string,"\(\&\(userPrincipalName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf);
+    } else {
+        sprintf(search_string,"\(\&\(sAMAccountName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf);
+    }
+    msgid = ldap_search_s(ld, g_exauth_conf.exauth_servers[i].dn, LDAP_SCOPE_SUBTREE, search_string,
+                         attrs, attrsonly, &answer);
+    if ( msgid != LDAP_SUCCESS ) {
+        exau_log("LDAPS search failed for user %s.\n", username);
+        return EXT_AUTH_FAILED;
+    } else {
+        exau_log("LDAPS search successful for user %s.\n", username);
+    }
+
+    /* Return the number of objects found during the search */
+    entries_found = ldap_count_entries(ld, answer);
+    if ( entries_found == 0 ) {
+        exau_log("LDAPS authorization failed for user %s.\n", username);
+        ret_value = EXT_AUTH_PASS_ENABLE; // if authorization failed then not allow to do any change
+    } else {
+        ret_value = EXT_AUTH_PASS_CONFIG;
+        exau_log("LDAPS authorization success for user %s.\n", username);
+    }
+    if (ret_value != EXT_AUTH_PASS_CONFIG) {
+        ret_value = EXT_AUTH_PASS_ENABLE;
+    }
+    ldap_msgfree(answer);
+    ldap_unbind(ld);
+    ERR_free_strings();
+    EVP_cleanup();
+    CRYPTO_cleanup_all_ex_data();
+    return ret_value;
+}
+
+int
 external_auth_ldap(char *username, char *password)
 {
     /*the return value of ldap response type*/
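Review bot: `exau_log("LDAPS login failed for user %s password %s.\n", username, password);` writes the cleartext password into the log on every failed bind, which also captures mistyped passwords of valid users; drop the second argument: `exau_log("LDAPS login failed for user %s.\n", username);`. The username is spliced unescaped into the filter in the two `sprintf(search_string, ...)` lines, so a name containing `*`, `(`, `)` or `\` changes what the authorization search matches, and the literals there use `\(`, `\&` and `\=`, which are not valid C escape sequences; the fence below escapes the value per RFC 4515 and bounds the build. The skip-verify branch sets `LDAP_OPT_X_TLS_REQUIRE_CERT` to `LDAP_OPT_X_TLS_NEVER` on the global handle (`NULL`), so once any call runs with `insecureSkipVerify` set, every later connection in this process — including calls where the flag is off — is made without certificate checking and nothing ever resets it; set it on `ld`, set `LDAP_OPT_X_TLS_DEMAND` explicitly in the else branch, and (in OpenLDAP, as far as I recall) apply the per-handle TLS options with `LDAP_OPT_X_TLS_NEWCTX` before the bind. The `return 1;` paths after `ldap_initialize` and the three `ldap_set_option` failures return a value outside the `EXT_AUTH_*` convention (1 is `EXT_AUTH_ON` in auth_ext.h), and the early returns after the empty-password check, the failed bind and the failed search skip `ldap_unbind`/`ldap_msgfree`, leaking the handle. `SSL_library_init()` and the trailing `ERR_free_strings()`/`EVP_cleanup()`/`CRYPTO_cleanup_all_ex_data()` initialise and then tear down process-wide OpenSSL state on every authentication from inside a library that is linked into sshd, which can break other OpenSSL users in the same process; leave global init/cleanup to the hosting program.
```c
/* Escape the RFC 4515 filter metacharacters of src into dst.
 * Returns 0 on success, -1 when dst (dstlen bytes) is too small. */
static int
ldap_filter_escape(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0) {
        return -1;
    }
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20) {
            if (o + 3 >= dstlen) {
                return -1;
            }
            dst[o++] = '\\';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= dstlen) {
                return -1;
            }
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return 0;
}

/* … unchanged: external_auth_one_ldaps() up to the authorization block … */
    char search_string[1024];
    char safe_user[512];
    int n;

    /* Escape the caller-supplied name so it can only match as a literal value. */
    if (ldap_filter_escape(safe_user, sizeof safe_user, username) != 0) {
        ldap_unbind(ld);
        return EXT_AUTH_FAILED;
    }
    if (strstr(username, "@")) {
        n = snprintf(search_string, sizeof search_string, "(&(userPrincipalName=%s)(memberOf=%s))",
                     safe_user, g_exauth_conf.exauth_servers[i].memberOf);
    } else {
        n = snprintf(search_string, sizeof search_string, "(&(sAMAccountName=%s)(memberOf=%s))",
                     safe_user, g_exauth_conf.exauth_servers[i].memberOf);
    }
    if (n < 0 || (size_t)n >= sizeof search_string) {
        ldap_unbind(ld);
        return EXT_AUTH_FAILED;
    }
    /* … unchanged: ldap_search_s() and the rest of the authorization block … */
```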
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h	(working copy)
@@ -23,9 +23,10 @@
 #define HOST_LEN 256
 #define DN_LEN 256
 #define MEMBEROF_LEN 256
+#define CERT_LEN 2048 
 #define SECRET_LEN 129
 #define EXAUTH_DEF_METHOD		"RADIUS"
-#define MAX_EXAU_SERVER_NUM	        3	
+#define MAX_EXAU_SERVER_NUM	        4 
 #define IP_PRESENTATION_LEN		100	/*ip presentation length*/
 
 #define CLI_EXAUTH_ON				"admin aaa on"
@@ -34,6 +35,7 @@
 #define CLI_EXAUTH_SERVER			"admin aaa server"
 #define CLI_EXAUTHORIZE_ON				"admin aaa authorize on"
 #define CLI_EXAUTHORIZE_OFF				"admin aaa authorize off"
+#define CLI_LDAPS_SKIPVERIFY				"admin aaa server ldaps skipverify"
 #define CLI_SHOW_EXAUTH_ALL			"show admin aaa all"
 #define CLI_NO_EXAUTH_SERVER		"no admin aaa server"
 #define CLI_CLEAR_EXAUTH_ALL		"clear admin aaa all"
@@ -41,9 +43,11 @@
 #define EXAUTH_SERVER_ID1			"es01"
 #define EXAUTH_SERVER_ID2			"es02"
 #define EXAUTH_SERVER_ID3                       "es03"
+#define EXAUTH_SERVER_ID4                       "es04"
 #define EXAUTH_METHOD_STRING_RADIUS		"RADIUS"
 #define EXAUTH_METHOD_STRING_TAC_X		"TAC_X"
 #define EXAUTH_METHOD_STRING_LDAP               "LDAP"
+#define EXAUTH_METHOD_STRING_LDAPS              "LDAPS"
 #define EXAUTH_METHOD_STRING_UNKONWN	"UNKONWN METHOD"
 
 #define EXAUTH_PRIORITY_HIGH		1
@@ -53,10 +57,15 @@
 typedef enum exau_method {
 	METHOD_RADIUS,
 	METHOD_TAC_X,
-        METHOD_LDAP
+        METHOD_LDAP,
+        METHOD_LDAPS
 } enum_exau_method;
 
-/*the structure for radius server*/
+#define false 0
+#define true 1
+typedef int bool;
+
+/*the structure for servenl authentication server*/
 typedef struct exauth_server {
 	char id[5];
 	char host[HOST_LEN];
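Review bot: `#define false 0`, `#define true 1` and `typedef int bool;` in a shared header collide with `<stdbool.h>` in any translation unit that includes both (there `bool` is a macro for `_Bool`, so the typedef becomes `typedef int _Bool;`, and `true`/`false` are redefined); include `<stdbool.h>` instead, or if the toolchain lacks it, declare the new field as `int insecureSkipVerify;` and use the `EXT_SKIPVERIFY_ON`/`EXT_SKIPVERIFY_OFF` constants this change adds as its values. The new struct comment also has a typo, `/*the structure for servenl authentication server*/`; presumably `/*the structure for an external authentication server*/` was meant.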
@@ -66,6 +75,7 @@
 	unsigned short max_retry;
         char dn[DN_LEN];
         char memberOf[MEMBEROF_LEN];
+        bool insecureSkipVerify;
 } exauth_server_t;
 
 /*the structure wrapper*/
@@ -74,7 +84,7 @@
 	int external_authorize_on;
 	int ext_auth_priority;
 	enum_exau_method exau_method;
-	exauth_server_t exauth_servers[3];
+	exauth_server_t exauth_servers[4];
 } exauth_conf_t;
 
 /*turn on external authentication*/
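Review bot: `exauth_server_t exauth_servers[4];` repeats the count as a literal while this same change bumps `MAX_EXAU_SERVER_NUM` to 4 and the loops iterate with that macro; write `exauth_server_t exauth_servers[MAX_EXAU_SERVER_NUM];` so the two cannot drift apart again. Since `exauth_conf_t` is copied to and from shared memory by `get_auth_conf`/`set_auth_conf`, both this array growth and the new `insecureSkipVerify` field change the layout every attached process must agree on; a header comment such as `/* layout is shared via shm: rebuild every consumer (backend, sshd, webui, pyexauth) when this struct changes */` would make that contract explicit.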
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c	(working copy)
@@ -153,9 +153,13 @@
         {
                 g_exauth_conf.exau_method = METHOD_LDAP;
         }
+        else if (strcasecmp(method, EXAUTH_METHOD_STRING_LDAPS) == 0)
+        {
+                g_exauth_conf.exau_method = METHOD_LDAPS;
+        }
 	else
 	{
-		printf ("%s | %s | %s \n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X, EXAUTH_METHOD_STRING_LDAP);
+		printf ("%s | %s | %s | %S \n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X, EXAUTH_METHOD_STRING_LDAP, EXAUTH_METHOD_STRING_LDAPS);
 	}
 
 	/*update conf to shared mem*/
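Review bot: `%S` in the new `printf ("%s | %s | %s | %S \n", ...)` is the wide-string conversion and expects a `wchar_t *`, but `EXAUTH_METHOD_STRING_LDAPS` is a `char *` literal, so the call is undefined behaviour and will typically print garbage or crash; use `%s`. `-Wformat` catches this at compile time. The enclosing function ends outside this hunk.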
@@ -164,6 +168,64 @@
 	return 0;
 }
 
+/*configure an exauth ldaps server*/
+int
+exauth_ldaps_server(char *id, char *host, uint16_t port, char *dn, char *memberOf)
+{
+        int id_num = -1;
+        char *str_num = NULL, *ep = NULL;
+
+
+        if (id == NULL || host == NULL || dn == NULL || memberOf == NULL)
+        {
+                return -1;
+        }
+
+        get_auth_conf(&shm_p, &g_exauth_conf);
+        /*invalid server id, should be "es01" or "es02"*/
+        if (strcmp(id, EXAUTH_SERVER_ID4))
+        {
+                printf ("%s \n", EXAUTH_SERVER_ID4);
+                return 0;
+        }
+
+        /*assign id*/
+        str_num = id + 3;
+        id_num = (int)strtol(str_num, &ep,10) - 1;
+
+        if (id_num == 3)
+        {
+                strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID4);
+        }
+
+        /*assign host*/
+        strncpy(g_exauth_conf.exauth_servers[id_num].host, host, HOST_LEN);
+
+        /*assign port*/
+        g_exauth_conf.exauth_servers[id_num].port = port;
+        /*assign dn*/
+        strncpy(g_exauth_conf.exauth_servers[id_num].dn, dn, DN_LEN);
+
+        /*assign memberOf*/
+        strncpy(g_exauth_conf.exauth_servers[id_num].memberOf, memberOf, MEMBEROF_LEN);
+
+        g_exauth_conf.exauth_servers[id_num].max_retry  = LDAP_DEF_RETRIES;
+        /*update conf to shared mem*/
+        set_auth_conf(&shm_p, &g_exauth_conf);
+        return 0;
+}
+
+/*configure disble certificate verification for ldaps*/
+int 
+ldaps_certificate_skipverify(int flag) 
+{
+        get_auth_conf(&shm_p, &g_exauth_conf);
+        g_exauth_conf.exauth_servers[3].insecureSkipVerify = flag;
+        set_auth_conf(&shm_p, &g_exauth_conf);
+
+        return 0;
+}
+
 /*configure an exauth ldap server*/
 int
 exauth_ldap_server(char *id, char *host, uint16_t port, char *dn, char *memberOf)
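Review bot: `strncpy(g_exauth_conf.exauth_servers[id_num].host, host, HOST_LEN);` and the two `strncpy` calls for `dn` and `memberOf` copy up to the full field size, so an argument of HOST_LEN/DN_LEN/MEMBEROF_LEN bytes or more leaves the field unterminated inside the shared-memory config that `external_auth_one_ldaps()` later feeds to `sprintf`; copy at most `LEN - 1` bytes and NUL-terminate, or use `snprintf(dst, sizeof dst, "%s", src)`. The comment `/*invalid server id, should be "es01" or "es02"*/` is stale here, since this function accepts only `EXAUTH_SERVER_ID4`, and the `strtol`/`id_num == 3` sequence is then redundant — `id_num = 3;` with a comment that LDAPS is pinned to the es04 slot would say what the code does. `ldaps_certificate_skipverify()` hard-codes the same slot and stores the raw CLI integer, so a value such as 7 is persisted and later printed back by show/save; normalise it, e.g. `g_exauth_conf.exauth_servers[3].insecureSkipVerify = (flag != 0) ? EXT_SKIPVERIFY_ON : EXT_SKIPVERIFY_OFF;` if auth_ext.h is in scope here. Because `external_auth_ldaps()` iterates every slot with a non-empty id, entries left in es01–es03 from an earlier RADIUS/LDAP configuration would presumably also be tried over LDAPS; worth confirming whether switching methods clears them.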
@@ -305,9 +367,9 @@
 		return -1;
 	}
 
-	if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3))
+	if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3), strcmp(id, EXAUTH_SERVER_ID4))
 	{
-		printf ("%s | %s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2, EXAUTH_SERVER_ID3);
+		printf ("%s | %s | %s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2, EXAUTH_SERVER_ID3, EXAUTH_SERVER_ID4);
 		return 0;
 	}
 
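Review bot: `strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3), strcmp(id, EXAUTH_SERVER_ID4)` uses the comma operator, so the whole condition reduces to `strcmp(id, EXAUTH_SERVER_ID4)`: es01–es03 are now rejected with the usage message and only es04 is accepted, the opposite of what the enlarged `printf` suggests. Replace the comma with `&&`. Building with `-Wall` would flag the discarded left operand (`-Wunused-value`). The enclosing function starts and ends outside this hunk.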
@@ -367,6 +429,10 @@
                 case METHOD_LDAP:
                         printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP);
                         break;
+                case METHOD_LDAPS:
+                        printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAPS);
+                        printf("%s %d\n", CLI_LDAPS_SKIPVERIFY, g_exauth_conf.exauth_servers[i].insecureSkipVerify);
+                        break;
 
 		default:
 			printf ("show %s faild\n", CLI_EXAUTH_METHOD);
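Review bot: `printf("%s %d\n", CLI_LDAPS_SKIPVERIFY, g_exauth_conf.exauth_servers[i].insecureSkipVerify);` indexes with `i` inside the method switch; in the save routine (hunk `@@ -482,6 +558,12 @@`) that switch runs before the `for (i = 0; ...)` server loop while `i` is still the uninitialised `int i;` declared at the top of that function, so the read is undefined behaviour unless an earlier loop outside the hunk assigns it; the show routine here presumably has the same shape, though its declaration is outside this hunk. Since `ldaps_certificate_skipverify()` writes only slot 3, read that slot here: `g_exauth_conf.exauth_servers[3].insecureSkipVerify`, ideally through one named constant (suggested name `LDAPS_SERVER_SLOT`) shared by the setter, show and save. The same fix applies to the `sprintf` in the save hunk.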
@@ -387,6 +453,16 @@
                                         g_exauth_conf.exauth_servers[i].dn,
                                         g_exauth_conf.exauth_servers[i].memberOf
                                         );
+                    } else if (g_exauth_conf.exau_method == METHOD_LDAPS) {
+                        printf ("%s ldaps property %s \"%s\" %d \"%s\" \"%s\"\n",
+                                    CLI_EXAUTH_SERVER,
+                                    g_exauth_conf.exauth_servers[i].id,
+                                        g_exauth_conf.exauth_servers[i].host,
+                                        g_exauth_conf.exauth_servers[i].port,
+                                        g_exauth_conf.exauth_servers[i].dn,
+                                        g_exauth_conf.exauth_servers[i].memberOf
+                                        );
+
                     } else {
                         printf ("%s radius %s \"%s\" %d \"%s\"\n",
                                     CLI_EXAUTH_SERVER,
@@ -423,7 +499,7 @@
 {
 	/*write buffer*/
 	char *conf_buf = NULL;
-
+        printf("%s %d\n", __FUNCTION__, __LINE__);
 	/*buffer offset*/
 	int buf_offset = 0;
 	int i;
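Review bot: `printf("%s %d\n", __FUNCTION__, __LINE__);` is debug tracing left in the configuration-save routine, and the same applies to the inserts in the hunks at `@@ -482`, `@@ -491`, `@@ -502` and `@@ -516`; the last one, `printf("%s %d %s\n", __FUNCTION__, __LINE__, conf_buf);`, echoes the whole saved AAA configuration (including the radius line built from `encrypted_secret`) to stdout every time the configuration is written. Remove them before merge, or route them through a debug-level `exau_log` that is off by default. The enclosing function starts outside this hunk.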
@@ -443,14 +519,14 @@
 	 *
 	 * each cmd line can have maximum LINE_LEN characters
 	 */
-	conf_buf = (char *)malloc(LINE_LEN * 5);
+	conf_buf = (char *)malloc(LINE_LEN * 6);
 	if (conf_buf == NULL) 
 	{
        printf("Could not save the admin aaa configuration.\n");
        return NULL;
 	}
 
-	memset (conf_buf, 0, LINE_LEN * 4);
+	memset (conf_buf, 0, LINE_LEN * 6);
 
 	/*show admin aaa on |off*/
 	if (g_exauth_conf.external_auth_on == EXT_AUTH_ON)
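Review bot: `conf_buf = (char *)malloc(LINE_LEN * 6);` sizes the buffer for six lines, but the lines this routine now emits with unbounded `sprintf` include aaa on/off, method, the new skipverify line and up to `MAX_EXAU_SERVER_NUM` (now 4) server lines, which already reaches seven before any authorize/priority lines that may be written outside this hunk; derive the size from the constants, e.g. `malloc(LINE_LEN * (MAX_EXAU_SERVER_NUM + 4))`, and switch the `sprintf(conf_buf + buf_offset, ...)` calls to `snprintf` with the remaining length. Correcting the `memset` to match the allocation is right; using `calloc` would make the two impossible to mismatch again. The enclosing function starts and ends outside this hunk.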
@@ -482,6 +558,12 @@
                 case METHOD_LDAP:
                         buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP);
                         break;
+                case METHOD_LDAPS:
+                        printf("%s %d\n", __FUNCTION__, __LINE__);
+                        buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAPS);
+                        buf_offset += sprintf(conf_buf + buf_offset,"%s %d\n", CLI_LDAPS_SKIPVERIFY, 
+                                    g_exauth_conf.exauth_servers[i].insecureSkipVerify);
+                        break;
 
 		default:
 			printf ("show %s faild\n", CLI_EXAUTH_METHOD);
@@ -491,6 +573,7 @@
 	/*show admin aaa server*/
 	for (i = 0; i < MAX_EXAU_SERVER_NUM; i++)
 	{
+                printf("%s %d\n", __FUNCTION__, __LINE__);
 		if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0')
 		{
                     if (g_exauth_conf.exau_method == METHOD_LDAP) {
@@ -502,6 +585,17 @@
                                         g_exauth_conf.exauth_servers[i].dn,
                                         g_exauth_conf.exauth_servers[i].memberOf
                                         );
+                    } else if (g_exauth_conf.exau_method == METHOD_LDAPS) {
+                        buf_offset += sprintf (conf_buf + buf_offset, "%s ldaps property %s \"%s\" %d \"%s\" \"%s\"\n",
+                                    CLI_EXAUTH_SERVER,
+                                    g_exauth_conf.exauth_servers[i].id,
+                                        g_exauth_conf.exauth_servers[i].host,
+                                        g_exauth_conf.exauth_servers[i].port,
+                                        g_exauth_conf.exauth_servers[i].dn,
+                                        g_exauth_conf.exauth_servers[i].memberOf
+                                        );
+                        printf("%s %d \n", __FUNCTION__, __LINE__);
+
                     } else {
                         encrypt_secret((unsigned char *)(g_exauth_conf.exauth_servers[i].secret), encrypted_secret);
                         buf_offset += sprintf (conf_buf + buf_offset, "%s radius %s \"%s\" %d \"%s\" \"%s\"\n",
@@ -516,5 +610,6 @@
 		}
 	}
 	}
+        printf("%s %d %s\n", __FUNCTION__, __LINE__, conf_buf);
 	return conf_buf;
 }
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_ipc.c
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_ipc.c	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_ipc.c	(working copy)
@@ -185,6 +185,7 @@
 	{
 		if (exauth_init_ipc(shm_p_p) < 0)
 		{
+		        printf ("set_auth_conf: failed\n");
 			return -1;
 		}
 	}
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm	(working copy)
@@ -48705,7 +48705,7 @@
 		function_name => "exauth_method",
 		function_args => [{
 								type => "STRING",
-								help_string => "method name(RADIUS or TAC_X or LDAP, default is RADIUS)",
+								help_string => "method name(RADIUS or TAC_X or LDAP or LDAPS , default is RADIUS)",
 								optional => "YES",
 								default_value => "\"RADIUS\"",
 		},],
@@ -48793,6 +48793,123 @@
                                                         },
                                                  ],
         },
+        {
+                obj_type => "MENU",
+                name => "ldaps",
+                parent_menu => "root_admin_server_aaa",
+                uniq_name => "root_admin_ldaps_server_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                help_string => "External authentication server configuration",
+        },
+        {
+                obj_type => "ITEM",
+                name => "property",
+                menu => "root_admin_ldaps_server_aaa",
+                help_string => "Configure external authentication server",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "exauth_ldaps_server",
+                function_args => [{
+                                                                type => "STRING",
+                                                                help_string => "id, es04(request will be sent to server es04)",
+                                                                optional => "NO",
+                                                   },
+                                                   {
+                                                                type => "STRING",
+                                                                help_string => "Host name or ip address",
+                                                                optional => "NO",
+                                                        },
+                                                        {
+                                                                type => "U16",
+                                                                help_string => "Port",
+                                                                optional => "NO",
+                                                        },
+                                                        {
+                                                                type => "STRING",
+                                                                help_string => "dn (Ex. OU=Eng,dc=example,dc=in)",
+                                                                optional => "YES",
+                                                                default_value => "\"\"",
+                                                        },
+                                                        {
+                                                                type => "STRING",
+                                                                help_string => "memberOf (Ex. CN=Engineering,DC=example,DC=in)",
+                                                                optional => "YES",
+                                                                default_value => "\"\"",
+                                                        },
+                                                 ],
+        },
+        {
+                obj_type => "ITEM",
+                name => "skipverify",
+                menu => "root_admin_ldaps_server_aaa",
+                help_string => "Turn off certificate verification",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "ldaps_certificate_skipverify",
+                function_args => [
+                                                        {
+                                                                type => "U32",
+                                                                help_string => "Set 1 for skip certificate verification.(Default = 0)",
+                                                                optional => "YES",
+                                                                default_value => 0,
+                                                        },
+                                                ],
+        },
+        {
+                obj_type => "ITEM",
+                name => "clientcert",
+                menu => "root_admin_ldaps_server_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                help_string => "Import PEM client certificate",
+                function_name => "exauth_ldaps_server_client_cert",
+                function_args => [
+                        {
+                                type => "STRING",
+                                name => "url",
+                                help_string => "FTP, TFTP or HTTP URL",
+                                optional => "YES",
+                                default_value => "\"\"",
+                        },
+                ],
+        },
+        {
+                obj_type => "ITEM",
+                name => "clientkey",
+                menu => "root_admin_ldaps_server_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                help_string => "Import PEM client key",
+                function_name => "exauth_ldaps_server_client_key",
+                function_args => [
+                        {
+                                type => "STRING",
+                                name => "url",
+                                help_string => "FTP, TFTP or HTTP URL",
+                                optional => "YES",
+                                default_value => "\"\"",
+                        },
+                ],
+        },
+        {
+                obj_type => "ITEM",
+                name => "rootca",
+                menu => "root_admin_ldaps_server_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                help_string => "Import CA certificate used for client authentication",
+                function_name => "exauth_ldaps_server_client_rootca",
+                function_args => [
+                        {
+                                type => "STRING",
+                                name => "url",
+                                help_string => "FTP, TFTP or HTTP URL",
+                                optional => "YES",
+                                default_value => "\"\"",
+                        },
+                ],
+        },
 	{
 		obj_type => "MENU",
 		name => "authorize",
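Review bot: The `rootca` item's `help_string => "Import CA certificate used for client authentication"` describes the file incorrectly: in `auth_ext.c` this file is passed as `LDAP_OPT_X_TLS_CACERTFILE`, so it is the CA used to verify the LDAPS server's certificate, while the client certificate and key are the separate `clientcert`/`clientkey` items. Suggest `help_string => "Import CA certificate used to verify the LDAPS server certificate"`. The `skipverify` help text could also state the consequence, e.g. `help_string => "Set 1 to disable server certificate verification (default = 0)"`, since the flag is persisted in the running configuration.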
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py	(working copy)
@@ -33,7 +33,7 @@
 """,
 	include_dirs=["../libexauth", "../libpyauth"],
 	library_dirs=tmp_library_dirs,
-	libraries=["ldap", "exauth", "fastlog", "bsd", "ssl", "pyauth", "crypt", "uinet_sysctl", "uinet_lite", "uinetnv", "rt"])
+	libraries=["ldap", "lber", "exauth", "fastlog", "bsd", "ssl", "crypto", "pyauth", "crypt", "uinet_sysctl", "uinet_lite", "uinetnv", "rt"])
 
 if __name__ == "__main__":
     ffi.compile()
Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libwebui/webui.c
===================================================================
--- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libwebui/webui.c	(revision 38350)
+++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libwebui/webui.c	(working copy)
@@ -1991,8 +1991,188 @@
 	}
 	return 0;
 }
+// LDAPS
+ca_errcode_t
+exauth_ldaps_server_client_cert(char* url)
+{
+        ca_errcode_t errcode = ERR_WEBUI_OK;
+        int  certfd;
+        char * tmp_crtfile = "/var/run/ldaps_client_cert.pem.bc";
+        char * cert_crtfile = "/var/run/ldaps_client_cert.pem";
+
+        if (file_exists(cert_crtfile) && cli_need_challenge()) {
+                char agree[5];
+
+                printf("You may overwrite an existing certificate.\nType YES to continue, NO to abort: ");
+                fflush(stdout);
+                bzero(agree,5);
+                if(read(STDIN_FILENO,agree,4) <= 0)
+                        return ERR_WEBUI_USER_ABORT;
+                /* user did not agree to cert overwrite */
+                if (strncmp(agree,"YES\n",4) != 0) {
+                        printf("Aborted certificate import\n");
+                        /* read and ignore anymore input from  */
+                        do{
+                        }while(strchr(agree, '\n') == NULL && !(getchar() == '\n'));
+                        return ERR_WEBUI_USER_ABORT;
+                }
+        }
+        if (url == NULL || strlen(url) == 0) {
+                certfd = open(tmp_crtfile, O_WRONLY|O_CREAT|O_TRUNC,
+                      S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+                if ( certfd < 0 ){
+                        printf ("Error saving certificate file\n");
+                        return ERR_WEBUI_INVALID_ARG;
+                }
+                /* imput from console */
+                printf("Please enter the SSL certificate in PEM format. \nUse ellipsis (...) in the final line to finish the input.\n");
+                fflush(stdout);
+
+                ssl_import_via_stdin(certfd);
+                close(certfd);
+        } else {
+                if (import_file(url, tmp_crtfile) != SUCCESS) {
+                        unlink(tmp_crtfile);
+                        return ERR_WEBUI_INVALID_ARG;
+                }
+        }
+#if 0
+        if (check_format(tmp_crtfile, WEBUI_SSL_TYPE_CERT, APP_WEBUI) != 0) {
+                unlink(tmp_crtfile);
+                return ERR_WEBUI_INVALID_ARG;
+        }
+#endif
+        unlink(cert_crtfile);
+        rename(tmp_crtfile, cert_crtfile);
+        unlink(tmp_crtfile);
+        if (webui_need_reload_conf()) {
+                stop_in_sysmon(WEBUI_NEW_ON_EXE);
+                start_in_sysmon(WEBUI_NEW_ON_EXE, WEBUI_NEW_PID_FILE, 1);
+        }
+        printf("WebUI Client certificate import successful!\n");
+        return errcode;
+}
+ca_errcode_t
+exauth_ldaps_server_client_rootca(char* url)
+{
+        ca_errcode_t errcode = ERR_WEBUI_OK;
+        int  certfd;
+        char * tmp_crtfile = "/var/run/ldaps_root_cert.pem.bc";
+        char * cert_crtfile = "/var/run/ldaps_root_cert.pem";
+
+        if (file_exists(cert_crtfile) && cli_need_challenge()) {
+                char agree[5];
 
+                printf("You may overwrite an existing certificate.\nType YES to continue, NO to abort: ");
+                fflush(stdout);
+                bzero(agree,5);
+                if(read(STDIN_FILENO,agree,4) <= 0)
+                        return ERR_WEBUI_USER_ABORT;
+                /* user did not agree to cert overwrite */
+                if (strncmp(agree,"YES\n",4) != 0) {
+                        printf("Aborted certificate import\n");
+                        /* read and ignore anymore input from  */
+                        do{
+                        }while(strchr(agree, '\n') == NULL && !(getchar() == '\n'));
+                        return ERR_WEBUI_USER_ABORT;
+                }
+        }
+        if (url == NULL || strlen(url) == 0) {
+                certfd = open(tmp_crtfile, O_WRONLY|O_CREAT|O_TRUNC,
+                      S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+                if ( certfd < 0 ){
+                        printf ("Error saving certificate file\n");
+                        return ERR_WEBUI_INVALID_ARG;
+                }
+                /* imput from console */
+                printf("Please enter the WebUI SSL certificate in PEM format. \nUse ellipsis (...) in the final line to finish the input.\n");
+                fflush(stdout);
 
+                ssl_import_via_stdin(certfd);
+                close(certfd);
+        } else {
+                if (import_file(url, tmp_crtfile) != SUCCESS) {
+                        unlink(tmp_crtfile);
+                        return ERR_WEBUI_INVALID_ARG;
+                }
+        }
+#if 0
+        if (check_format(tmp_crtfile, WEBUI_SSL_TYPE_CERT, APP_WEBUI) != 0) {
+                unlink(tmp_crtfile);
+                return ERR_WEBUI_INVALID_ARG;
+        }
+#endif
+        unlink(cert_crtfile);
+        rename(tmp_crtfile, cert_crtfile);
+        unlink(tmp_crtfile);
+        if (webui_need_reload_conf()) {
+                stop_in_sysmon(WEBUI_NEW_ON_EXE);
+                start_in_sysmon(WEBUI_NEW_ON_EXE, WEBUI_NEW_PID_FILE, 1);
+        }
+        printf("WebUI Client certificate import successful!\n");
+        return errcode;
+}
+
+ca_errcode_t
+exauth_ldaps_server_client_key(char* url)
+{
+        ca_errcode_t errcode = ERR_WEBUI_OK;
+        int  certfd;
+        char * tmp_crtfile = "/var/run/ldaps_client_key.pem.bc";
+        char * cert_crtfile = "/var/run/ldaps_client_key.pem";
+
+        if (file_exists(cert_crtfile) && cli_need_challenge()) {
+                char agree[5];
+
+                printf("You may overwrite an existing certificate.\nType YES to continue, NO to abort: ");
+                fflush(stdout);
+                bzero(agree,5);
+                if(read(STDIN_FILENO,agree,4) <= 0)
+                        return ERR_WEBUI_USER_ABORT;
+                /* user did not agree to cert overwrite */
+                if (strncmp(agree,"YES\n",4) != 0) {
+                        printf("Aborted certificate import\n");
+                        /* read and ignore anymore input from  */
+                        do{
+                        }while(strchr(agree, '\n') == NULL && !(getchar() == '\n'));
+                        return ERR_WEBUI_USER_ABORT;
+                }
+        }
+        if (url == NULL || strlen(url) == 0) {
+                certfd = open(tmp_crtfile, O_WRONLY|O_CREAT|O_TRUNC,
+                      S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+                if ( certfd < 0 ){
+                        printf ("Error saving certificate file\n");
+                        return ERR_WEBUI_INVALID_ARG;
+                }
+                /* imput from console */
+                printf("Please enter the WebUI SSL certificate in PEM format. \nUse ellipsis (...) in the final line to finish the input.\n");
+                fflush(stdout);
+
+                ssl_import_via_stdin(certfd);
+                close(certfd);
+        } else {
+                if (import_file(url, tmp_crtfile) != SUCCESS) {
+                        unlink(tmp_crtfile);
+                        return ERR_WEBUI_INVALID_ARG;
+                }
+        }
+#if 0
+        if (check_format(tmp_crtfile, WEBUI_SSL_TYPE_CERT, APP_WEBUI) != 0) {
+                unlink(tmp_crtfile);
+                return ERR_WEBUI_INVALID_ARG;
+        }
+#endif
+        unlink(cert_crtfile);
+        rename(tmp_crtfile, cert_crtfile);
+        unlink(tmp_crtfile);
+        if (webui_need_reload_conf()) {
+                stop_in_sysmon(WEBUI_NEW_ON_EXE);
+                start_in_sysmon(WEBUI_NEW_ON_EXE, WEBUI_NEW_PID_FILE, 1);
+        }
+        printf("WebUI Client certificate import successful!\n");
+        return errcode;
+}
 ca_errcode_t
 webui_ssl_import_certificate(char *url)
 {
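Review bot: The private key written by exauth_ldaps_server_client_key is created world-readable — the open() at the top of its `url == NULL` branch uses `S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH`, copied unchanged from the two certificate importers, and the mode of the file import_file() writes in the URL branch is not visible in this hunk. A client key should be owner-only: `certfd = open(tmp_crtfile, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);` in the console branch, and an explicit `chmod(tmp_crtfile, S_IRUSR|S_IWUSR)` before the rename so the URL branch gets the same protection. In all three new functions the result of `rename(tmp_crtfile, cert_crtfile)` is ignored after the old file has already been unlinked, so a failed rename leaves no file in place yet still restarts the service and prints the success message; check it, e.g. `if (rename(tmp_crtfile, cert_crtfile) != 0) { unlink(tmp_crtfile); return ERR_WEBUI_INVALID_ARG; }`. The check_format() call is `#if 0`'d out in all three, so nothing verifies that the stored material is PEM before it is installed; if the existing check cannot handle key files, a comment saying so is better than a silently disabled block. The three bodies differ only in the path pair and prompt strings (and the rootca/key prompts and the success message still say "WebUI ... certificate"), so a single static helper taking the two paths and the file mode would remove the triplication and keep the fixes above in one place.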
