Re: [hylafax-users] Hylafax and ldap

To: gyvirag@xxxxxxxxxxxxxxxxx
Subject: Re: [hylafax-users] Hylafax and ldap
From: Marcin Giedz <marcin.giedz@xxxxxxxxxxxxxx>
Cc: hylafax-users@xxxxxxxxxxx
Date: Wed, 4 Aug 2004 13:47:08 +0200

hi,


First of all you need ldap development package 
-next you add patch: cd hylafax-xxxx; patch -p1 ../hylafax.-ldap.patch
-next configure hylafax: ./configure
-next change defs and config.h file according to hylafax-ldap.readme file
-next compile hylafax
-next copy ldap.conf to /var/spool/hylafax/etc/ and change according to your 
ldap server
-restart hylafax
-try telnet localhost 4559
scape character is '^]'.
220 localhost server (HylaFAX (tm) Version 4.2cvs-2004-08-04) ready.
user xxxx
331 Password required for xxxx.
pass aaaa
230 User xxxx logged in.

Marcin

diff -urN hylafax-org/hfaxd/HylaFAXServer.h hylafax-ldap/hfaxd/HylaFAXServer.h
--- hylafax-org/hfaxd/HylaFAXServer.h	2004-04-28 10:03:04.000000000 +0200
+++ hylafax-ldap/hfaxd/HylaFAXServer.h	2004-07-23 14:43:02.000000000 +0200
@@ -48,6 +48,25 @@
 }
 #endif // HAVE_PAM
 
+#ifdef HAVE_LDAP
+#include <ldap.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <lber.h>
+#include <iostream.h>
+#include <fstream.h>
+
+extern char sIP [ ];
+extern int iPort;
+extern int iLDAPVersion;
+extern char p_LDAP_Admin_Name [ ];
+extern char p_LDAP_Admin_Passwd [ ];
+extern char p_LDAP_Base [ ];
+int read_ldap_config(const char* pConfig, char* pIP, int* pPort, char* pAdminLogin, char* pAdminPassword, char* pBase, int* pVersion);
+#endif // HAVE_LDAP
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <dirent.h>
@@ -355,6 +374,8 @@
     bool userID(const char*, u_int& id);
     void fillIDCache(void);
 
+    bool ldapCheck(const char* user, const char* pass);
+
     bool cvtPasswd(const char* type, const char* pass, fxStr& result);
     bool findUser(FILE* db, const char* user, u_int& newuid);
     bool addUser(FILE* db, const char* user, u_int uid,
@@ -589,7 +610,7 @@
  * business seeing.  Also we implement an access
  * control system that is built on top of the
  * normal UNIX protection mechanisms.
- */ 
+ */
 struct SpoolDir {
     const char*	pathname;
     bool adminOnly;	// accessible by unprivileged clients
diff -urN hylafax-org/hfaxd/Login.c++ hylafax-ldap/hfaxd/Login.c++
--- hylafax-org/hfaxd/Login.c++	2004-04-28 10:03:04.000000000 +0200
+++ hylafax-ldap/hfaxd/Login.c++	2004-07-23 14:43:02.000000000 +0200
@@ -137,6 +137,105 @@
 	return(retval);
 }
 
+/**
+* ldapCheck
+* function checks if user with selected login and password exists in LDAP
+* param user [IN] - pointer to string containing user login
+* param pass [IN] - pointer to string containing user password
+* return true if user exists
+*/
+bool
+HylaFAXServer::ldapCheck( const char* user, const char* pass )
+{
+	bool retval = false;
+#ifdef HAVE_LDAP
+
+	int err;
+	char filter [ 255 ];
+	snprintf( filter, 255, "uid=%s", user );
+	char* pspass;
+	char spass[ 255 ];
+	LDAPMessage* pEntries;
+	LDAPMessage* pEntry;
+	char **p_arr_values;
+	char ldap_conf_file [ 1024 ];
+	LDAP* p_LDAPConn;
+
+	snprintf( ldap_conf_file, 1024, "%s/etc/ldap.conf", FAX_SPOOLDIR ); // create string with configuration file path name
+
+	err = read_ldap_config( ( const char* ) ldap_conf_file, sIP, &iPort, p_LDAP_Admin_Name, p_LDAP_Admin_Passwd, p_LDAP_Base, &iLDAPVersion );
+
+	if ( err == -1 )
+	{
+		reply( 530, "Configuration file not found" );
+		return false;
+	}
+	if ( err == -2 )
+	{
+		reply( 530, "Configuration file incomplete" );
+		return false;
+	}
+
+	p_LDAPConn = ldap_init( sIP, iPort );
+	if ( p_LDAPConn == NULL )
+	{
+		reply( 530, "Unable to connect to LDAP" );
+		return false;
+	}
+	err = ldap_set_option( p_LDAPConn, LDAP_OPT_PROTOCOL_VERSION, ( void * ) & iLDAPVersion );
+	if ( err != LDAP_SUCCESS )
+	{
+		reply( 530, "Set Option LDAP error %d: %s", err, ldap_err2string( err ) );
+		ldap_unbind_s( p_LDAPConn );
+		return false;
+	}
+
+	err = ldap_simple_bind_s( p_LDAPConn, p_LDAP_Admin_Name, p_LDAP_Admin_Passwd );
+	if ( err != LDAP_SUCCESS )
+	{
+		reply( 530, "Bind LDAP error %d: %s", err, ldap_err2string( err ) );
+		ldap_unbind_s( p_LDAPConn );
+		return false;
+	}
+
+	err = ldap_search_s( p_LDAPConn, p_LDAP_Base, LDAP_SCOPE_SUBTREE, filter, NULL, 0, &pEntries );
+	if ( err != LDAP_SUCCESS )
+	{
+		reply( 530, "Search LDAP error %d: %s", err, ldap_err2string( err ) );
+		ldap_unbind_s( p_LDAPConn );
+		return false;
+	}
+	pEntry = ldap_first_entry( p_LDAPConn, pEntries );
+	if ( pEntry == NULL )
+	{
+		reply( 530, "LDAP user not found" );
+		ldap_unbind_s( p_LDAPConn );
+		return false;
+	}
+
+	p_arr_values = ldap_get_values( p_LDAPConn, pEntry, "userPassword" );
+	if ( p_arr_values == NULL )
+	{
+		reply( 530, "LDAP attribute userPassword not found" );
+		ldap_unbind_s( p_LDAPConn );
+		return false;
+	}
+
+	strcpy( spass, p_arr_values[ 0 ] );
+	ldap_value_free( p_arr_values );
+	ldap_unbind_s( p_LDAPConn );
+
+	pspass = spass;
+
+	if ( strncmp( spass, "{crypt}", 7 ) == 0 )
+		pspass += 7;
+
+	retval = ( strcmp( crypt( pass, pspass ), pspass ) == 0 );
+#endif //HAVE_LDAP
+
+	return retval;
+}
+
 bool
 HylaFAXServer::pamCheck(const char* user, const char* pass)
 {
@@ -196,7 +295,11 @@
 	pass++;
     } else
 	state |= S_LREPLIES;
+#ifdef HAVE_LDAP
+    if (pass[0] == '\0' || !(ldapCheck(the_user, pass))) {
+#else
     if (pass[0] == '\0' || !(strcmp(crypt(pass, passwd), passwd) == 0 || pamCheck(the_user, pass))) {
+#endif
 	if (++loginAttempts >= maxLoginAttempts) {
 	    reply(530, "Login incorrect (closing connection).");
 	    logNotice("Repeated login failures for user %s from %s [%s]"
@@ -332,3 +435,5 @@
 	Sys::unlink(clientFIFOName);
     _exit(status);		// beware of flushing buffers after a SIGPIPE
 }
+
+
diff -urN hylafax-org/hfaxd/User.c++ hylafax-ldap/hfaxd/User.c++
--- hylafax-org/hfaxd/User.c++	2004-04-28 10:03:04.000000000 +0200
+++ hylafax-ldap/hfaxd/User.c++	2004-07-23 14:43:02.000000000 +0200
@@ -49,6 +49,177 @@
 gid_t	HylaFAXServer::faxuid = 0;		// reserved fax uid
 #define	FAXUID_RESV	HylaFAXServer::faxuid	// reserved fax uid
 
+#ifdef HAVE_LDAP
+char sIP [ 16 ];
+int iPort;
+int iLDAPVersion;
+char p_LDAP_Admin_Name [ 255 ];
+char p_LDAP_Admin_Passwd [ 255 ];
+char p_LDAP_Base [ 1024 ];
+#endif // HAVE_LDAP
+
+
+#ifdef HAVE_LDAP
+/**
+* read_ldap_config
+* param pConfig [IN] points to configuration file name
+* param pIP [OUT] (attribute "LDAPServerIP") points to buffer which will receive LDAP Server IP (buffer must be large enough - there isn't any overrun protection)
+* param pPort [OUT] (attribute "LDAPServerPort") points to variable which will receive LDAP Server port
+* param pAdminLogin [OUT] (attribute "LDAPAdminName") points to buffer which will receive LDAP Server Admin Login (buffer must be large enough - there isn't any overrun protection)
+* param pAdminPassword [OUT] (attribute "LDAPAdminPasswd") points to buffer which will receive LDAP Server Admin Password (buffer must be large enough - there isn't any overrun protection)
+* param pBase [OUT] (attribute "LDAPBase") points to buffer which will receive LDAP Server Base Node Value (buffer must be large enough - there isn't any overrun protection)
+* param pVersion [OUT] (attribute "LDAPVersion") points to variable which will receive LDAP Server Version to set
+* return 0 - no error occured
+* return -1 - configuration file missing / not found / unable to open
+* return -2 - at least one of output values were not found in configuration file and not set
+* configuration line format: <attribute>':'[' ' | '\t']<value>
+*/
+int read_ldap_config(const char* pConfig, char* pIP, int* pPort, char* pAdminLogin, char* pAdminPassword, char* pBase, int* pVersion)
+{
+    static bool bRead = false;
+    if (bRead)
+	return 0;
+
+    int retval;
+    int cnt = 0;
+    char line [ 1024 ];
+    char* pA, *pB;
+    bool fTrim;
+
+    uid_t ouid = geteuid();
+    seteuid( 0 );
+
+    FILE* stream = fopen((char*) pConfig, "r"); // open configuration file
+
+    int err = errno;
+    seteuid(ouid);
+
+    if (stream == NULL) {
+	return -1;
+    }
+
+    // Parse configuration file
+    while (!feof(stream)) {
+	if (fgets(line, sizeof(line), stream) == NULL)
+	    break;
+
+	fTrim = false;
+	pA = (char*) line;
+	if ( line[strlen(line)-1] == '\n')
+	    line[strlen(line)-1] = 0;
+
+	int len = strlen(line);
+	for (int i = 0; i < len; i++) {
+	    if (fTrim) {
+		if (line[i] == ' ' || line[i] == '\t') {
+		    line[ i ] = 0;
+		    pB = ((char*) line)+i+1;
+		} else
+    		    break;
+    	    }
+	    if (line[i] == ':') {
+		line[i] = 0;
+		fTrim = true;
+		pB = ((char*) line)+i+1;
+	    }
+	}
+	
+        if (strcmp(pA,"LDAPServerIP") == 0) {
+    	    strcpy(pIP, pB);
+	    cnt++;
+	}
+	if (strcmp(pA, "LDAPServerPort") == 0) {
+	    *pPort = atoi(pB);
+	    cnt++;
+	}
+	if (strcmp(pA, "LDAPAdminName") == 0) {
+	    strcpy(pAdminLogin, pB);
+	    cnt++;
+	}
+	if (strcmp(pA, "LDAPAdminPasswd") == 0) {
+	    strcpy(pAdminPassword, pB);
+	    cnt++;
+	}
+	if (strcmp(pA, "LDAPBase") == 0) {
+	    strcpy(pBase, pB);
+	    cnt++;
+	}
+	if (strcmp(pA, "LDAPVersion") == 0) {
+	    *pVersion = atoi( pB );
+	    cnt++;
+	}
+    }
+
+    fclose(stream); // close configuration file
+
+    // end of parsing configuration file
+    if (cnt != 6)
+	return -2;
+
+    bRead = true;
+    return 0;
+}
+#endif // HAVE_LDAP
+
+
+#ifdef HAVE_LDAP
+bool
+HylaFAXServer::checkUser(const char* name)
+{
+    int err;
+    LDAP* p_LDAPConn;
+    char filter [255];
+    
+    snprintf(filter, 255, "uid=%s", name);
+    
+    char* pspass;
+    char spass[255];
+    LDAPMessage* pEntries;
+    bool retval;
+
+    char ldap_conf_file [1024];
+    snprintf(ldap_conf_file, 1024, "%s/etc/ldap.conf", FAX_SPOOLDIR); // create string with configuration file path name
+
+    err = read_ldap_config((const char*) ldap_conf_file, sIP, &iPort, p_LDAP_Admin_Name, p_LDAP_Admin_Passwd, p_LDAP_Base, &iLDAPVersion);
+    if (err == -1) {
+	reply(530, "Configuration file not found");
+	return false;
+    }
+    if (err == -2) {
+	reply(530, "Configuration file incomplete");
+	return false;
+    }
+
+    p_LDAPConn = ldap_init(sIP, iPort);
+    if (p_LDAPConn == NULL) {
+	reply(530, "Unable to connect to LDAP");
+	return false;
+    }
+    err = ldap_set_option(p_LDAPConn, LDAP_OPT_PROTOCOL_VERSION, (void *) & iLDAPVersion);
+    if (err != LDAP_SUCCESS) {
+	reply(530, "Set Option LDAP error %d: %s", err, ldap_err2string(err));
+	ldap_unbind_s(p_LDAPConn);
+	return false;
+    }
+    err = ldap_simple_bind_s(p_LDAPConn, p_LDAP_Admin_Name, p_LDAP_Admin_Passwd);
+    if (err != LDAP_SUCCESS) {
+	reply(530, "Bind LDAP error %d: %s", err, ldap_err2string(err));
+	ldap_unbind_s(p_LDAPConn);
+	return false;
+    }
+    err = ldap_search_s(p_LDAPConn, p_LDAP_Base, LDAP_SCOPE_SUBTREE, filter, NULL, 0, &pEntries);
+    if (err != LDAP_SUCCESS) {
+	reply(530, "Search LDAP error %d: %s", err, ldap_err2string(err));
+	ldap_unbind_s(p_LDAPConn);
+	return false;
+    }
+    retval = (ldap_first_entry(p_LDAPConn, pEntries) != NULL);
+    ldap_unbind_s(p_LDAPConn);
+
+    return retval;
+}
+#else // HAVE_LDAP is not defined
+// previous (original) checkUser function version used by non-LDAP authentication
 bool
 HylaFAXServer::checkUser(const char* name)
 {
@@ -62,6 +233,7 @@
 	    (const char*) userAccessFile, strerror(errno));
     return (check);
 }
+#endif // HAVE_LDAP
 
 static bool
 nextRecord(FILE* db, char line[], u_int size)

1) add #define HAVE_LDAP 1 in config.h
2) add -lldap -llber -lresolv in defs in LDFLAGS....

LDAPServerIP:           192.xxxxxx
LDAPServerPort:         389
LDAPAdminName:          cn=ldapmanager,dc=eulerhermes,dc=pl
LDAPAdminPasswd:        text_password
LDAPBase:               ou=xxx,dc=example,dc=com
LDAPVersion:            3

Prev by Date: Re: [hylafax-users] Hylafax and ldap
Next by Date: Re: [hylafax-users] MT-5634ZPX-PCI-U 1.32i firmware
Previous by thread: Re: [hylafax-users] Hylafax and ldap
Next by thread: [hylafax-users] hylafax and relayfax, a problem whit first page
Index(es):
- Main
- Thread

Report any problems to webmaster@hylafax.org

HylaFAX is a trademark of Silicon Graphics Corporation.
Internet connectivity for hylafax.org is provided by:
VirtuALL Private Host Services