[Ipsec-tools-commits] ipsec-tools/src/racoon cfparse.y, 1.60, 1.61 cftoken.l, 1.48, 1.49 isakmp_cfg.c, 1.50, 1.51 isakmp_cfg.h, 1.17, 1.18 isakmp_xauth.c, 1.34, 1.35 isakmp_xauth.h, 1.10, 1.11 racoon.conf.5, 1.49, 1.50

[Emmanuel D. <ma...@us...>]

Update of /cvsroot/ipsec-tools/ipsec-tools/src/racoon
In directory sc8-pr-cvs2.sourceforge.net:/tmp/cvs-serv2903/src/racoon

Modified Files:
	cfparse.y cftoken.l isakmp_cfg.c isakmp_cfg.h isakmp_xauth.c 
	isakmp_xauth.h racoon.conf.5 
Log Message:
>From Matthew Grooms <mg...@sh...>: get mode config from LDAP


Index: isakmp_cfg.h
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_cfg.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18
--- isakmp_cfg.h	20 Jun 2006 20:31:33 -0000	1.17
+++ isakmp_cfg.h	24 Jun 2006 07:40:23 -0000	1.18
@@ -122,6 +122,7 @@
 /* For confsource */
 #define ISAKMP_CFG_CONF_LOCAL	0
 #define ISAKMP_CFG_CONF_RADIUS	1
+#define ISAKMP_CFG_CONF_LDAP	2
 
 /* For accounting */
 #define ISAKMP_CFG_ACCT_NONE	0
@@ -171,8 +172,8 @@
 #define ISAKMP_CFG_VENDORID_XAUTH	0x01	/* Supports Xauth */
 #define ISAKMP_CFG_VENDORID_UNITY	0x02	/* Cisco Unity compliant */
 #define ISAKMP_CFG_PORT_ALLOCATED	0x04	/* Port allocated */
-#define ISAKMP_CFG_ADDR4_RADIUS		0x08	/* Address from RADIUS  */
-#define ISAKMP_CFG_MASK4_RADIUS		0x10	/* Netmask from RADIUS */
+#define ISAKMP_CFG_ADDR4_EXTERN		0x08	/* Address from external config  */
+#define ISAKMP_CFG_MASK4_EXTERN		0x10	/* Netmask from external config */
 #define ISAKMP_CFG_ADDR4_LOCAL		0x20	/* Address from local pool */
 #define ISAKMP_CFG_MASK4_LOCAL		0x40	/* Netmask from local pool */
 #define ISAKMP_CFG_GOT_ADDR4		0x80	/* Client got address */

Index: isakmp_xauth.h
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_xauth.h,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -r1.10 -r1.11
--- isakmp_xauth.h	20 Jun 2006 20:31:33 -0000	1.10
+++ isakmp_xauth.h	24 Jun 2006 07:40:24 -0000	1.11
@@ -116,6 +116,12 @@
 #endif
 
 #ifdef HAVE_LIBLDAP
+
+#define LDAP_DFLT_HOST		"localhost"
+#define LDAP_DFLT_USER		"cn"
+#define LDAP_DFLT_ADDR		"racoon-address"
+#define LDAP_DFLT_MASK		"racoon-netmask"
+
 struct xauth_ldap_config {
 	int		pver;
 	vchar_t 	*host;
@@ -126,12 +132,14 @@
 	vchar_t		*bind_pw;
 	int		auth_type;
 	vchar_t		*attr_user;
+	vchar_t		*attr_addr;
+	vchar_t		*attr_mask;
 };
 
 extern struct xauth_ldap_config xauth_ldap_config;
 
 int xauth_ldap_init(void);
-int xauth_login_ldap(char *, char *);
+int xauth_login_ldap(struct ph1handle *, char *, char *);
 #endif
 
 #endif /* _ISAKMP_XAUTH_H */

Index: isakmp_cfg.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_cfg.c,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -d -r1.50 -r1.51
--- isakmp_cfg.c	7 Jun 2006 11:32:31 -0000	1.50
+++ isakmp_cfg.c	24 Jun 2006 07:40:23 -0000	1.51
@@ -775,6 +775,7 @@
 	struct isakmp_data *attr;
 {
 	int type;
+	int confsource;
 	in_addr_t addr4;
 
 	type = ntohs(attr->type);
@@ -788,12 +789,30 @@
 		return NULL;
 	}
 
+	confsource = isakmp_cfg_config.confsource;
+	/*
+	 * If we have to fall back to a local
+	 * configuration source, we will jump
+	 * back to this point.
+	 */
+retry_source:
+
 	switch(type) {
 	case INTERNAL_IP4_ADDRESS:
-		switch(isakmp_cfg_config.confsource) {
+		switch(confsource) {
+#ifdef HAVE_LIBLDAP
+		case ISAKMP_CFG_CONF_LDAP:
+			if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
+			    break;
+			plog(LLV_INFO, LOCATION, NULL, 
+			    "No IP from LDAP, using local pool\n");
+			/* FALLTHROUGH */
+			confsource = ISAKMP_CFG_CONF_LOCAL;
+			goto retry_source;
+#endif
 #ifdef HAVE_LIBRADIUS
 		case ISAKMP_CFG_CONF_RADIUS:
-			if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_RADIUS)
+			if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
 			    && (iph1->mode_cfg->addr4.s_addr != htonl(-2)))
 			    /*
 			     * -2 is 255.255.255.254, RADIUS uses that
@@ -803,6 +822,8 @@
 			plog(LLV_INFO, LOCATION, NULL, 
 			    "No IP from RADIUS, using local pool\n");
 			/* FALLTHROUGH */
+			confsource = ISAKMP_CFG_CONF_LOCAL;
+			goto retry_source;
 #endif
 		case ISAKMP_CFG_CONF_LOCAL:
 			if (isakmp_cfg_getport(iph1) == -1) {
@@ -830,14 +851,26 @@
 		break;
 
 	case INTERNAL_IP4_NETMASK:
-		switch(isakmp_cfg_config.confsource) {
+		switch(confsource) {
+#ifdef HAVE_LIBLDAP
+		case ISAKMP_CFG_CONF_LDAP:
+			if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
+				break;
+			plog(LLV_INFO, LOCATION, NULL, 
+			    "No mask from LDAP, using local pool\n");
+			/* FALLTHROUGH */
+			confsource = ISAKMP_CFG_CONF_LOCAL;
+			goto retry_source;
+#endif
 #ifdef HAVE_LIBRADIUS
 		case ISAKMP_CFG_CONF_RADIUS:
-			if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_RADIUS)
+			if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
 				break;
 			plog(LLV_INFO, LOCATION, NULL, 
 			    "No mask from RADIUS, using local pool\n");
 			/* FALLTHROUGH */
+			confsource = ISAKMP_CFG_CONF_LOCAL;
+			goto retry_source;
 #endif
 		case ISAKMP_CFG_CONF_LOCAL:
 			iph1->mode_cfg->mask4.s_addr 
@@ -1827,8 +1860,11 @@
 	 * we are a client or a server.
 	 */
 	if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) ||
+#ifdef HAVE_LIBLDAP
+	    (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
+#endif
 #ifdef HAVE_LIBRADIUS
-	    (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_RADIUS) ||
+	    (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
 #endif
 	    (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) {
 		inet_ntop(AF_INET, &iph1->mode_cfg->addr4, 

Index: cfparse.y
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/cfparse.y,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -d -r1.60 -r1.61
--- cfparse.y	20 Jun 2006 20:31:30 -0000	1.60
+++ cfparse.y	24 Jun 2006 07:40:23 -0000	1.61
@@ -194,8 +194,8 @@
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE
-%token LDAP_BIND_DN LDAP_BIND_PW LDAP_ATTR_USER LDAP_SUBTREE
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW
+%token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_SUBTREE
 	/* modecfg */
 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
 %token CFG_AUTH_SOURCE CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
@@ -607,6 +607,28 @@
 #endif
 		}
 		EOS
+	|	LDAP_ATTR_ADDR QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.attr_addr != NULL)
+				vfree(xauth_ldap_config.attr_addr);
+			xauth_ldap_config.attr_addr = vdup($2);
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_ATTR_MASK QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.attr_mask != NULL)
+				vfree(xauth_ldap_config.attr_mask);
+			xauth_ldap_config.attr_mask = vdup($2);
+#endif
+#endif
+		}
+		EOS
 	;
 
 	/* modecfg */
@@ -825,6 +847,19 @@
 #endif /* ENABLE_HYBRID */
 		}
 		EOS
+	|	CFG_CONF_SOURCE CFG_LDAP
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
+#else /* HAVE_LIBLDAP */
+			yyerror("racoon not configured with --with-libldap");
+#endif /* HAVE_LIBLDAP */
+#else /* ENABLE_HYBRID */
+			yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+		}
+		EOS
 	|	CFG_MOTD QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID

Index: isakmp_xauth.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_xauth.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -d -r1.34 -r1.35
--- isakmp_xauth.c	20 Jun 2006 20:31:33 -0000	1.34
+++ isakmp_xauth.c	24 Jun 2006 07:40:23 -0000	1.35
@@ -109,6 +109,7 @@
 
 #ifdef HAVE_LIBLDAP
 #include "ldap.h"
+#include <arpa/inet.h>
 struct xauth_ldap_config xauth_ldap_config;
 #endif
 
@@ -285,7 +286,7 @@
 #endif
 #ifdef HAVE_LIBLDAP
 		case ISAKMP_CFG_AUTH_LDAP:
-			res = xauth_login_ldap(usr, pwd);
+			res = xauth_login_ldap(iph1, usr, pwd);
 			break;
 #endif
 		default:
@@ -519,13 +520,13 @@
 			case RAD_FRAMED_IP_ADDRESS:
 				iph1->mode_cfg->addr4 = rad_cvt_addr(data);
 				iph1->mode_cfg->flags 
-				    |= ISAKMP_CFG_ADDR4_RADIUS;
+				    |= ISAKMP_CFG_ADDR4_EXTERN;
 				break;
 
 			case RAD_FRAMED_IP_NETMASK:
 				iph1->mode_cfg->mask4 = rad_cvt_addr(data);
 				iph1->mode_cfg->flags 
-				    |= ISAKMP_CFG_MASK4_RADIUS;
+				    |= ISAKMP_CFG_MASK4_EXTERN;
 				break;
 
 			default:
@@ -710,6 +711,7 @@
 
 int xauth_ldap_init(void)
 {
+	int tmplen;
 	xauth_ldap_config.pver = 3;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
@@ -719,24 +721,43 @@
 	xauth_ldap_config.bind_pw = NULL;
 	xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
 	xauth_ldap_config.attr_user = NULL;
+	xauth_ldap_config.attr_addr = NULL;
+	xauth_ldap_config.attr_mask = NULL;
 
-	/* set defualt host to localhost */
-	xauth_ldap_config.host = vmalloc(10);
+	/* set default host */
+	tmplen = strlen(LDAP_DFLT_HOST);
+	xauth_ldap_config.host = vmalloc(tmplen);
 	if (xauth_ldap_config.host == NULL )
 		return -1;
-	memcpy(xauth_ldap_config.host->v, "localhost", 10);
+	memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen);
 
-	/* set default user attribute to cn */
-	xauth_ldap_config.attr_user = vmalloc(3);
+	/* set default user attribute */
+	tmplen = strlen(LDAP_DFLT_USER);
+	xauth_ldap_config.attr_user = vmalloc(tmplen);
 	if (xauth_ldap_config.attr_user == NULL )
 		return -1;
-	memcpy(xauth_ldap_config.attr_user->v, "cn", 3);
+	memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen);
+
+	/* set default address attribute */
+	tmplen = strlen(LDAP_DFLT_ADDR);
+	xauth_ldap_config.attr_addr = vmalloc(tmplen);
+	if (xauth_ldap_config.attr_addr == NULL )
+		return -1;
+	memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen);
+
+	/* set default netmask attribute */
+	tmplen = strlen(LDAP_DFLT_MASK);
+	xauth_ldap_config.attr_mask = vmalloc(tmplen);
+	if (xauth_ldap_config.attr_mask == NULL )
+		return -1;
+	memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen);
 
 	return 0;
 }
 
 int
-xauth_login_ldap(usr, pwd)
+xauth_login_ldap(iph1, usr, pwd)
+	struct ph1handle *iph1;
 	char *usr;
 	char *pwd;
 {
@@ -745,13 +766,20 @@
 	LDAP *ld = NULL;
 	LDAPMessage *lr = NULL;
 	LDAPMessage *le = NULL;
+	BerElement *be = NULL;
 	char *filter = NULL;
+	char *atlist[3];
+	char *attrib = NULL;
 	char *basedn = NULL;
 	char *userdn = NULL;
-	int fltlen = 0;
+	int tmplen = 0;
 	int ecount = 0;
 	int scope = LDAP_SCOPE_ONE;
 
+	atlist[0] = NULL;
+	atlist[1] = NULL;
+	atlist[2] = NULL;
+
 	/* initialize the ldap handle */
 	ld = ldap_init(
 		xauth_ldap_config.host->v,
@@ -796,11 +824,11 @@
 	}
 
 	/* build an ldap user search filter */
-	fltlen = strlen(xauth_ldap_config.attr_user->v);
-	fltlen += 1;
-	fltlen += strlen(usr);
-	fltlen += 1;
-	filter = racoon_malloc(fltlen);
+	tmplen = strlen(xauth_ldap_config.attr_user->v);
+	tmplen += 1;
+	tmplen += strlen(usr);
+	tmplen += 1;
+	filter = racoon_malloc(tmplen);
 	if (filter == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"unable to alloc ldap search filter buffer\n");
@@ -809,13 +837,26 @@
 	sprintf(filter, "%s=%s",
 		xauth_ldap_config.attr_user->v, usr);
 
+	/* build our return attribute list */
+	tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
+	atlist[0] = racoon_malloc(tmplen);
+	tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
+	atlist[1] = racoon_malloc(tmplen);
+	if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"unable to alloc ldap attrib list buffer\n");
+		goto ldap_end;
+	}
+	strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
+	strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
+
 	/* attempt to locate the user dn */
 	if (xauth_ldap_config.base != NULL)
 		basedn = xauth_ldap_config.base->v;
 	if (xauth_ldap_config.subtree)
 		scope = LDAP_SCOPE_SUBTREE;
 	res = ldap_search_s(ld,	basedn, scope,
-		filter, NULL, 0, &lr);
+		filter, atlist, 0, &lr);
 	if (res != LDAP_SUCCESS) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"ldap_search_s failed: %s\n",
@@ -851,6 +892,37 @@
 		goto ldap_end;
 	}
 
+	/* retrieve address and netmask */
+	attrib = ldap_first_attribute(ld, le, &be);
+	while(attrib != NULL) {
+
+		char ** avals = ldap_get_values(ld, le, attrib);
+
+		/* address attribute value */
+		if(!strcmp(xauth_ldap_config.attr_addr->v, attrib)) {
+			plog(LLV_INFO, LOCATION, NULL,
+				"ldap returned user address %s\n", avals[0]);
+
+			iph1->mode_cfg->addr4.s_addr = inet_addr(avals[0]);
+			iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
+		}
+
+		/* netmask attribute value */
+		if(!strcmp(xauth_ldap_config.attr_mask->v, attrib)) {
+			plog(LLV_INFO, LOCATION, NULL,
+				"ldap returned user netmask %s\n", avals[0]);
+
+			iph1->mode_cfg->mask4.s_addr = inet_addr(avals[0]);
+			iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
+		}
+
+		ldap_value_free(avals);
+		racoon_free(attrib);
+
+		attrib = ldap_next_attribute(ld, le, be);
+	}
+	ber_free(be, 0);
+
 	/*
 	 * finally, use the dn and the xauth
 	 * password to check the users given
@@ -868,6 +940,10 @@
 	/* free ldap resources */
 	if (userdn != NULL)
 		ldap_memfree(userdn);
+	if (atlist[0] != NULL)
+		racoon_free(atlist[0]);
+	if (atlist[1] != NULL)
+		racoon_free(atlist[1]);
 	if (filter != NULL)
 		racoon_free(filter);
 	if (lr != NULL)

Index: cftoken.l
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/cftoken.l,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -d -r1.48 -r1.49
--- cftoken.l	20 Jun 2006 20:31:30 -0000	1.48
+++ cftoken.l	24 Jun 2006 07:40:23 -0000	1.49
@@ -227,6 +227,8 @@
 <S_LDAP>bind_dn		{ YYD; return(LDAP_BIND_DN); }
 <S_LDAP>bind_pw		{ YYD; return(LDAP_BIND_PW); }
 <S_LDAP>attr_user	{ YYD; return(LDAP_ATTR_USER); }
+<S_LDAP>attr_addr	{ YYD; return(LDAP_ATTR_ADDR); }
+<S_LDAP>attr_mask	{ YYD; return(LDAP_ATTR_MASK); }
 <S_LDAP>{ecl}		{ BEGIN S_INI; return(EOC); }
 
 	/* mode_cfg */

Index: racoon.conf.5
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/racoon.conf.5,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -d -r1.49 -r1.50
--- racoon.conf.5	20 Jun 2006 20:31:34 -0000	1.49
+++ racoon.conf.5	24 Jun 2006 07:40:24 -0000	1.50
@@ -1049,7 +1049,7 @@
 adding statements to the
 .Ic ldapcfg
 section.
-.It Ic conf_source (local | radius) ;
+.It Ic conf_source (local | radius | ldap) ;
 Specify the source for IP addresses and netmask allocated through ISAKMP
 mode config.
 .Ar local
@@ -1066,6 +1066,14 @@
 was build with libradius support, and the configuration is done in
 .Xr radius.conf 5 .
 RADIUS configuration requires RADIUS authentication.
+.Ar ldap
+means to use an LDAP server.
+It works only if
+.Xr racoon 8
+was build with libldap support, and the configuration is done in the
+.Ic ldapcfg
+section.
+LDAP configuration requires LDAP authentication.
 .It Ic accounting (none | system | radius | pam) ;
 Enable or disable accounting for Xauth logins and logouts.
 Default is
@@ -1179,6 +1187,14 @@
 if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
 The default value is
 .Ic cn .
+.It Ic attr_addr Ar attribute name;
+.It Ic attr_mask Ar attribute name;
+The attributes used to specify a users network address and subnet mask in an
+ldap directory. These values are forwarded during mode_cfg negotiation when
+the conf_source is set to ldap. The default values are
+.Ic racoon-address
+and
+.Ic racoon-netmask .
 .El
 .El
 .Ss Special directives