Update of /cvsroot/ipsec-tools/ipsec-tools/src/racoon In directory sc8-pr-cvs2.sourceforge.net:/tmp/cvs-serv2903/src/racoon Modified Files: cfparse.y cftoken.l isakmp_cfg.c isakmp_cfg.h isakmp_xauth.c isakmp_xauth.h racoon.conf.5 Log Message: >From Matthew Grooms <mg...@sh...>: get mode config from LDAP Index: isakmp_cfg.h =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_cfg.h,v retrieving revision 1.17 retrieving revision 1.18 diff -u -d -r1.17 -r1.18 --- isakmp_cfg.h 20 Jun 2006 20:31:33 -0000 1.17 +++ isakmp_cfg.h 24 Jun 2006 07:40:23 -0000 1.18 @@ -122,6 +122,7 @@ /* For confsource */ #define ISAKMP_CFG_CONF_LOCAL 0 #define ISAKMP_CFG_CONF_RADIUS 1 +#define ISAKMP_CFG_CONF_LDAP 2 /* For accounting */ #define ISAKMP_CFG_ACCT_NONE 0 @@ -171,8 +172,8 @@ #define ISAKMP_CFG_VENDORID_XAUTH 0x01 /* Supports Xauth */ #define ISAKMP_CFG_VENDORID_UNITY 0x02 /* Cisco Unity compliant */ #define ISAKMP_CFG_PORT_ALLOCATED 0x04 /* Port allocated */ -#define ISAKMP_CFG_ADDR4_RADIUS 0x08 /* Address from RADIUS */ -#define ISAKMP_CFG_MASK4_RADIUS 0x10 /* Netmask from RADIUS */ +#define ISAKMP_CFG_ADDR4_EXTERN 0x08 /* Address from external config */ +#define ISAKMP_CFG_MASK4_EXTERN 0x10 /* Netmask from external config */ #define ISAKMP_CFG_ADDR4_LOCAL 0x20 /* Address from local pool */ #define ISAKMP_CFG_MASK4_LOCAL 0x40 /* Netmask from local pool */ #define ISAKMP_CFG_GOT_ADDR4 0x80 /* Client got address */ Index: isakmp_xauth.h =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_xauth.h,v retrieving revision 1.10 retrieving revision 1.11 diff -u -d -r1.10 -r1.11 --- isakmp_xauth.h 20 Jun 2006 20:31:33 -0000 1.10 +++ isakmp_xauth.h 24 Jun 2006 07:40:24 -0000 1.11 
@@ -116,6 +116,12 @@ #endif #ifdef HAVE_LIBLDAP + +#define LDAP_DFLT_HOST "localhost" +#define LDAP_DFLT_USER "cn" +#define LDAP_DFLT_ADDR "racoon-address" +#define LDAP_DFLT_MASK "racoon-netmask" + struct xauth_ldap_config { int pver; vchar_t *host; @@ -126,12 +132,14 @@ vchar_t *bind_pw; int auth_type; vchar_t *attr_user; + vchar_t *attr_addr; + vchar_t *attr_mask; }; extern struct xauth_ldap_config xauth_ldap_config; int xauth_ldap_init(void); -int xauth_login_ldap(char *, char *); +int xauth_login_ldap(struct ph1handle *, char *, char *); #endif #endif /* _ISAKMP_XAUTH_H */ Index: isakmp_cfg.c =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_cfg.c,v retrieving revision 1.50 retrieving revision 1.51 diff -u -d -r1.50 -r1.51 --- isakmp_cfg.c 7 Jun 2006 11:32:31 -0000 1.50 +++ isakmp_cfg.c 24 Jun 2006 07:40:23 -0000 1.51 @@ -775,6 +775,7 @@ struct isakmp_data *attr; { int type; + int confsource; in_addr_t addr4; type = ntohs(attr->type); @@ -788,12 +789,30 @@ return NULL; } + confsource = isakmp_cfg_config.confsource; + /* + * If we have to fall back to a local + * configuration source, we will jump + * back to this point. + */ +retry_source: + switch(type) { case INTERNAL_IP4_ADDRESS: - switch(isakmp_cfg_config.confsource) { + switch(confsource) { +#ifdef HAVE_LIBLDAP + case ISAKMP_CFG_CONF_LDAP: + if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) + break; + plog(LLV_INFO, LOCATION, NULL, + "No IP from LDAP, using local pool\n"); + /* FALLTHROUGH */ + confsource = ISAKMP_CFG_CONF_LOCAL; + goto retry_source; +#endif #ifdef HAVE_LIBRADIUS case ISAKMP_CFG_CONF_RADIUS: - if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_RADIUS) + if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) && (iph1->mode_cfg->addr4.s_addr != htonl(-2))) /* * -2 is 255.255.255.254, RADIUS uses that 
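Review bot: The `/* FALLTHROUGH */` comment in the new `ISAKMP_CFG_CONF_LDAP` case of the INTERNAL_IP4_ADDRESS switch no longer describes the control flow, because the two lines the commit adds right after it, `confsource = ISAKMP_CFG_CONF_LOCAL; goto retry_source;`, jump back to the outer `switch(type)` rather than falling into `case ISAKMP_CFG_CONF_LOCAL:`. The same stale comment precedes the same two added lines in the RADIUS case of this hunk and in the @@ -803 and @@ -830 hunks of this file. A comment that names what happens, e.g. `/* re-dispatch with the local pool as source */`, would stop the next reader from looking for a fall-through that does not exist. The enclosing function starts and ends outside the hunk.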
@@ -803,6 +822,8 @@ plog(LLV_INFO, LOCATION, NULL, "No IP from RADIUS, using local pool\n"); /* FALLTHROUGH */ + confsource = ISAKMP_CFG_CONF_LOCAL; + goto retry_source; #endif case ISAKMP_CFG_CONF_LOCAL: if (isakmp_cfg_getport(iph1) == -1) { @@ -830,14 +851,26 @@ break; case INTERNAL_IP4_NETMASK: - switch(isakmp_cfg_config.confsource) { + switch(confsource) { +#ifdef HAVE_LIBLDAP + case ISAKMP_CFG_CONF_LDAP: + if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) + break; + plog(LLV_INFO, LOCATION, NULL, + "No mask from LDAP, using local pool\n"); + /* FALLTHROUGH */ + confsource = ISAKMP_CFG_CONF_LOCAL; + goto retry_source; +#endif #ifdef HAVE_LIBRADIUS case ISAKMP_CFG_CONF_RADIUS: - if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_RADIUS) + if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) break; plog(LLV_INFO, LOCATION, NULL, "No mask from RADIUS, using local pool\n"); /* FALLTHROUGH */ + confsource = ISAKMP_CFG_CONF_LOCAL; + goto retry_source; #endif case ISAKMP_CFG_CONF_LOCAL: iph1->mode_cfg->mask4.s_addr @@ -1827,8 +1860,11 @@ * we are a client or a server. */ if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) || +#ifdef HAVE_LIBLDAP + (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || +#endif #ifdef HAVE_LIBRADIUS - (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_RADIUS) || + (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || #endif (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) { inet_ntop(AF_INET, &iph1->mode_cfg->addr4, Index: cfparse.y =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/cfparse.y,v retrieving revision 1.60 retrieving revision 1.61 diff -u -d -r1.60 -r1.61 --- cfparse.y 20 Jun 2006 20:31:30 -0000 1.60 +++ cfparse.y 24 Jun 2006 07:40:23 -0000 1.61 
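Review bot: In the @@ -1827 hunk the condition now tests `(iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)` twice when both HAVE_LIBLDAP and HAVE_LIBRADIUS are defined, one copy per `#ifdef`. Since the commit deliberately made the flag source-independent, a single term under `#if defined(HAVE_LIBLDAP) || defined(HAVE_LIBRADIUS)` (or no guard at all, as the flag is defined unconditionally in isakmp_cfg.h) expresses the same check without the duplicate. The enclosing function starts and ends outside the hunk.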
@@ -194,8 +194,8 @@ /* listen */ %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED /* ldap config */ -%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE -%token LDAP_BIND_DN LDAP_BIND_PW LDAP_ATTR_USER LDAP_SUBTREE +%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW +%token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_SUBTREE /* modecfg */ %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN %token CFG_AUTH_SOURCE CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE @@ -607,6 +607,28 @@ #endif } EOS + | LDAP_ATTR_ADDR QUOTEDSTRING + { +#ifdef ENABLE_HYBRID +#ifdef HAVE_LIBLDAP + if (xauth_ldap_config.attr_addr != NULL) + vfree(xauth_ldap_config.attr_addr); + xauth_ldap_config.attr_addr = vdup($2); +#endif +#endif + } + EOS + | LDAP_ATTR_MASK QUOTEDSTRING + { +#ifdef ENABLE_HYBRID +#ifdef HAVE_LIBLDAP + if (xauth_ldap_config.attr_mask != NULL) + vfree(xauth_ldap_config.attr_mask); + xauth_ldap_config.attr_mask = vdup($2); +#endif +#endif + } + EOS ; /* modecfg */ @@ -825,6 +847,19 @@ #endif /* ENABLE_HYBRID */ } EOS + | CFG_CONF_SOURCE CFG_LDAP + { +#ifdef ENABLE_HYBRID +#ifdef HAVE_LIBLDAP + isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP; +#else /* HAVE_LIBLDAP */ + yyerror("racoon not configured with --with-libldap"); +#endif /* HAVE_LIBLDAP */ +#else /* ENABLE_HYBRID */ + yyerror("racoon not configured with --enable-hybrid"); +#endif /* ENABLE_HYBRID */ + } + EOS | CFG_MOTD QUOTEDSTRING { #ifdef ENABLE_HYBRID Index: isakmp_xauth.c =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_xauth.c,v retrieving revision 1.34 retrieving revision 1.35 diff -u -d -r1.34 -r1.35 --- isakmp_xauth.c 20 Jun 2006 20:31:33 -0000 1.34 +++ isakmp_xauth.c 24 Jun 2006 07:40:23 -0000 1.35 
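Review bot: The new `CFG_CONF_SOURCE CFG_LDAP` rule in the @@ -825 hunk accepts `conf_source ldap` on its own, while the racoon.conf.5 hunk in this commit states that LDAP configuration requires LDAP authentication, and the only place ISAKMP_CFG_ADDR4_EXTERN is set from the directory is xauth_login_ldap, which runs only for the LDAP auth source. If the parser does not already cross-check the two settings elsewhere, a mismatch is reported only as a per-login "No IP from LDAP, using local pool" message; a configuration-time check that emits `yyerror("conf_source ldap requires auth_source ldap")` (or at least a warning) would surface the misconfiguration where it is made.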
@@ -109,6 +109,7 @@ #ifdef HAVE_LIBLDAP #include "ldap.h" +#include <arpa/inet.h> struct xauth_ldap_config xauth_ldap_config; #endif @@ -285,7 +286,7 @@ #endif #ifdef HAVE_LIBLDAP case ISAKMP_CFG_AUTH_LDAP: - res = xauth_login_ldap(usr, pwd); + res = xauth_login_ldap(iph1, usr, pwd); break; #endif default: @@ -519,13 +520,13 @@ case RAD_FRAMED_IP_ADDRESS: iph1->mode_cfg->addr4 = rad_cvt_addr(data); iph1->mode_cfg->flags - |= ISAKMP_CFG_ADDR4_RADIUS; + |= ISAKMP_CFG_ADDR4_EXTERN; break; case RAD_FRAMED_IP_NETMASK: iph1->mode_cfg->mask4 = rad_cvt_addr(data); iph1->mode_cfg->flags - |= ISAKMP_CFG_MASK4_RADIUS; + |= ISAKMP_CFG_MASK4_EXTERN; break; default: @@ -710,6 +711,7 @@ int xauth_ldap_init(void) { + int tmplen; xauth_ldap_config.pver = 3; xauth_ldap_config.host = NULL; xauth_ldap_config.port = LDAP_PORT; 
@@ -719,24 +721,43 @@ xauth_ldap_config.bind_pw = NULL; xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE; xauth_ldap_config.attr_user = NULL; + xauth_ldap_config.attr_addr = NULL; + xauth_ldap_config.attr_mask = NULL; - /* set defualt host to localhost */ - xauth_ldap_config.host = vmalloc(10); + /* set default host */ + tmplen = strlen(LDAP_DFLT_HOST); + xauth_ldap_config.host = vmalloc(tmplen); if (xauth_ldap_config.host == NULL ) return -1; - memcpy(xauth_ldap_config.host->v, "localhost", 10); + memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen); - /* set default user attribute to cn */ - xauth_ldap_config.attr_user = vmalloc(3); + /* set default user attribute */ + tmplen = strlen(LDAP_DFLT_USER); + xauth_ldap_config.attr_user = vmalloc(tmplen); if (xauth_ldap_config.attr_user == NULL ) return -1; - memcpy(xauth_ldap_config.attr_user->v, "cn", 3); + memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen); + + /* set default address attribute */ + tmplen = strlen(LDAP_DFLT_ADDR); + xauth_ldap_config.attr_addr = vmalloc(tmplen); + if (xauth_ldap_config.attr_addr == NULL ) + return -1; + memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen); + + /* set default netmask attribute */ + tmplen = strlen(LDAP_DFLT_MASK); + xauth_ldap_config.attr_mask = vmalloc(tmplen); + if (xauth_ldap_config.attr_mask == NULL ) + return -1; + memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen); return 0; } int -xauth_login_ldap(usr, pwd) +xauth_login_ldap(iph1, usr, pwd) + struct ph1handle *iph1; char *usr; char *pwd; { @@ -745,13 +766,20 @@ LDAP *ld = NULL; LDAPMessage *lr = NULL; LDAPMessage *le = NULL; + BerElement *be = NULL; char *filter = NULL; + char *atlist[3]; + char *attrib = NULL; char *basedn = NULL; char *userdn = NULL; - int fltlen = 0; + int tmplen = 0; int ecount = 0; int scope = LDAP_SCOPE_ONE; + atlist[0] = NULL; + atlist[1] = NULL; + atlist[2] = NULL; + /* initialize the ldap handle */ ld = ldap_init( xauth_ldap_config.host->v, 
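Review bot: The four default strings are now allocated with `tmplen = strlen(...)` and copied with that length, so the terminating NUL is dropped; the code being replaced used `vmalloc(10)`/`memcpy(..., 10)` for "localhost" precisely to include it. Unless vmalloc reserves an extra byte (not visible here), `xauth_ldap_config.host->v` and the three attribute names are later consumed as C strings (`ldap_init(xauth_ldap_config.host->v, ...)`, `strlen(xauth_ldap_config.attr_user->v)`, `strcpy(atlist[0], xauth_ldap_config.attr_addr->v)`), which reads past the end of the buffer. Use `tmplen = strlen(LDAP_DFLT_HOST) + 1;` and the same `+ 1` for LDAP_DFLT_USER, LDAP_DFLT_ADDR and LDAP_DFLT_MASK, keeping the memcpy length equal to tmplen so the NUL is copied. xauth_ldap_init starts outside the hunk.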
@@ -796,11 +824,11 @@ } /* build an ldap user search filter */ - fltlen = strlen(xauth_ldap_config.attr_user->v); - fltlen += 1; - fltlen += strlen(usr); - fltlen += 1; - filter = racoon_malloc(fltlen); + tmplen = strlen(xauth_ldap_config.attr_user->v); + tmplen += 1; + tmplen += strlen(usr); + tmplen += 1; + filter = racoon_malloc(tmplen); if (filter == NULL) { plog(LLV_ERROR, LOCATION, NULL, "unable to alloc ldap search filter buffer\n"); @@ -809,13 +837,26 @@ sprintf(filter, "%s=%s", xauth_ldap_config.attr_user->v, usr); + /* build our return attribute list */ + tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1; + atlist[0] = racoon_malloc(tmplen); + tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1; + atlist[1] = racoon_malloc(tmplen); + if ((atlist[0] == NULL)||(atlist[1] == NULL)) { + plog(LLV_ERROR, LOCATION, NULL, + "unable to alloc ldap attrib list buffer\n"); + goto ldap_end; + } + strcpy(atlist[0],xauth_ldap_config.attr_addr->v); + strcpy(atlist[1],xauth_ldap_config.attr_mask->v); + /* attempt to locate the user dn */ if (xauth_ldap_config.base != NULL) basedn = xauth_ldap_config.base->v; if (xauth_ldap_config.subtree) scope = LDAP_SCOPE_SUBTREE; res = ldap_search_s(ld, basedn, scope, - filter, NULL, 0, &lr); + filter, atlist, 0, &lr); if (res != LDAP_SUCCESS) { plog(LLV_ERROR, LOCATION, NULL, "ldap_search_s failed: %s\n", 
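Review bot: The two `racoon_malloc`/`strcpy` copies into `atlist` in the @@ -809 hunk are unnecessary: `ldap_search_s` only reads the attribute list for the duration of the call and does not take ownership, so `atlist[0] = xauth_ldap_config.attr_addr->v; atlist[1] = xauth_ldap_config.attr_mask->v;` is sufficient and removes both the allocation failure path here and the two `racoon_free` calls the @@ -868 hunk adds. Separately, the unchanged `sprintf(filter, "%s=%s", xauth_ldap_config.attr_user->v, usr)` at the top of the hunk still interpolates the client-supplied login name into the search filter without escaping `*`, `(`, `)`, `\` and NUL as RFC 4515 requires; escaping the name before the sprintf ensures filter metacharacters in a login name cannot alter the query. The enclosing function starts and ends outside the hunk.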
@@ -851,6 +892,37 @@ goto ldap_end; } + /* retrieve address and netmask */ + attrib = ldap_first_attribute(ld, le, &be); + while(attrib != NULL) { + + char ** avals = ldap_get_values(ld, le, attrib); + + /* address attribute value */ + if(!strcmp(xauth_ldap_config.attr_addr->v, attrib)) { + plog(LLV_INFO, LOCATION, NULL, + "ldap returned user address %s\n", avals[0]); + + iph1->mode_cfg->addr4.s_addr = inet_addr(avals[0]); + iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN; + } + + /* netmask attribute value */ + if(!strcmp(xauth_ldap_config.attr_mask->v, attrib)) { + plog(LLV_INFO, LOCATION, NULL, + "ldap returned user netmask %s\n", avals[0]); + + iph1->mode_cfg->mask4.s_addr = inet_addr(avals[0]); + iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN; + } + + ldap_value_free(avals); + racoon_free(attrib); + + attrib = ldap_next_attribute(ld, le, be); + } + ber_free(be, 0); + /* * finally, use the dn and the xauth * password to check the users given @@ -868,6 +940,10 @@ /* free ldap resources */ if (userdn != NULL) ldap_memfree(userdn); + if (atlist[0] != NULL) + racoon_free(atlist[0]); + if (atlist[1] != NULL) + racoon_free(atlist[1]); if (filter != NULL) racoon_free(filter); if (lr != NULL) Index: cftoken.l =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/cftoken.l,v retrieving revision 1.48 retrieving revision 1.49 diff -u -d -r1.48 -r1.49 --- cftoken.l 20 Jun 2006 20:31:30 -0000 1.48 +++ cftoken.l 24 Jun 2006 07:40:23 -0000 1.49 
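Review bot: `avals[0]` is dereferenced without checking the result of `ldap_get_values`, which returns NULL when an attribute carries no value or the fetch fails, so a directory entry with an empty address or netmask attribute crashes racoon during login. The values are also converted with `inet_addr`, whose failure result INADDR_NONE is indistinguishable from 255.255.255.255 and is stored with ISAKMP_CFG_ADDR4_EXTERN/ISAKMP_CFG_MASK4_EXTERN set, so a malformed directory value is handed to the client as its address; `inet_aton` (available through the `<arpa/inet.h>` include this commit adds) reports failure and lets the flag stay clear so the local-pool fallback in isakmp_cfg.c applies. `attrib` comes from `ldap_first_attribute`/`ldap_next_attribute` but is released with `racoon_free`, whereas `userdn` from the same library is released with `ldap_memfree` further down; using `ldap_memfree` here keeps the allocator pairing consistent. xauth_login_ldap starts and ends outside the hunk.
```c
	/* retrieve address and netmask */
	attrib = ldap_first_attribute(ld, le, &be);
	while (attrib != NULL) {
		char **avals = ldap_get_values(ld, le, attrib);

		/* NULL when the attribute has no value or the fetch failed */
		if (avals != NULL && avals[0] != NULL) {
			/* address attribute value */
			if (!strcmp(xauth_ldap_config.attr_addr->v, attrib)) {
				if (inet_aton(avals[0], &iph1->mode_cfg->addr4) == 0) {
					plog(LLV_ERROR, LOCATION, NULL,
					    "ldap returned unparsable user address %s\n",
					    avals[0]);
				} else {
					plog(LLV_INFO, LOCATION, NULL,
					    "ldap returned user address %s\n", avals[0]);
					iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
				}
			}
			/* … unchanged in shape: netmask branch, using mask4 and ISAKMP_CFG_MASK4_EXTERN … */
		}

		if (avals != NULL)
			ldap_value_free(avals);
		ldap_memfree(attrib);
		attrib = ldap_next_attribute(ld, le, be);
	}
	/* … unchanged: ber_free(be, 0) and the bind with the user's password … */
```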
@@ -227,6 +227,8 @@ <S_LDAP>bind_dn { YYD; return(LDAP_BIND_DN); } <S_LDAP>bind_pw { YYD; return(LDAP_BIND_PW); } <S_LDAP>attr_user { YYD; return(LDAP_ATTR_USER); } +<S_LDAP>attr_addr { YYD; return(LDAP_ATTR_ADDR); } +<S_LDAP>attr_mask { YYD; return(LDAP_ATTR_MASK); } <S_LDAP>{ecl} { BEGIN S_INI; return(EOC); } /* mode_cfg */ Index: racoon.conf.5 =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/racoon.conf.5,v retrieving revision 1.49 retrieving revision 1.50 diff -u -d -r1.49 -r1.50 --- racoon.conf.5 20 Jun 2006 20:31:34 -0000 1.49 +++ racoon.conf.5 24 Jun 2006 07:40:24 -0000 1.50 @@ -1049,7 +1049,7 @@ adding statements to the .Ic ldapcfg section. -.It Ic conf_source (local | radius) ; +.It Ic conf_source (local | radius | ldap) ; Specify the source for IP addresses and netmask allocated through ISAKMP mode config. .Ar local @@ -1066,6 +1066,14 @@ was build with libradius support, and the configuration is done in .Xr radius.conf 5 . RADIUS configuration requires RADIUS authentication. +.Ar ldap +means to use an LDAP server. +It works only if +.Xr racoon 8 +was build with libldap support, and the configuration is done in the +.Ic ldapcfg +section. +LDAP configuration requires LDAP authentication. .It Ic accounting (none | system | radius | pam) ; Enable or disable accounting for Xauth logins and logouts. Default is @@ -1179,6 +1187,14 @@ if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn". The default value is .Ic cn . +.It Ic attr_addr Ar attribute name; +.It Ic attr_mask Ar attribute name; +The attributes used to specify a users network address and subnet mask in an +ldap directory. These values are forwarded during mode_cfg negotiation when +the conf_source is set to ldap. The default values are +.Ic racoon-address +and +.Ic racoon-netmask . .El .El .Ss Special directives |