1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
6 #include "common/ceph_crypto.h"
7 #include "common/ceph_context.h"
8 #include "common/common_init.h"
9 #include "common/dout.h"
10 #include "common/safe_io.h"
11 #include <boost/algorithm/string.hpp>
13 #include "include/ceph_assert.h"
15 #define dout_subsys ceph_subsys_rgw
// Read the LDAP bind password from the file named by the rgw_ldap_secret
// config option.
//
// @param ctx  CephContext whose _conf->rgw_ldap_secret holds the path of the
//             secret file (may be empty).
// @return the trimmed password as a std::string; the return statement itself
//         is on a line not shown in this listing.
19 std::string
parse_rgw_ldap_bindpw(CephContext
* ctx
)
// The secret file path comes straight from the daemon configuration.
22 string ldap_secret
= ctx
->_conf
->rgw_ldap_secret
;
// No secret file configured: only a log line, nothing is read.
// (The ldout(...) head and the dendl tail of this message are not visible here.)
24 if (ldap_secret
.empty()) {
26 << __func__
<< " LDAP auth no rgw_ldap_secret file found in conf"
29 // FIPS zeroization audit 20191116: this memset is not intended to
30 // wipe out a secret after use.
// bindpw's declaration is on a line missing from this listing; the memset
// length and the later sizeof(bindpw) suggest a fixed 1024-byte buffer -- confirm.
32 memset(bindpw
, 0, 1024);
// Reads the file into the buffer; the destination/size arguments are on a
// line not shown here.
33 int pwlen
= safe_read_file("" /* base */, ldap_secret
.c_str(),
// ldap_bindpw is a std::string built from the buffer on a line not shown
// here -- presumably guarded on pwlen > 0; confirm in the full file.
// trim() already strips trailing whitespace, which includes '\n', so the
// explicit newline check right after it is redundant.
37 boost::algorithm::trim(ldap_bindpw
);
// NOTE(review): back() on an empty std::string is undefined behaviour; if the
// secret file holds only whitespace, trim() leaves ldap_bindpw empty and this
// check needs an emptiness guard in front of it.
38 if (ldap_bindpw
.back() == '\n')
39 ldap_bindpw
.pop_back();
// Wipe the raw file buffer; note that this call does not touch the
// std::string copy (ldap_bindpw) that holds the same bytes.
41 ::ceph::crypto::zeroize_for_security(bindpw
, sizeof(bindpw
));
47 #if defined(HAVE_OPENLDAP)
// Authenticate uid/pwd against the configured LDAP directory: look the user
// up with a search filter, then simple-bind as the DN the search returned.
//
// @param uid  user name supplied by the caller; it is inserted into the
//             search filter (see the note below) and appears in debug logs.
// @param pwd  password used for the simple bind; it is never logged here.
// @return LDAP_SUCCESS on success, -EACCES for every failure (no match,
//         bind rejected, search error) -- callers cannot tell these apart.
//
// Several lines of this method (the msad/openldap branching, the dnattr-based
// default filter, the else branches, the retry/rebind path) are missing from
// this listing; the comments below cover only what is visible.
50 int LDAPHelper::auth(const std::string
&uid
, const std::string
&pwd
) {
// NOTE(review): uid is spliced into the search filter verbatim in the visible
// branches (this sAMAccountName literal, whose uid append and closing parens
// are on lines not shown, and the @USERNAME@ replace() further down). LDAP
// filter metacharacters (RFC 4515: '*', '(', ')', '\\', NUL) are not escaped
// here; confirm the caller constrains uid, or escape it before it reaches the
// filter.
54 filter
= "(&(objectClass=user)(sAMAccountName=";
59 if (searchfilter
.empty()) {
60 /* no search filter provided in config, we construct our own */
67 if (searchfilter
.find("@USERNAME@") != std::string::npos
) {
68 /* we need to substitute the @USERNAME@ placeholder */
69 filter
= searchfilter
;
// Only the first "@USERNAME@" occurrence is replaced; a second placeholder in
// the configured filter is left as-is.
70 filter
.replace(searchfilter
.find("@USERNAME@"), std::string("@USERNAME@").length(), uid
);
72 /* no placeholder for username, so we need to append our own username filter to the custom searchfilter */
74 filter
+= searchfilter
;
// Debug trace of the final filter (contains uid, never pwd).
83 ldout(g_ceph_context
, 12)
84 << __func__
<< " search filter: " << filter
// Only the DN attribute is requested back from the search.
86 char *attrs
[] = { const_cast<char*>(dnattr
.c_str()), nullptr };
87 LDAPMessage
*answer
= nullptr, *entry
= nullptr;
// Search and bind run on the shared `ldap` handle under the helper's mutex;
// presumably simple_bind changes the identity bound on that connection, so
// two concurrent auth() calls must not interleave on it -- confirm.
90 lock_guard
guard(mtx
);
93 ret
= ldap_search_s(ldap
, searchdn
.c_str(), LDAP_SCOPE_SUBTREE
,
94 filter
.c_str(), attrs
, 0, &answer
);
95 if (ret
== LDAP_SUCCESS
) {
96 entry
= ldap_first_entry(ldap
, answer
);
// The null check on entry and the ldap_memfree(dn) release are on lines not
// shown here -- confirm both exist before reading this path as complete.
98 char *dn
= ldap_get_dn(ldap
, entry
);
// The bind result overwrites the search result in ret, so a matched user with
// a rejected password falls through to the -EACCES mapping below.
99 ret
= simple_bind(dn
, pwd
);
100 if (ret
!= LDAP_SUCCESS
) {
101 ldout(g_ceph_context
, 10)
102 << __func__
<< " simple_bind failed uid=" << uid
103 << "ldap err=" << ret
// Search succeeded but returned no entry for uid.
108 ldout(g_ceph_context
, 12)
109 << __func__
<< " ldap_search_s no user matching uid=" << uid
// Force a non-success code so the return below maps "no such user" to -EACCES.
111 ret
= LDAP_NO_SUCH_ATTRIBUTE
; // fixup result
113 ldap_msgfree(answer
);
115 ldout(g_ceph_context
, 5)
116 << __func__
<< " ldap_search_s error uid=" << uid
117 << " ldap err=" << ret
119 /* search should never fail--try to rebind */
// Everything other than LDAP_SUCCESS collapses to -EACCES; the specific LDAP
// error code only survives in the log lines above.
126 return (ret
== LDAP_SUCCESS
) ? ret
: -EACCES
;
127 } /* LDAPHelper::auth */
130 #endif /* defined(HAVE_OPENLDAP) */