1 /***************************************************************************
2 * Copyright (C) 2005-2015 by the Quassel Project *
3 * devel@quassel-irc.org *
5 * This program is free software; you can redistribute it and/or modify *
6 * it under the terms of the GNU General Public License as published by *
7 * the Free Software Foundation; either version 2 of the License, or *
8 * (at your option) version 3. *
10 * This program is distributed in the hope that it will be useful, *
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
13 * GNU General Public License for more details. *
15 * You should have received a copy of the GNU General Public License *
16 * along with this program; if not, write to the *
17 * Free Software Foundation, Inc., *
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. *
19 ***************************************************************************/
21 /* This file contains an implementation of an LDAP Authenticator, as an example
22 * of what a custom external auth provider could do.
24 * It's based off of this pull request for quassel by abustany:
25 * https://github.com/quassel/quassel/pull/4/
29 #include "ldapauthenticator.h"
38 LdapAuthenticator::LdapAuthenticator(QObject *parent)
39 : Authenticator(parent),
45 LdapAuthenticator::~LdapAuthenticator()
49 ldap_unbind_ext(_connection, 0, 0);
54 bool LdapAuthenticator::isAvailable() const
56 // XXX: probably this should test if we can speak to the LDAP server.
60 QString LdapAuthenticator::displayName() const
62 // We identify the backend to use for the monolithic core by its displayname.
63 // so only change this string if you _really_ have to and make sure the core
64 // setup for the mono client still works ;)
65 return QString("LDAP");
68 QString LdapAuthenticator::description() const
70 return tr("Authenticate users using an LDAP server.");
73 QStringList LdapAuthenticator::setupKeys() const
75 // The parameters needed for LDAP.
87 QVariantMap LdapAuthenticator::setupDefaults() const
90 map["Hostname"] = QVariant(QString("ldap://localhost"));
91 map["Port"] = QVariant(DEFAULT_LDAP_PORT);
92 map["UID Attribute"] = QVariant(QString("uid"));
96 void LdapAuthenticator::setConnectionProperties(const QVariantMap &properties)
98 _hostName = properties["Hostname"].toString();
99 _port = properties["Port"].toInt();
100 _baseDN = properties["Base DN"].toString();
101 _filter = properties["Filter"].toString();
102 _bindDN = properties["Bind DN"].toString();
103 _bindPassword = properties["Bind Password"].toString();
104 _uidAttribute = properties["UID Attribute"].toString();
107 // XXX: this code is sufficiently general that in the future, perhaps an abstract
108 // class should be created implementing it.
109 // i.e. a provider that does its own thing and then pokes at the current storage
110 // through the default core method.
111 UserId LdapAuthenticator::validateUser(const QString &username, const QString &password)
113 bool result = ldapAuth(username, password);
119 // If auth succeeds, but the user has not logged into quassel previously, make
120 // a new user for them and return that ID.
121 // Users created via LDAP have empty passwords, but authenticator column = LDAP.
122 // On the other hand, if auth succeeds and the user already exists, do a final
123 // cross-check to confirm we're using the right auth provider.
124 UserId quasselID = Core::validateUser(username, QString());
125 if (!quasselID.isValid())
127 return Core::addUser(username, QString(), displayName());
129 else if (!(Core::checkAuthProvider(quasselID, displayName())))
136 bool LdapAuthenticator::setup(const QVariantMap &settings)
138 setConnectionProperties(settings);
139 bool status = ldapConnect();
143 Authenticator::State LdapAuthenticator::init(const QVariantMap &settings)
145 setConnectionProperties(settings);
147 bool status = ldapConnect();
150 quInfo() << qPrintable(displayName()) << "Authenticator cannot connect.";
154 quInfo() << qPrintable(displayName()) << "Authenticator is ready.";
158 // Method based on abustany LDAP quassel patch.
159 bool LdapAuthenticator::ldapConnect()
161 if (_connection != 0) {
165 int res, v = LDAP_VERSION3;
168 QByteArray serverURIArray;
170 // Convert info to hostname:port.
171 serverURI = _hostName + ":" + QString::number(_port);
172 serverURIArray = serverURI.toLocal8Bit();
173 res = ldap_initialize(&_connection, serverURIArray);
175 if (res != LDAP_SUCCESS) {
176 qWarning() << "Could not connect to LDAP server:" << ldap_err2string(res);
180 res = ldap_set_option(_connection, LDAP_OPT_PROTOCOL_VERSION, (void*)&v);
182 if (res != LDAP_SUCCESS) {
183 qWarning() << "Could not set LDAP protocol version to v3:" << ldap_err2string(res);
184 ldap_unbind_ext(_connection, 0, 0);
192 void LdapAuthenticator::ldapDisconnect()
194 if (_connection == 0) {
198 ldap_unbind_ext(_connection, 0, 0);
202 bool LdapAuthenticator::ldapAuth(const QString &username, const QString &password)
204 if (password.isEmpty()) {
210 // Attempt to establish a connection.
211 if (_connection == 0) {
212 if (not ldapConnect()) {
219 // Convert some things to byte arrays as needed.
220 QByteArray bindPassword = _bindPassword.toLocal8Bit();
221 QByteArray bindDN = _bindDN.toLocal8Bit();
222 QByteArray baseDN = _baseDN.toLocal8Bit();
223 QByteArray uidAttribute = _uidAttribute.toLocal8Bit();
225 cred.bv_val = const_cast<char*>(bindPassword.size() > 0 ? bindPassword.constData() : NULL);
226 cred.bv_len = bindPassword.size();
228 res = ldap_sasl_bind_s(_connection, bindDN.size() > 0 ? bindDN.constData() : 0, LDAP_SASL_SIMPLE, &cred, 0, 0, 0);
230 if (res != LDAP_SUCCESS) {
231 qWarning() << "Refusing connection from" << username << "(LDAP bind failed:" << ldap_err2string(res) << ")";
236 LDAPMessage *msg = NULL, *entry = NULL;
238 const QByteArray ldapQuery = "(&(" + uidAttribute + '=' + username.toLocal8Bit() + ")" + _filter.toLocal8Bit() + ")";
240 res = ldap_search_ext_s(_connection, baseDN.constData(), LDAP_SCOPE_SUBTREE, ldapQuery.constData(), 0, 0, 0, 0, 0, 0, &msg);
242 if (res != LDAP_SUCCESS) {
243 qWarning() << "Refusing connection from" << username << "(LDAP search failed:" << ldap_err2string(res) << ")";
247 if (ldap_count_entries(_connection, msg) > 1) {
248 qWarning() << "Refusing connection from" << username << "(LDAP search returned more than one result)";
253 entry = ldap_first_entry(_connection, msg);
256 qWarning() << "Refusing connection from" << username << "(LDAP search returned no results)";
261 const QByteArray passwordArray = password.toLocal8Bit();
262 cred.bv_val = const_cast<char*>(passwordArray.constData());
263 cred.bv_len = password.size();
265 char *userDN = ldap_get_dn(_connection, entry);
267 res = ldap_sasl_bind_s(_connection, userDN, LDAP_SASL_SIMPLE, &cred, 0, 0, 0);
269 if (res != LDAP_SUCCESS) {
270 qWarning() << "Refusing connection from" << username << "(LDAP authentication failed)";
271 ldap_memfree(userDN);
276 // The original implementation had requiredAttributes. I have not included this code
277 // but it would be easy to re-add if someone wants this feature.
278 // Ben Rosser <bjr@acm.jhu.edu> (12/23/15).
280 ldap_memfree(userDN);