mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-25 15:27:03 +01:00
ba463128ce
* scd/scdaemon.c: Switch to the new option parser and enable a global conf file. * dirmngr/dirmngr.c: Ditto. * g13/g13.c: Ditto. * g13/g13-syshelp.c: Ditto. Do not force verbose mode. * dirmngr/dirmngr_ldap.c: Switch to the new option parser. * dirmngr/dirmngr-client.c: Switch to the new option parser. -- This finalizes the switch to the new option parser. What's left is to remove the old argparser code from common. g13-syshelp does not anymore default to --verbose because that can now be enabled in /etc/gnupg/g13-syshelp.conf. GnuPG-bug-id: 4788 Signed-off-by: Werner Koch <wk@gnupg.org>
774 lines
21 KiB
C
774 lines
21 KiB
C
/* dirmngr-ldap.c - The LDAP helper for dirmngr.
|
|
* Copyright (C) 2004 g10 Code GmbH
|
|
* Copyright (C) 2010 Free Software Foundation, Inc.
|
|
*
|
|
* This file is part of GnuPG.
|
|
*
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
|
* SPDX-License-Identifier: GPL-3.0-or-later
|
|
*/
|
|
|
|
#include <config.h>
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <stddef.h>
|
|
#include <stdarg.h>
|
|
#include <string.h>
|
|
#ifdef HAVE_SIGNAL_H
|
|
# include <signal.h>
|
|
#endif
|
|
#include <errno.h>
|
|
#include <sys/time.h>
|
|
#include <unistd.h>
|
|
|
|
#ifdef HAVE_W32_SYSTEM
|
|
# include <winsock2.h>
|
|
# include <winldap.h>
|
|
# include <winber.h>
|
|
# include <fcntl.h>
|
|
# include "ldap-url.h"
|
|
#else
|
|
/* For OpenLDAP, to enable the API that we're using. */
|
|
# define LDAP_DEPRECATED 1
|
|
# include <ldap.h>
|
|
#endif
|
|
|
|
|
|
#include <gpg-error.h>
|
|
#include "../common/logging.h"
|
|
#include "../common/stringhelp.h"
|
|
#include "../common/mischelp.h"
|
|
#include "../common/strlist.h"
|
|
|
|
#include "../common/i18n.h"
|
|
#include "../common/util.h"
|
|
#include "../common/init.h"
|
|
|
|
/* There is no need for the npth_unprotect and leave functions here;
|
|
* thus we redefine them to nops. We keep them in the code just for
|
|
* the case we ever want to reuse parts of the code in npth programs. */
|
|
static void npth_unprotect (void) { }
|
|
static void npth_protect (void) { }
|
|
|
|
|
|
#ifdef HAVE_W32_SYSTEM
|
|
typedef LDAP_TIMEVAL my_ldap_timeval_t;
|
|
#else
|
|
typedef struct timeval my_ldap_timeval_t;
|
|
#endif
|
|
|
|
#define DEFAULT_LDAP_TIMEOUT 15 /* Arbitrary long timeout. */
|
|
|
|
|
|
/* Constants for the options. */
|
|
enum
|
|
{
|
|
oQuiet = 'q',
|
|
oVerbose = 'v',
|
|
|
|
oTimeout = 500,
|
|
oMulti,
|
|
oProxy,
|
|
oHost,
|
|
oPort,
|
|
oUser,
|
|
oPass,
|
|
oEnvPass,
|
|
oDN,
|
|
oFilter,
|
|
oAttr,
|
|
oTls,
|
|
|
|
oOnlySearchTimeout,
|
|
oLogWithPID
|
|
};
|
|
|
|
|
|
/* The list of options as used by the argparse.c code. */
|
|
static gpgrt_opt_t opts[] = {
|
|
{ oVerbose, "verbose", 0, N_("verbose") },
|
|
{ oQuiet, "quiet", 0, N_("be somewhat more quiet") },
|
|
{ oTimeout, "timeout", 1, N_("|N|set LDAP timeout to N seconds")},
|
|
{ oMulti, "multi", 0, N_("return all values in"
|
|
" a record oriented format")},
|
|
{ oProxy, "proxy", 2,
|
|
N_("|NAME|ignore host part and connect through NAME")},
|
|
{ oTls, "tls", 0, N_("force a TLS connection")},
|
|
{ oHost, "host", 2, N_("|NAME|connect to host NAME")},
|
|
{ oPort, "port", 1, N_("|N|connect to port N")},
|
|
{ oUser, "user", 2, N_("|NAME|use user NAME for authentication")},
|
|
{ oPass, "pass", 2, N_("|PASS|use password PASS"
|
|
" for authentication")},
|
|
{ oEnvPass, "env-pass", 0, N_("take password from $DIRMNGR_LDAP_PASS")},
|
|
{ oDN, "dn", 2, N_("|STRING|query DN STRING")},
|
|
{ oFilter, "filter", 2, N_("|STRING|use STRING as filter expression")},
|
|
{ oAttr, "attr", 2, N_("|STRING|return the attribute STRING")},
|
|
{ oOnlySearchTimeout, "only-search-timeout", 0, "@"},
|
|
{ oLogWithPID,"log-with-pid", 0, "@"},
|
|
ARGPARSE_end ()
|
|
};
|
|
|
|
|
|
/* A structure with module options. This is not a static variable
|
|
because if we are not build as a standalone binary, each thread
|
|
using this module needs to handle its own values. */
|
|
struct my_opt_s
|
|
{
|
|
int quiet;
|
|
int verbose;
|
|
my_ldap_timeval_t timeout;/* Timeout for the LDAP search functions. */
|
|
unsigned int alarm_timeout; /* And for the alarm based timeout. */
|
|
int multi;
|
|
int force_tls;
|
|
|
|
estream_t outstream; /* Send output to this stream. */
|
|
|
|
/* Note that we can't use const for the strings because ldap_* are
|
|
not defined that way. */
|
|
char *proxy; /* Host and Port override. */
|
|
char *user; /* Authentication user. */
|
|
char *pass; /* Authentication password. */
|
|
char *host; /* Override host. */
|
|
int port; /* Override port. */
|
|
char *dn; /* Override DN. */
|
|
char *filter;/* Override filter. */
|
|
char *attr; /* Override attribute. */
|
|
};
|
|
typedef struct my_opt_s *my_opt_t;
|
|
|
|
|
|
/* Prototypes. */
|
|
#ifndef HAVE_W32_SYSTEM
|
|
static void catch_alarm (int dummy);
|
|
#endif
|
|
static int process_url (my_opt_t myopt, const char *url);
|
|
|
|
|
|
|
|
/* Function called by argparse.c to display information. */
|
|
static const char *
|
|
my_strusage (int level)
|
|
{
|
|
const char *p;
|
|
|
|
switch (level)
|
|
{
|
|
case 9: p = "GPL-3.0-or-later"; break;
|
|
case 11: p = "dirmngr_ldap (@GNUPG@)";
|
|
break;
|
|
case 13: p = VERSION; break;
|
|
case 14: p = GNUPG_DEF_COPYRIGHT_LINE; break;
|
|
case 17: p = PRINTABLE_OS_NAME; break;
|
|
case 19: p = _("Please report bugs to <@EMAIL@>.\n"); break;
|
|
case 49: p = PACKAGE_BUGREPORT; break;
|
|
case 1:
|
|
case 40: p =
|
|
_("Usage: dirmngr_ldap [options] [URL] (-h for help)\n");
|
|
break;
|
|
case 41: p =
|
|
_("Syntax: dirmngr_ldap [options] [URL]\n"
|
|
"Internal LDAP helper for Dirmngr\n"
|
|
"Interface and options may change without notice\n");
|
|
break;
|
|
|
|
default: p = NULL;
|
|
}
|
|
return p;
|
|
}
|
|
|
|
|
|
int
|
|
main (int argc, char **argv)
|
|
{
|
|
gpgrt_argparse_t pargs;
|
|
int any_err = 0;
|
|
char *p;
|
|
int only_search_timeout = 0;
|
|
struct my_opt_s my_opt_buffer;
|
|
my_opt_t myopt = &my_opt_buffer;
|
|
char *malloced_buffer1 = NULL;
|
|
|
|
memset (&my_opt_buffer, 0, sizeof my_opt_buffer);
|
|
|
|
early_system_init ();
|
|
|
|
gpgrt_set_strusage (my_strusage);
|
|
log_set_prefix ("dirmngr_ldap", GPGRT_LOG_WITH_PREFIX);
|
|
|
|
/* Setup I18N and common subsystems. */
|
|
i18n_init();
|
|
|
|
init_common_subsystems (&argc, &argv);
|
|
|
|
es_set_binary (es_stdout);
|
|
myopt->outstream = es_stdout;
|
|
|
|
/* LDAP defaults */
|
|
myopt->timeout.tv_sec = DEFAULT_LDAP_TIMEOUT;
|
|
myopt->timeout.tv_usec = 0;
|
|
myopt->alarm_timeout = 0;
|
|
|
|
/* Parse the command line. */
|
|
pargs.argc = &argc;
|
|
pargs.argv = &argv;
|
|
pargs.flags= ARGPARSE_FLAG_KEEP;
|
|
while (gpgrt_argparse (NULL, &pargs, opts))
|
|
{
|
|
switch (pargs.r_opt)
|
|
{
|
|
case oVerbose: myopt->verbose++; break;
|
|
case oQuiet: myopt->quiet++; break;
|
|
case oTimeout:
|
|
myopt->timeout.tv_sec = pargs.r.ret_int;
|
|
myopt->timeout.tv_usec = 0;
|
|
myopt->alarm_timeout = pargs.r.ret_int;
|
|
break;
|
|
case oOnlySearchTimeout: only_search_timeout = 1; break;
|
|
case oMulti: myopt->multi = 1; break;
|
|
case oUser: myopt->user = pargs.r.ret_str; break;
|
|
case oPass: myopt->pass = pargs.r.ret_str; break;
|
|
case oEnvPass:
|
|
myopt->pass = getenv ("DIRMNGR_LDAP_PASS");
|
|
break;
|
|
case oProxy: myopt->proxy = pargs.r.ret_str; break;
|
|
case oTls: myopt->force_tls = 1; break;
|
|
case oHost: myopt->host = pargs.r.ret_str; break;
|
|
case oPort: myopt->port = pargs.r.ret_int; break;
|
|
case oDN: myopt->dn = pargs.r.ret_str; break;
|
|
case oFilter: myopt->filter = pargs.r.ret_str; break;
|
|
case oAttr: myopt->attr = pargs.r.ret_str; break;
|
|
case oLogWithPID:
|
|
{
|
|
unsigned int oldflags;
|
|
log_get_prefix (&oldflags);
|
|
log_set_prefix (NULL, oldflags | GPGRT_LOG_WITH_PID);
|
|
}
|
|
break;
|
|
|
|
default :
|
|
pargs.err = ARGPARSE_PRINT_ERROR;
|
|
break;
|
|
}
|
|
}
|
|
gpgrt_argparse (NULL, &pargs, NULL);
|
|
|
|
if (only_search_timeout)
|
|
myopt->alarm_timeout = 0;
|
|
|
|
if (myopt->proxy)
|
|
{
|
|
malloced_buffer1 = xtrystrdup (myopt->proxy);
|
|
if (!malloced_buffer1)
|
|
{
|
|
log_error ("error copying string: %s\n", strerror (errno));
|
|
return 1;
|
|
}
|
|
myopt->host = malloced_buffer1;
|
|
p = strchr (myopt->host, ':');
|
|
if (p)
|
|
{
|
|
*p++ = 0;
|
|
myopt->port = atoi (p);
|
|
}
|
|
if (!myopt->port)
|
|
myopt->port = 389; /* make sure ports gets overridden. */
|
|
}
|
|
|
|
if (myopt->port < 0 || myopt->port > 65535)
|
|
log_error (_("invalid port number %d\n"), myopt->port);
|
|
|
|
if (log_get_errorcount (0))
|
|
exit (2);
|
|
if (argc < 1)
|
|
gpgrt_usage (1);
|
|
|
|
if (myopt->alarm_timeout)
|
|
{
|
|
#ifndef HAVE_W32_SYSTEM
|
|
# if defined(HAVE_SIGACTION) && defined(HAVE_STRUCT_SIGACTION)
|
|
struct sigaction act;
|
|
|
|
act.sa_handler = catch_alarm;
|
|
sigemptyset (&act.sa_mask);
|
|
act.sa_flags = 0;
|
|
if (sigaction (SIGALRM,&act,NULL))
|
|
# else
|
|
if (signal (SIGALRM, catch_alarm) == SIG_ERR)
|
|
# endif
|
|
log_fatal ("unable to register timeout handler\n");
|
|
#endif
|
|
}
|
|
|
|
for (; argc; argc--, argv++)
|
|
if (process_url (myopt, *argv))
|
|
any_err = 1;
|
|
|
|
xfree (malloced_buffer1);
|
|
return any_err;
|
|
}
|
|
|
|
#ifndef HAVE_W32_SYSTEM
|
|
static void
|
|
catch_alarm (int dummy)
|
|
{
|
|
(void)dummy;
|
|
_exit (10);
|
|
}
|
|
#endif
|
|
|
|
|
|
#ifdef HAVE_W32_SYSTEM
|
|
static DWORD CALLBACK
|
|
alarm_thread (void *arg)
|
|
{
|
|
HANDLE timer = arg;
|
|
|
|
WaitForSingleObject (timer, INFINITE);
|
|
_exit (10);
|
|
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
|
|
static void
|
|
set_timeout (my_opt_t myopt)
|
|
{
|
|
if (myopt->alarm_timeout)
|
|
{
|
|
#ifdef HAVE_W32_SYSTEM
|
|
static HANDLE timer;
|
|
LARGE_INTEGER due_time;
|
|
|
|
/* A negative value is a relative time. */
|
|
due_time.QuadPart = (unsigned long long)-10000000 * myopt->alarm_timeout;
|
|
|
|
if (!timer)
|
|
{
|
|
SECURITY_ATTRIBUTES sec_attr;
|
|
DWORD tid;
|
|
|
|
memset (&sec_attr, 0, sizeof sec_attr);
|
|
sec_attr.nLength = sizeof sec_attr;
|
|
sec_attr.bInheritHandle = FALSE;
|
|
|
|
/* Create a manual resettable timer. */
|
|
timer = CreateWaitableTimer (NULL, TRUE, NULL);
|
|
/* Initially set the timer. */
|
|
SetWaitableTimer (timer, &due_time, 0, NULL, NULL, 0);
|
|
|
|
if (CreateThread (&sec_attr, 0, alarm_thread, timer, 0, &tid))
|
|
log_error ("failed to create alarm thread\n");
|
|
}
|
|
else /* Retrigger the timer. */
|
|
SetWaitableTimer (timer, &due_time, 0, NULL, NULL, 0);
|
|
#else
|
|
alarm (myopt->alarm_timeout);
|
|
#endif
|
|
}
|
|
}
|
|
|
|
|
|
/* Helper for fetch_ldap(). */
|
|
static int
|
|
print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr)
|
|
{
|
|
LDAPMessage *item;
|
|
int any = 0;
|
|
|
|
for (npth_unprotect (), item = ldap_first_entry (ld, msg), npth_protect ();
|
|
item;
|
|
npth_unprotect (), item = ldap_next_entry (ld, item), npth_protect ())
|
|
{
|
|
BerElement *berctx;
|
|
char *attr;
|
|
|
|
if (myopt->verbose > 1)
|
|
log_info (_("scanning result for attribute '%s'\n"),
|
|
want_attr? want_attr : "[all]");
|
|
|
|
if (myopt->multi)
|
|
{ /* Write item marker. */
|
|
if (es_fwrite ("I\0\0\0\0", 5, 1, myopt->outstream) != 1)
|
|
{
|
|
log_error (_("error writing to stdout: %s\n"),
|
|
strerror (errno));
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
|
|
for (npth_unprotect (), attr = ldap_first_attribute (ld, item, &berctx),
|
|
npth_protect ();
|
|
attr;
|
|
npth_unprotect (), attr = ldap_next_attribute (ld, item, berctx),
|
|
npth_protect ())
|
|
{
|
|
struct berval **values;
|
|
int idx;
|
|
|
|
if (myopt->verbose > 1)
|
|
log_info (_(" available attribute '%s'\n"), attr);
|
|
|
|
set_timeout (myopt);
|
|
|
|
/* I case we want only one attribute we do a case
|
|
insensitive compare without the optional extension
|
|
(i.e. ";binary"). Case insensitive is not really correct
|
|
but the best we can do. */
|
|
if (want_attr)
|
|
{
|
|
char *cp1, *cp2;
|
|
int cmpres;
|
|
|
|
cp1 = strchr (want_attr, ';');
|
|
if (cp1)
|
|
*cp1 = 0;
|
|
cp2 = strchr (attr, ';');
|
|
if (cp2)
|
|
*cp2 = 0;
|
|
cmpres = ascii_strcasecmp (want_attr, attr);
|
|
if (cp1)
|
|
*cp1 = ';';
|
|
if (cp2)
|
|
*cp2 = ';';
|
|
if (cmpres)
|
|
{
|
|
ldap_memfree (attr);
|
|
continue; /* Not found: Try next attribute. */
|
|
}
|
|
}
|
|
|
|
npth_unprotect ();
|
|
values = ldap_get_values_len (ld, item, attr);
|
|
npth_protect ();
|
|
|
|
if (!values)
|
|
{
|
|
if (myopt->verbose)
|
|
log_info (_("attribute '%s' not found\n"), attr);
|
|
ldap_memfree (attr);
|
|
continue;
|
|
}
|
|
|
|
if (myopt->verbose)
|
|
{
|
|
log_info (_("found attribute '%s'\n"), attr);
|
|
if (myopt->verbose > 1)
|
|
for (idx=0; values[idx]; idx++)
|
|
log_info (" length[%d]=%d\n",
|
|
idx, (int)values[0]->bv_len);
|
|
|
|
}
|
|
|
|
if (myopt->multi)
|
|
{ /* Write attribute marker. */
|
|
unsigned char tmp[5];
|
|
size_t n = strlen (attr);
|
|
|
|
tmp[0] = 'A';
|
|
tmp[1] = (n >> 24);
|
|
tmp[2] = (n >> 16);
|
|
tmp[3] = (n >> 8);
|
|
tmp[4] = (n);
|
|
if (es_fwrite (tmp, 5, 1, myopt->outstream) != 1
|
|
|| es_fwrite (attr, n, 1, myopt->outstream) != 1)
|
|
{
|
|
log_error (_("error writing to stdout: %s\n"),
|
|
strerror (errno));
|
|
ldap_value_free_len (values);
|
|
ldap_memfree (attr);
|
|
ber_free (berctx, 0);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
for (idx=0; values[idx]; idx++)
|
|
{
|
|
if (myopt->multi)
|
|
{ /* Write value marker. */
|
|
unsigned char tmp[5];
|
|
size_t n = values[0]->bv_len;
|
|
|
|
tmp[0] = 'V';
|
|
tmp[1] = (n >> 24);
|
|
tmp[2] = (n >> 16);
|
|
tmp[3] = (n >> 8);
|
|
tmp[4] = (n);
|
|
|
|
if (es_fwrite (tmp, 5, 1, myopt->outstream) != 1)
|
|
{
|
|
log_error (_("error writing to stdout: %s\n"),
|
|
strerror (errno));
|
|
ldap_value_free_len (values);
|
|
ldap_memfree (attr);
|
|
ber_free (berctx, 0);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if (es_fwrite (values[0]->bv_val, values[0]->bv_len,
|
|
1, myopt->outstream) != 1)
|
|
{
|
|
log_error (_("error writing to stdout: %s\n"),
|
|
strerror (errno));
|
|
ldap_value_free_len (values);
|
|
ldap_memfree (attr);
|
|
ber_free (berctx, 0);
|
|
return -1;
|
|
}
|
|
|
|
any = 1;
|
|
if (!myopt->multi)
|
|
break; /* Print only the first value. */
|
|
}
|
|
ldap_value_free_len (values);
|
|
ldap_memfree (attr);
|
|
if (want_attr || !myopt->multi)
|
|
break; /* We only want to return the first attribute. */
|
|
}
|
|
ber_free (berctx, 0);
|
|
}
|
|
|
|
if (myopt->verbose > 1 && any)
|
|
log_info ("result has been printed\n");
|
|
|
|
return any?0:-1;
|
|
}
|
|
|
|
|
|
|
|
/* Helper for the URL based LDAP query. */
|
|
static int
|
|
fetch_ldap (my_opt_t myopt, const char *url, const LDAPURLDesc *ludp)
|
|
{
|
|
LDAP *ld;
|
|
LDAPMessage *msg;
|
|
int rc = 0;
|
|
char *host, *dn, *filter, *attrs[2], *attr;
|
|
int port;
|
|
int ret;
|
|
int usetls;
|
|
|
|
host = myopt->host? myopt->host : ludp->lud_host;
|
|
port = myopt->port? myopt->port : ludp->lud_port;
|
|
dn = myopt->dn? myopt->dn : ludp->lud_dn;
|
|
filter = myopt->filter? myopt->filter : ludp->lud_filter;
|
|
attrs[0] = myopt->attr? myopt->attr : ludp->lud_attrs? ludp->lud_attrs[0]:NULL;
|
|
attrs[1] = NULL;
|
|
attr = attrs[0];
|
|
|
|
if (!port && myopt->force_tls)
|
|
port = 636;
|
|
else if (!port)
|
|
port = (ludp->lud_scheme && !strcmp (ludp->lud_scheme, "ldaps"))? 636:389;
|
|
|
|
if (myopt->verbose)
|
|
{
|
|
log_info (_("processing url '%s'\n"), url);
|
|
if (myopt->force_tls)
|
|
log_info ("forcing tls\n");
|
|
else
|
|
log_info ("not forcing tls\n");
|
|
|
|
if (myopt->user)
|
|
log_info (_(" user '%s'\n"), myopt->user);
|
|
if (myopt->pass)
|
|
log_info (_(" pass '%s'\n"), *myopt->pass?"*****":"");
|
|
if (host)
|
|
log_info (_(" host '%s'\n"), host);
|
|
log_info (_(" port %d\n"), port);
|
|
if (dn)
|
|
log_info (_(" DN '%s'\n"), dn);
|
|
if (filter)
|
|
log_info (_(" filter '%s'\n"), filter);
|
|
if (myopt->multi && !myopt->attr && ludp->lud_attrs)
|
|
{
|
|
int i;
|
|
for (i=0; ludp->lud_attrs[i]; i++)
|
|
log_info (_(" attr '%s'\n"), ludp->lud_attrs[i]);
|
|
}
|
|
else if (attr)
|
|
log_info (_(" attr '%s'\n"), attr);
|
|
}
|
|
|
|
|
|
if (!host || !*host)
|
|
{
|
|
log_error (_("no host name in '%s'\n"), url);
|
|
return -1;
|
|
}
|
|
if (!myopt->multi && !attr)
|
|
{
|
|
log_error (_("no attribute given for query '%s'\n"), url);
|
|
return -1;
|
|
}
|
|
|
|
if (!myopt->multi && !myopt->attr
|
|
&& ludp->lud_attrs && ludp->lud_attrs[0] && ludp->lud_attrs[1])
|
|
log_info (_("WARNING: using first attribute only\n"));
|
|
|
|
set_timeout (myopt);
|
|
|
|
usetls = (myopt->force_tls
|
|
|| (ludp->lud_scheme && !strcmp (ludp->lud_scheme, "ldaps")));
|
|
#if HAVE_W32_SYSTEM
|
|
if (1)
|
|
{
|
|
npth_unprotect ();
|
|
ld = ldap_sslinit (host, port, usetls);
|
|
npth_protect ();
|
|
if (!ld)
|
|
{
|
|
ret = LdapGetLastError ();
|
|
log_error (_("LDAP init to '%s:%d' failed: %s\n"),
|
|
host, port, ldap_err2string (ret));
|
|
return -1;
|
|
}
|
|
}
|
|
#else /*!W32*/
|
|
if (usetls)
|
|
{
|
|
char *uri;
|
|
|
|
uri = xtryasprintf ("ldaps://%s:%d", host, port);
|
|
if (!uri)
|
|
{
|
|
log_error (_("error allocating memory: %s\n"),
|
|
gpg_strerror (gpg_error_from_syserror ()));
|
|
return -1;
|
|
}
|
|
npth_unprotect ();
|
|
ret = ldap_initialize (&ld, uri);
|
|
npth_protect ();
|
|
if (ret)
|
|
{
|
|
log_error (_("LDAP init to '%s' failed: %s\n"),
|
|
uri, ldap_err2string (ret));
|
|
xfree (uri);
|
|
return -1;
|
|
}
|
|
else if (myopt->verbose)
|
|
log_info (_("LDAP init to '%s' done\n"), uri);
|
|
xfree (uri);
|
|
}
|
|
else
|
|
{
|
|
/* Keep the old way so to avoid regressions. Eventually we
|
|
* should really consider the supplied scheme and use only
|
|
* ldap_initialize. */
|
|
npth_unprotect ();
|
|
ld = ldap_init (host, port);
|
|
npth_protect ();
|
|
if (!ld)
|
|
{
|
|
log_error (_("LDAP init to '%s:%d' failed: %s\n"),
|
|
host, port, strerror (errno));
|
|
return -1;
|
|
}
|
|
}
|
|
#endif /*!W32*/
|
|
|
|
npth_unprotect ();
|
|
/* Fixme: Can we use MYOPT->user or is it shared with other theeads?. */
|
|
ret = ldap_simple_bind_s (ld, myopt->user, myopt->pass);
|
|
npth_protect ();
|
|
#ifdef LDAP_VERSION3
|
|
if (ret == LDAP_PROTOCOL_ERROR)
|
|
{
|
|
/* Protocol error could mean that the server only supports v3. */
|
|
int version = LDAP_VERSION3;
|
|
if (myopt->verbose)
|
|
log_info ("protocol error; retrying bind with v3 protocol\n");
|
|
npth_unprotect ();
|
|
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
|
|
ret = ldap_simple_bind_s (ld, myopt->user, myopt->pass);
|
|
npth_protect ();
|
|
}
|
|
#endif
|
|
if (ret)
|
|
{
|
|
log_error (_("binding to '%s:%d' failed: %s\n"),
|
|
host, port, ldap_err2string (ret));
|
|
ldap_unbind (ld);
|
|
return -1;
|
|
}
|
|
|
|
set_timeout (myopt);
|
|
npth_unprotect ();
|
|
rc = ldap_search_st (ld, dn, ludp->lud_scope, filter,
|
|
myopt->multi && !myopt->attr && ludp->lud_attrs?
|
|
ludp->lud_attrs:attrs,
|
|
0,
|
|
&myopt->timeout, &msg);
|
|
npth_protect ();
|
|
if (rc == LDAP_SIZELIMIT_EXCEEDED && myopt->multi)
|
|
{
|
|
if (es_fwrite ("E\0\0\0\x09truncated", 14, 1, myopt->outstream) != 1)
|
|
{
|
|
log_error (_("error writing to stdout: %s\n"), strerror (errno));
|
|
return -1;
|
|
}
|
|
}
|
|
else if (rc)
|
|
{
|
|
log_error (_("searching '%s' failed: %s\n"),
|
|
url, ldap_err2string (rc));
|
|
if (rc != LDAP_NO_SUCH_OBJECT)
|
|
{
|
|
/* FIXME: Need deinit (ld)? */
|
|
/* Hmmm: Do we need to released MSG in case of an error? */
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
rc = print_ldap_entries (myopt, ld, msg, myopt->multi? NULL:attr);
|
|
|
|
ldap_msgfree (msg);
|
|
ldap_unbind (ld);
|
|
return rc;
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Main processing. Take the URL and run the LDAP query. The result
|
|
is printed to stdout, errors are logged to the log stream. */
|
|
static int
|
|
process_url (my_opt_t myopt, const char *url)
|
|
{
|
|
int rc;
|
|
LDAPURLDesc *ludp = NULL;
|
|
|
|
|
|
if (!ldap_is_ldap_url (url))
|
|
{
|
|
log_error (_("'%s' is not an LDAP URL\n"), url);
|
|
return -1;
|
|
}
|
|
|
|
if (ldap_url_parse (url, &ludp))
|
|
{
|
|
log_error (_("'%s' is an invalid LDAP URL\n"), url);
|
|
return -1;
|
|
}
|
|
|
|
rc = fetch_ldap (myopt, url, ludp);
|
|
|
|
ldap_free_urldesc (ludp);
|
|
return rc;
|
|
}
|