Created
June 10, 2014 06:57
-
-
Save iley/f02ee9eed84505de9478 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp | |
| index 5b3f1e7..a7829c7 100644 | |
| --- a/src/modules/extra/m_ldapauth.cpp | |
| +++ b/src/modules/extra/m_ldapauth.cpp | |
| @@ -104,6 +104,7 @@ class ModuleLDAPAuth : public Module | |
| std::string username; | |
| std::string password; | |
| std::string vhost; | |
| + std::string group; | |
| std::vector<std::string> whitelistedcidrs; | |
| std::vector<std::pair<std::string, std::string> > requiredattributes; | |
| int searchscope; | |
| @@ -151,6 +152,7 @@ public: | |
| vhost = tag->getString("host"); | |
| verbose = tag->getBool("verbose"); /* Set to true if failed connects should be reported to operators */ | |
| useusername = tag->getBool("userfield"); | |
| + group = tag->getString("group"); | |
| ConfigTagList whitelisttags = ServerInstance->Config->ConfTags("ldapwhitelist"); | |
| @@ -309,8 +311,10 @@ public: | |
| } | |
| } | |
| + std::string ldapuser = (useusername ? user->ident : user->nick); | |
| + | |
| RAIILDAPMessage msg; | |
| - std::string what = (attribute + "=" + (useusername ? user->ident : user->nick)); | |
| + std::string what = (attribute + "=" + ldapuser); | |
| if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS) | |
| { | |
| // Do a second search, based on password, if it contains a : | |
| @@ -417,6 +421,34 @@ public: | |
| ldapVhost.set(user, SafeReplace(vhost, dnParts)); | |
| } | |
| + if (!group.empty()) | |
| + { | |
| + RAIILDAPMessage group_msg; | |
| + std::string filter = "(&(" + group + ")(memberUid=" + ldapuser + "))"; | |
| + | |
| + res = ldap_search_ext_s(conn, base.c_str(), searchscope, filter.c_str(), NULL, 0, NULL, NULL, NULL, 0, &group_msg); | |
| + if (res != LDAP_SUCCESS) | |
| + { | |
| + if (verbose) | |
| + ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search failed: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); | |
| + return false; | |
| + } | |
| + | |
| + if (ldap_count_entries(conn, group_msg) > 1) | |
| + { | |
| + if (verbose) | |
| + ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search returned more than one result: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); | |
| + return false; | |
| + } | |
| + | |
| + if (ldap_first_entry(conn, group_msg) == NULL) | |
| + { | |
| + if (verbose) | |
| + ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search returned no results: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res)); | |
| + return false; | |
| + } | |
| + } | |
| + | |
| ldapAuthed.set(user,1); | |
| return true; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment