From b1099e8edcda1ab658eaac424bd2e09d6e7cbabd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Luttringer?= Date: Sun, 9 Oct 2016 01:53:36 +0200 Subject: [PATCH] Revert "rgw ldap: fix ldap bindpw parsing" This reverts commit fe57aceeb02ad9163feb2d196589b5927cedfa0f. --- src/rgw/librgw.cc | 6 ++-- src/rgw/rgw_ldap.cc | 35 --------------------- src/rgw/rgw_ldap.h | 54 ++++++++------------------------- src/rgw/rgw_rest_s3.cc | 77 +++++++++++------------------------------------ src/test/test_rgw_ldap.cc | 4 +-- 5 files changed, 34 insertions(+), 142 deletions(-) diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc index c476129..37414fc 100644 --- a/src/rgw/librgw.cc +++ b/src/rgw/librgw.cc @@ -52,7 +52,6 @@ #include #include - #define dout_subsys ceph_subsys_rgw bool global_stop = false; @@ -470,10 +469,9 @@ namespace rgw { const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn; const string& ldap_dnattr = store->ctx()->_conf->rgw_ldap_dnattr; - std::string ldap_bindpw = parse_rgw_ldap_bindpw(store->ctx()); - ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_bindpw.c_str(), - ldap_searchdn, ldap_dnattr); + ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_searchdn, + ldap_dnattr); ldh->init(); ldh->bind(); diff --git a/src/rgw/rgw_ldap.cc b/src/rgw/rgw_ldap.cc index 6cca3b8..ac420e3 100644 --- a/src/rgw/rgw_ldap.cc +++ b/src/rgw/rgw_ldap.cc @@ -2,38 +2,3 @@ // vim: ts=8 sw=2 smarttab #include "rgw_ldap.h" - -#include "common/ceph_context.h" -#include "common/common_init.h" -#include "common/dout.h" -#include "common/safe_io.h" -#include - -#include "include/assert.h" - -#define dout_subsys ceph_subsys_rgw - -std::string parse_rgw_ldap_bindpw(CephContext* ctx) -{ - string ldap_bindpw; - string ldap_secret = ctx->_conf->rgw_ldap_secret; - - if (ldap_secret.empty()) { - ldout(ctx, 10) - << __func__ << " LDAP auth no rgw_ldap_secret file found in conf" - << dendl; - } else { - char bindpw[1024]; - memset(bindpw, 0, 1024); - int pwlen = safe_read_file("" /* base */, ldap_secret.c_str(), - bindpw, 1023); - if (pwlen) { - ldap_bindpw = bindpw; - boost::algorithm::trim(ldap_bindpw); - if (ldap_bindpw.back() == '\n') - ldap_bindpw.pop_back(); - } - } - - return std::move(ldap_bindpw); -} diff --git a/src/rgw/rgw_ldap.h b/src/rgw/rgw_ldap.h index b29e33ad..02eb61e 100644 --- a/src/rgw/rgw_ldap.h +++ b/src/rgw/rgw_ldap.h @@ -23,38 +23,27 @@ namespace rgw { { std::string uri; std::string binddn; - std::string bindpw; std::string searchdn; std::string dnattr; LDAP *ldap; - bool msad = false; /* TODO: possible future specialization */ public: - LDAPHelper(std::string _uri, std::string _binddn, std::string _bindpw, - std::string _searchdn, std::string _dnattr) - : uri(std::move(_uri)), binddn(std::move(_binddn)), - bindpw(std::move(_bindpw)), searchdn(_searchdn), dnattr(_dnattr), - ldap(nullptr) { + LDAPHelper(std::string _uri, std::string _binddn, std::string _searchdn, + std::string _dnattr) + : uri(std::move(_uri)), binddn(std::move(_binddn)), searchdn(_searchdn), + dnattr(_dnattr), ldap(nullptr) { // nothing } int init() { int ret; ret = ldap_initialize(&ldap, uri.c_str()); - if (ret == LDAP_SUCCESS) { - unsigned long ldap_ver = LDAP_VERSION3; - ret = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, - (void*) &ldap_ver); - } - if (ret == LDAP_SUCCESS) { - ret = ldap_set_option(ldap, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); - } return (ret == LDAP_SUCCESS) ? ret : -EINVAL; } int bind() { int ret; - ret = ldap_simple_bind_s(ldap, binddn.c_str(), bindpw.c_str()); + ret = ldap_simple_bind_s(ldap, nullptr, nullptr); return (ret == LDAP_SUCCESS) ? ret : -EINVAL; } @@ -71,18 +60,11 @@ namespace rgw { int auth(const std::string uid, const std::string pwd) { int ret; std::string filter; - if (msad) { - filter = "(&(objectClass=user)(sAMAccountName="; - filter += uid; - filter += "))"; - } else { - /* openldap */ - filter = "("; - filter += dnattr; - filter += "="; - filter += uid; - filter += ")"; - } + filter = "("; + filter += dnattr; + filter += "="; + filter += uid; + filter += ")"; char *attrs[] = { const_cast(dnattr.c_str()), nullptr }; LDAPMessage *answer = nullptr, *entry = nullptr; ret = ldap_search_s(ldap, searchdn.c_str(), LDAP_SCOPE_SUBTREE, @@ -113,8 +95,8 @@ namespace rgw { class LDAPHelper { public: - LDAPHelper(std::string _uri, std::string _binddn, std::string _bindpw, - std::string _searchdn, std::string _dnattr) + LDAPHelper(std::string _uri, std::string _binddn, std::string _searchdn, + std::string _dnattr) {} int init() { @@ -135,17 +117,7 @@ namespace rgw { #endif /* HAVE_OPENLDAP */ - -} /* namespace rgw */ - -#include "common/ceph_context.h" -#include "common/common_init.h" -#include "common/dout.h" -#include "common/safe_io.h" -#include -#include "include/assert.h" - -std::string parse_rgw_ldap_bindpw(CephContext* ctx); +} /* namespace rgw */ #endif /* RGW_LDAP_H */ diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index e9f24f3..bd952db 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -8,8 +8,6 @@ #include "common/Formatter.h" #include "common/utf8.h" #include "common/ceph_json.h" -#include "common/safe_io.h" -#include #include "rgw_rest.h" #include "rgw_rest_s3.h" @@ -1747,32 +1745,10 @@ int RGWPostObj_ObjStore_S3::get_policy() s->perm_mask = RGW_PERM_FULL_CONTROL; } } else if (store->ctx()->_conf->rgw_s3_auth_use_ldap && - (! store->ctx()->_conf->rgw_ldap_uri.empty())) { - - ldout(store->ctx(), 15) - << __func__ << " LDAP auth uri=" - << store->ctx()->_conf->rgw_ldap_uri - << dendl; - + store->ctx()->_conf->rgw_ldap_uri.empty()) { RGWToken token{from_base64(s3_access_key)}; - if (! token.valid()) - return -EACCES; - rgw::LDAPHelper *ldh = RGW_Auth_S3::get_ldap_ctx(store); - if (unlikely(!ldh)) { - ldout(store->ctx(), 0) - << __func__ << " RGW_Auth_S3::get_ldap_ctx() failed" - << dendl; - return -EACCES; - } - - ldout(store->ctx(), 10) - << __func__ << " try LDAP auth uri=" - << store->ctx()->_conf->rgw_ldap_uri - << " token.id=" << token.id - << dendl; - - if (ldh->auth(token.id, token.key) != 0) + if ((! token.valid()) || ldh->auth(token.id, token.key) != 0) return -EACCES; /* ok, succeeded */ @@ -3091,10 +3067,9 @@ void RGW_Auth_S3::init_impl(RGWRados* store) const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn; const string& ldap_dnattr = store->ctx()->_conf->rgw_ldap_dnattr; - std::string ldap_bindpw = parse_rgw_ldap_bindpw(store->ctx()); - ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_bindpw, - ldap_searchdn, ldap_dnattr); + ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_searchdn, + ldap_dnattr); ldh->init(); ldh->bind(); @@ -3935,45 +3910,29 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s) RGW_Auth_S3::init(store); - ldout(store->ctx(), 15) - << __func__ << " LDAP auth uri=" - << store->ctx()->_conf->rgw_ldap_uri - << dendl; - RGWToken token{from_base64(auth_id)}; - - if (! token.valid()) + if ((! token.valid()) || ldh->auth(token.id, token.key) != 0) external_auth_result = -EACCES; else { - ldout(store->ctx(), 10) - << __func__ << " try LDAP auth uri=" - << store->ctx()->_conf->rgw_ldap_uri - << " token.id=" << token.id - << dendl; - - if (ldh->auth(token.id, token.key) != 0) - external_auth_result = -EACCES; - else { - /* ok, succeeded */ - external_auth_result = 0; + /* ok, succeeded */ + external_auth_result = 0; - /* create local account, if none exists */ - s->user->user_id = token.id; - s->user->display_name = token.id; // cn? - int ret = rgw_get_user_info_by_uid(store, s->user->user_id, *(s->user)); + /* create local account, if none exists */ + s->user->user_id = token.id; + s->user->display_name = token.id; // cn? + int ret = rgw_get_user_info_by_uid(store, s->user->user_id, *(s->user)); + if (ret < 0) { + ret = rgw_store_user_info(store, *(s->user), nullptr, nullptr, + real_time(), true); if (ret < 0) { - ret = rgw_store_user_info(store, *(s->user), nullptr, nullptr, - real_time(), true); - if (ret < 0) { - dout(10) << "NOTICE: failed to store new user's info: ret=" << ret - << dendl; - } + dout(10) << "NOTICE: failed to store new user's info: ret=" << ret + << dendl; } + } /* set request perms */ s->perm_mask = RGW_PERM_FULL_CONTROL; - } /* success */ - } /* token */ + } /* success */ } /* ldap */ /* keystone failed (or not enabled); check if we want to use rados backend */ -- 2.10.0