LDAP + nnrpd
Keith Lewis
keithl at mukluk.cc.monash.edu.au
Sun Nov 26 22:37:55 UTC 2000
-----BEGIN PGP SIGNED MESSAGE-----
RE:
> I would like to know if it is possible to use LDAP to authenticate users in
> nnrpd instead using RADIUS. If so, what changes I need to make. I
I'm sure there's a better way, but the following, written over a crate
of beer, has been working for me for years.
main.c
- ----------------------------------------------------------------------
/* pinched from pwcheck, pinched from cyrus imap */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/uio.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <syslog.h>
#include "configdata.h"
#define STATEDIR "/var"
extern int errno;
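/*
 * nnrpd external authenticator.
 *
 * Reads "ClientAuthname: <name>" and "ClientPassword: <pw>" lines from
 * stdin (as nnrpd supplies them), verifies the pair against LDAP via
 * ldap_pwd_ok(), and reports the result through the exit status:
 *   0  authenticated; "User:<name>" has been printed on stdout for nnrpd
 *   1  LDAP rejected the credentials
 *   2  usage error (unknown option or stray arguments)
 *   3  username or password missing from stdin
 */
int main(int argc, char *argv[])
{
    extern int optind;
    extern char *optarg;
    /* Prototype for the checker, declared here because no header on the page
       declares it.  NOTE(review): ldap_pwd_ok.c as posted defines
       ldap_pwd_ok(user, passwd) with two parameters and a hard-coded host,
       while this caller passes the -s server as a third argument; one side
       must be reconciled before the two agree. */
    int ldap_pwd_ok(char *server, char *user, char *passwd);
    int opt;
    char *ldapserver = NULL;          /* from -s; stays NULL if -s is absent */
    char uname[SMBUF], pass[SMBUF];
    char buff[SMBUF];
#define NAMESTR "ClientAuthname: "
#define PASSSTR "ClientPassword: "

    while ((opt = getopt(argc, argv, "s:")) != -1) {
        switch (opt) {
        case 's':
            ldapserver = optarg;
            break;
        default:
            /* unknown option or -s without an argument: usage error */
            exit(2);
        }
    }
    if (argc != optind)
        exit(2);

    uname[0] = '\0';
    pass[0] = '\0';
    /* Collect the two fields nnrpd sends; input ends at EOF. */
    while (fgets(buff, sizeof(buff), stdin) != NULL) {
        /* Strip the line terminator.  strcspn copes with "\n", "\r\n" and
           with a final line that has no newline at all (the original
           unconditionally dropped the last character, which would eat the
           last byte of a password on an unterminated line). */
        buff[strcspn(buff, "\r\n")] = '\0';
        /* buff and the destinations are the same size, but keep the copy
           bounded so a later resize of either cannot reintroduce an overflow */
        if (!strncmp(buff, NAMESTR, strlen(NAMESTR)))
            snprintf(uname, sizeof uname, "%s", buff + strlen(NAMESTR));
        if (!strncmp(buff, PASSSTR, strlen(PASSSTR)))
            snprintf(pass, sizeof pass, "%s", buff + strlen(PASSSTR));
    }
    if (!uname[0] || !pass[0])
        exit(3);

    /* ldap_pwd_ok() returns non-zero only when the bind as the user's DN
       succeeded.  The original tested the negated value and therefore
       granted access on a FAILED check and denied it on a good password. */
    if (ldap_pwd_ok(ldapserver, uname, pass)) {
        fprintf(stderr, "valid passwd\n");
        printf("User:%s\n", uname);
        exit(0);
    }
    exit(1);
}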
ldap_pwd_ok.c
- ----------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <lber.h>
#include <ldap.h>
#include "ldapconfig.h"
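/*
 * Escape USER for use as an LDAP filter assertion value (RFC 4515): the
 * characters '*', '(', ')' and '\' are written as "\xx" hex escapes so that
 * a caller-supplied name cannot change the structure of the filter.
 *
 * Returns 0 on success, -1 if the escaped string would not fit in OUT
 * (OUT is then not guaranteed to be terminated and must not be used).
 */
static int ldap_filter_escape(const char *user, char *out, size_t outsz)
{
    size_t o = 0;

    for (; *user != '\0'; user++) {
        unsigned char c = (unsigned char)*user;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outsz)
                return -1;
            snprintf(out + o, outsz - o, "\\%02x", c);
            o += 3;
        } else {
            if (o + 1 >= outsz)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/*
 * Check USER/PASSWD against the directory.
 *
 * Binds with the configured search credentials, looks the user up by uid
 * under LDAPSEARCH_BASE, then opens a fresh connection and binds as the
 * entry's DN with PASSWD.  Returns 1 if that bind succeeded, 0 otherwise
 * (including on any connection, search or lookup failure).
 *
 * NOTE(review): the host is hard-coded as "dirgod"; main.c as posted passes
 * the -s server as a first argument, which this two-parameter definition
 * does not accept.  Reconcile the two before relying on -s.
 */
int ldap_pwd_ok ( char *user, char *passwd) {
    char ldaphost[] = "dirgod";
    LDAP *ld = NULL;
    LDAPMessage *res = NULL, *e;
    char escaped[128];
    char filter[160];
    char *attrs[] = { "dn", 0 };
    char *dn = NULL;
    int ok = 0;
    int n;

    /* An empty password must never reach the bind: a DN with empty
       credentials is an unauthenticated (anonymous) bind on many servers
       and would "succeed" for any existing user. */
    if (user == NULL || passwd == NULL || *user == '\0' || *passwd == '\0')
        return 0;

    /* The original strcpy/strcat into a 128-byte filter overflowed on a
       long username and let filter metacharacters in the name rewrite the
       query; escape first and reject anything that does not fit. */
    if (ldap_filter_escape(user, escaped, sizeof escaped) != 0)
        return 0;
    n = snprintf(filter, sizeof filter, "(uid=%s)", escaped);
    if (n < 0 || (size_t)n >= sizeof filter)
        return 0;

    /* Open and bind as the search account to locate the user's entry.
       Every failure below falls through to the single cleanup path. */
    if ((ld = ldap_open(ldaphost, LDAP_PORT)) == NULL) {
        perror(ldaphost);
        goto out;
    }
    if (ldap_simple_bind_s(ld, LDAPSEARCH_BINDDN, LDAPSEARCH_BIND_CRED)
        != LDAP_SUCCESS)
        goto out;
    if (ldap_search_s(ld, LDAPSEARCH_BASE, LDAP_SCOPE_SUBTREE,
                      filter, attrs, 0, &res) != LDAP_SUCCESS)
        goto out;
    e = ldap_first_entry(ld, res);
    if (e == NULL)
        goto out;
    dn = ldap_get_dn(ld, e);
    if (dn == NULL)
        goto out;

    /* Drop the search connection and bind as the user on a new one. */
    ldap_unbind(ld);
    ld = NULL;
    if ((ld = ldap_open(ldaphost, LDAP_PORT)) == NULL)
        goto out;
    if (ldap_simple_bind_s(ld, dn, passwd) == LDAP_SUCCESS)
        ok = 1;

out:
    /* The original leaked the result message, the DN and (on error paths)
       the connection; release whatever was acquired. */
    if (dn != NULL)
        ldap_memfree(dn);
    if (res != NULL)
        ldap_msgfree(res);
    if (ld != NULL)
        ldap_unbind(ld);
    return ok;
}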
- ----------------------------------------------------------------------
Just compile and link the above with an LDAP library and put the resulting
binary in /usr/news/bin/auth, calling it ldapcheck.
then add a line like
auth: "ldapcheck -s <ldapserver>"
to readers.conf
(replace <ldapserver> with the name of your LDAP server).
- ----------------------------------------------------------------------
Hope this makes sense.
Keith
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQCVAwUBOiGQw3EpE0nRVDfpAQGyLwP9Es1z4X8B9XJOOd5yY9VkAdgUog+Ma3Lt
tXKxQLM0gi1/XjFlcvwACG+/bc2Pn27UCiklRfgCNg036p7KFtkOq7rnIUfld0bk
SK1zNW/44s1RasFP1p9Jg7Sn5NMwDAWIPJ1e4gNyZn9Rio/FwaF2ryDNmqQB2reJ
9TGSHyklLQ8=
=CwvO
-----END PGP SIGNATURE-----