LDAP + nnrpd

Keith Lewis keithl at mukluk.cc.monash.edu.au
Sun Nov 26 22:37:55 UTC 2000


-----BEGIN PGP SIGNED MESSAGE-----

RE:
> I would like to know if it is possible to use LDAP to authenticate users in
> nnrpd instead using RADIUS.  If so, what changes I need to make.  I

	I'm sure there's a better way, but the following, written over a crate
of beer, has been working for me for years.

main.c
- ----------------------------------------------------------------------

/* pinched from pwcheck, pinched from cyrus imap */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/uio.h>

#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <syslog.h>

#include "configdata.h"

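/* Not referenced by the code shown in this listing; kept as posted. */
#define STATEDIR	"/var"

/*
 * errno is provided by <errno.h>, which this file already includes.  The
 * hand-written `extern int errno;` declaration was redundant and is not
 * portable to C libraries that implement errno as a macro, so it is
 * dropped here.
 */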

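/*
 * ldapcheck: external authenticator for nnrpd.
 *
 * Reads "ClientAuthname: <user>" and "ClientPassword: <password>" lines
 * from stdin and asks ldap_pwd_ok() whether the pair is valid.
 *
 * Exit status:
 *   0  credentials accepted; "User:<user>" is written to stdout
 *   1  credentials rejected
 *   2  bad command line
 *   3  user name or password missing, or an input line was too long
 */
int main(int argc, char *argv[])
{
    extern int optind;
    extern char *optarg;
    int opt;
    char *ldapserver = NULL;
    char uname[SMBUF], pass[SMBUF];
    char buff[SMBUF];
    size_t len;

    while ((opt = getopt(argc, argv, "s:")) != -1) {
	switch (opt) {
	  case 's':
	    ldapserver = optarg;
	    break;
	  default:
	    /* An authenticator should fail closed on options it does
	       not understand rather than carry on. */
	    exit(2);
	}
    }
    if (argc != optind)
	exit(2);

    /*
     * The ldap_pwd_ok() posted with this program takes (user, passwd) and
     * connects to a host named inside the function, so the -s value is
     * accepted for command-line compatibility but is not forwarded.
     * Passing it as an extra first argument would shift the user name
     * into the password slot.
     */
    (void) ldapserver;

    uname[0] = '\0';
    pass[0] = '\0';

#define NAMESTR "ClientAuthname: "
#define PASSSTR "ClientPassword: "
    /* get the username and password from stdin */
    while (fgets(buff, sizeof(buff), stdin) != NULL) {
        len = strlen(buff);

        /*
         * A full buffer without a newline means the line did not fit.
         * Its tail would be read back as a separate line and could be
         * mistaken for a header, so refuse the whole request.
         */
        if (len == sizeof(buff) - 1 && buff[len - 1] != '\n')
            exit(3);

        /*
         * Strip the line ending.  strcspn() is safe on an empty string
         * and on a final line with no newline, and it guarantees that no
         * CR or LF survives into the "User:" line printed below.
         */
        buff[strcspn(buff, "\r\n")] = '\0';

        /* uname, pass and buff are all SMBUF bytes and only a suffix of
           buff is copied, so these copies cannot overflow. */
        if (!strncmp(buff, NAMESTR, strlen(NAMESTR)))
            strcpy(uname, buff + sizeof(NAMESTR) - 1);
        if (!strncmp(buff, PASSSTR, strlen(PASSSTR)))
            strcpy(pass, buff + sizeof(PASSSTR) - 1);
    }

    /* An empty password must never reach the directory: a simple bind
       with a DN and no password is commonly treated as anonymous. */
    if (!uname[0] || !pass[0])
        exit(3);

    /*
     * ldap_pwd_ok() as posted returns 1 when the bind as the user
     * succeeds and 0 on every failure path, so accept only a non-zero
     * result.  Negating the result here would accept exactly the logins
     * that the directory refused.
     */
    if (ldap_pwd_ok(uname, pass)) {
        fprintf(stderr, "valid passwd\n");
        printf("User:%s\n", uname);
        exit(0);
    }
    exit(1);
}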

ldap_pwd_ok.c
- ----------------------------------------------------------------------

#include <strings.h>
#include <errno.h>
#include <lber.h>
#include <ldap.h>

#include "ldapconfig.h"

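/*
 * Write "(uid=<user>)" into filter, escaping the characters that have a
 * special meaning in an LDAP search filter (RFC 4515: '*', '(', ')' and
 * '\') as a backslash followed by two hex digits.
 *
 * Returns 0 on success, -1 if user is NULL or empty or the result does
 * not fit in cap bytes.
 */
static int build_uid_filter(char *filter, int cap, const char *user)
{
 static const char hex[] = "0123456789abcdef";
 static const char prefix[] = "(uid=";
 const unsigned char *p;
 int n;

 if (user == 0 || user[0] == '\0')
	return(-1);
 if (cap < (int) sizeof(prefix) + 1)
	return(-1);

 strcpy(filter, prefix);
 n = (int) sizeof(prefix) - 1;

 for (p = (const unsigned char *) user; *p != '\0'; p++) {
	if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
		/* three bytes now, plus ")" and the terminator later */
		if (n + 3 > cap - 2)
			return(-1);
		filter[n++] = '\\';
		filter[n++] = hex[*p >> 4];
		filter[n++] = hex[*p & 0x0f];
	} else {
		if (n + 1 > cap - 2)
			return(-1);
		filter[n++] = (char) *p;
	}
 }
 filter[n++] = ')';
 filter[n] = '\0';
 return(0);
}

/*
 * Check a user name / password pair against the directory.
 *
 * Binds with the search account, looks up the entry whose uid equals
 * user, then opens a second connection and binds as that entry's DN with
 * passwd.
 *
 * Returns 1 if the second bind succeeds, 0 on any failure.  As in the
 * original, failure to open the first connection prints an error and
 * exits with status 1.
 *
 * LDAPSEARCH_BINDDN, LDAPSEARCH_BIND_CRED and LDAPSEARCH_BASE are
 * presumably supplied by "ldapconfig.h" -- confirm against that header.
 *
 * NOTE(review): ldap_simple_bind_s() on LDAP_PORT sends the password
 * without encryption unless the link is protected some other way;
 * confirm the transport for your deployment.
 */
int ldap_pwd_ok ( char *user, char *passwd) {
 char ldaphost[]="dirgod";
 LDAP *ld;
 LDAPMessage *res = NULL, *e;
 char filter[128];
 char *attrs[] = { "dn", 0 };
 char *dn = NULL;
 int ok = 0;

 /* A simple bind with a DN and an empty password is commonly treated by
    servers as an anonymous bind and reported as success, so an empty
    password must be refused before it reaches the directory. */
 if (passwd == NULL || passwd[0] == '\0')
	return(0);

 /* The user name comes from the news client.  Concatenating it
    unchecked could overrun filter[] and would let filter
    metacharacters change which entry is searched for. */
 if (build_uid_filter(filter, (int) sizeof(filter), user) != 0)
	return(0);

 if (( ld = ldap_open( ldaphost,LDAP_PORT)) == NULL ) {
        perror( ldaphost );
        exit( 1 );
 }

 /* bind as the search account */
 if ( ldap_simple_bind_s( ld, LDAPSEARCH_BINDDN,  LDAPSEARCH_BIND_CRED )
 != LDAP_SUCCESS )
	goto done;

 if ( ldap_search_s( ld,  LDAPSEARCH_BASE, LDAP_SCOPE_SUBTREE,
                      filter, attrs, 0, &res)
    != LDAP_SUCCESS )
	goto done;

 /* Require exactly one match: with several entries for one uid it is
    not defined whose password would be checked. */
 if ( ldap_count_entries( ld, res ) != 1 )
	goto done;

 e = ldap_first_entry( ld, res );
 if ( e == (LDAPMessage *) 0 )
	goto done;

 dn = ldap_get_dn( ld, e);
 if ( dn == NULL || dn[0] == '\0' )
	goto done;

 /* finished with the search connection and its result */
 ldap_msgfree( res );
 res = NULL;
 ldap_unbind(ld);

 /* fresh connection, so the outcome depends only on the user's bind */
 if (( ld = ldap_open( ldaphost,LDAP_PORT)) == NULL )
	goto done;

 if ( ldap_simple_bind_s( ld, dn,  passwd ) == LDAP_SUCCESS )
	ok = 1;

done:
 /* release everything on every path; the original leaked the search
    result, the DN string and the connection */
 if ( dn != NULL )
	ldap_memfree( dn );
 if ( res != NULL )
	ldap_msgfree( res );
 if ( ld != NULL )
	ldap_unbind( ld );
 return(ok);
}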

- ----------------------------------------------------------------------

just compile and link the above with an LDAP library and put the resulting
binary in /usr/news/bin/auth calling it ldapcheck .

then add a line like
auth: "ldapcheck -s <ldapserver>"
to readers.conf

(replace <ldapserver> with the name of your ldap server).
- ----------------------------------------------------------------------

	Hope this makes sense.

Keith

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBOiGQw3EpE0nRVDfpAQGyLwP9Es1z4X8B9XJOOd5yY9VkAdgUog+Ma3Lt
tXKxQLM0gi1/XjFlcvwACG+/bc2Pn27UCiklRfgCNg036p7KFtkOq7rnIUfld0bk
SK1zNW/44s1RasFP1p9Jg7Sn5NMwDAWIPJ1e4gNyZn9Rio/FwaF2ryDNmqQB2reJ
9TGSHyklLQ8=
=CwvO
-----END PGP SIGNATURE-----


