iley · June 10, 2014 06:57
diff --git a/inspircd_ldap_group.patch b/inspircd_ldap_group.patch
 diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp
 index 5b3f1e7..a7829c7 100644
 --- a/src/modules/extra/m_ldapauth.cpp
 +++ b/src/modules/extra/m_ldapauth.cpp
 @@ -104,6 +104,7 @@ class ModuleLDAPAuth : public Module
 	std::string username;
 	std::string password;
 	std::string vhost;
 +	std::string group;
 	std::vector<std::string> whitelistedcidrs;
 	std::vector<std::pair<std::string, std::string> > requiredattributes;
 	int searchscope;
 @@ -151,6 +152,7 @@ public:
 		vhost			= tag->getString("host");
 		verbose			= tag->getBool("verbose");		/* Set to true if failed connects should be reported to operators */
 		useusername		= tag->getBool("userfield");
 +		group 			= tag->getString("group");
 
 		ConfigTagList whitelisttags = ServerInstance->Config->ConfTags("ldapwhitelist");
 
 @@ -309,8 +311,10 @@ public:
 			}
 		}
 
 +		std::string ldapuser = (useusername ? user->ident : user->nick);
 +
 		RAIILDAPMessage msg;
 -		std::string what = (attribute + "=" + (useusername ? user->ident : user->nick));
 +		std::string what = (attribute + "=" + ldapuser);
 		if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS)
 		{
 			// Do a second search, based on password, if it contains a :
 @@ -417,6 +421,34 @@ public:
 			ldapVhost.set(user, SafeReplace(vhost, dnParts));
 		}
 
 +		if (!group.empty())
 +		{
 +			RAIILDAPMessage group_msg;
 +			std::string filter = "(&(" + group + ")(memberUid=" + ldapuser + "))";
 +
 +			res = ldap_search_ext_s(conn, base.c_str(), searchscope, filter.c_str(), NULL, 0, NULL, NULL, NULL, 0, &group_msg);
 +			if (res != LDAP_SUCCESS)
 +			{
 +				if (verbose)
 +					ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search failed: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
 +				return false;
 +			}
 +
 +			if (ldap_count_entries(conn, group_msg) > 1)
 +			{
 +				if (verbose)
 +					ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search returned more than one result: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
 +				return false;
 +			}
 +
 +			if (ldap_first_entry(conn, group_msg) == NULL)
 +			{
 +				if (verbose)
 +					ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search returned no results: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
 +				return false;
 +			}
 +		}
 +
 		ldapAuthed.set(user,1);
 		return true;
 	}
	diff --git a/src/modules/extra/m_ldapauth.cpp b/src/modules/extra/m_ldapauth.cpp
	index 5b3f1e7..a7829c7 100644
	--- a/src/modules/extra/m_ldapauth.cpp
	+++ b/src/modules/extra/m_ldapauth.cpp
	@@ -104,6 +104,7 @@ class ModuleLDAPAuth : public Module
	std::string username;
	std::string password;
	std::string vhost;
	+ std::string group;
	std::vector<std::string> whitelistedcidrs;
	std::vector<std::pair<std::string, std::string> > requiredattributes;
	int searchscope;
	@@ -151,6 +152,7 @@ public:
	vhost = tag->getString("host");
	verbose = tag->getBool("verbose"); /* Set to true if failed connects should be reported to operators */
	useusername = tag->getBool("userfield");
	+ group = tag->getString("group");

	ConfigTagList whitelisttags = ServerInstance->Config->ConfTags("ldapwhitelist");

	@@ -309,8 +311,10 @@ public:
	}
	}

	+ std::string ldapuser = (useusername ? user->ident : user->nick);
	+
	RAIILDAPMessage msg;
	- std::string what = (attribute + "=" + (useusername ? user->ident : user->nick));
	+ std::string what = (attribute + "=" + ldapuser);
	if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS)
	{
	// Do a second search, based on password, if it contains a :
	@@ -417,6 +421,34 @@ public:
	ldapVhost.set(user, SafeReplace(vhost, dnParts));
	}

	+ if (!group.empty())
	+ {
	+ RAIILDAPMessage group_msg;
	+ std::string filter = "(&(" + group + ")(memberUid=" + ldapuser + "))";
	+
	+ res = ldap_search_ext_s(conn, base.c_str(), searchscope, filter.c_str(), NULL, 0, NULL, NULL, NULL, 0, &group_msg);
	+ if (res != LDAP_SUCCESS)
	+ {
	+ if (verbose)
	+ ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search failed: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
	+ return false;
	+ }
	+
	+ if (ldap_count_entries(conn, group_msg) > 1)
	+ {
	+ if (verbose)
	+ ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search returned more than one result: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
	+ return false;
	+ }
	+
	+ if (ldap_first_entry(conn, group_msg) == NULL)
	+ {
	+ if (verbose)
	+ ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP group search returned no results: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
	+ return false;
	+ }
	+ }
	+
	ldapAuthed.set(user,1);
	return true;
	}