[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon Add ldap parameters debug...
details:   https://anonhg.NetBSD.org/src/rev/d800bdea0a42
branches:  trunk
changeset: 946404:d800bdea0a42
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Wed Nov 25 18:11:00 2020 +0000
description:
Add ldap parameters debug and timeout.
Fix bug when using URI (use correct len for malloc)
Document ldap parameters uri, debug and timeout.
diffstat:
 crypto/dist/ipsec-tools/src/racoon/cfparse.y      |  22 +++++++++++++++++-
 crypto/dist/ipsec-tools/src/racoon/cftoken.l      |   4 ++-
 crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c |  27 +++++++++++++++++++---
 crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h |   4 ++-
 crypto/dist/ipsec-tools/src/racoon/racoon.conf.5  |  15 +++++++++++-
 5 files changed, 62 insertions(+), 10 deletions(-)
diffs (188 lines):
diff -r a700ef95c0c8 -r d800bdea0a42 crypto/dist/ipsec-tools/src/racoon/cfparse.y
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y      Wed Nov 25 16:42:53 2020 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y      Wed Nov 25 18:11:00 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $      */
+/*     $NetBSD: cfparse.y,v 1.53 2020/11/25 18:11:00 bouyer Exp $      */
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -296,7 +296,7 @@
        /* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
        /* ldap config */
-%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_DEBUG LDAP_TIMEOUT LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
        /* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,24 @@
 #endif
                }
                EOS
+       |       LDAP_DEBUG NUMBER
+               {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+                       xauth_ldap_config.debug = $2;
+#endif
+#endif
+               }
+               EOS
+       |       LDAP_TIMEOUT NUMBER
+               {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+                       xauth_ldap_config.timeout = $2;
+#endif
+#endif
+               }
+               EOS
        |       LDAP_URI QUOTEDSTRING
                {
 #ifdef ENABLE_HYBRID
diff -r a700ef95c0c8 -r d800bdea0a42 crypto/dist/ipsec-tools/src/racoon/cftoken.l
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l      Wed Nov 25 16:42:53 2020 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l      Wed Nov 25 18:11:00 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $      */
+/*     $NetBSD: cftoken.l,v 1.29 2020/11/25 18:11:00 bouyer Exp $      */
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -224,6 +224,8 @@
 <S_INI>ldapcfg         { BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 <S_LDAP>{bcl}          { return(BOC); }
 <S_LDAP>version                { YYD; return(LDAP_PVER); }
+<S_LDAP>debug          { YYD; return(LDAP_DEBUG); }
+<S_LDAP>timeout                { YYD; return(LDAP_TIMEOUT); }
 <S_LDAP>uri            { YYD; return(LDAP_URI); }
 <S_LDAP>host           { YYD; return(LDAP_HOST); }
 <S_LDAP>port           { YYD; return(LDAP_PORT); }
diff -r a700ef95c0c8 -r d800bdea0a42 crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Wed Nov 25 16:42:53 2020 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Wed Nov 25 18:11:00 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $ */
+/*     $NetBSD: isakmp_xauth.c,v 1.33 2020/11/25 18:11:00 bouyer Exp $ */
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -803,6 +803,8 @@
        int error = -1;
 
        xauth_ldap_config.pver = 3;
+       xauth_ldap_config.debug = 0;
+       xauth_ldap_config.timeout = -1;
        xauth_ldap_config.uri = NULL;
        xauth_ldap_config.host = NULL;
        xauth_ldap_config.port = LDAP_PORT;
@@ -896,7 +898,7 @@
        atlist[2] = NULL;
 
        if (xauth_ldap_config.uri != NULL) {
-               tmplen = strlen(xauth_ldap_config.host->v);
+               tmplen = strlen(xauth_ldap_config.uri->v);
                init = racoon_malloc(tmplen);
                if (init == NULL) {
                        plog(LLV_ERROR, LOCATION, NULL,
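Review bot: `tmplen` on the corrected line is the `strlen()` of the URI, which excludes the terminating NUL, so the `racoon_malloc(tmplen)` buffer on the next line is one byte too small to hold a NUL-terminated copy of that string. The copy into `init` lies below the hunk, so I cannot see which call performs it: with a size-bounded `snprintf(init, tmplen, ...)` the last character of the configured URI is silently dropped, with an unbounded copy it is a one-byte heap overwrite. Suggest `tmplen = strlen(xauth_ldap_config.uri->v) + 1;`, and the host/port branch further down (also outside the hunk) deserves the same accounting check. The enclosing function starts before and ends after this hunk.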
@@ -918,6 +920,9 @@
                        xauth_ldap_config.host->v,
                        xauth_ldap_config.port );
        }
+       /* initialize the debug level */
+       ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
+       ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
 
        plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
        /* initialize the ldap handle */
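Review bot: The return values of the two process-global `ldap_set_option()` / `ber_set_option()` calls added here are discarded, whereas the `LDAP_OPT_PROTOCOL_VERSION` call later in the same function checks for `LDAP_OPT_SUCCESS` and logs the failure; a rejected `debug` value is therefore silently ignored. Checking and logging without aborting keeps the behaviour best-effort: `if (ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug) != LDAP_OPT_SUCCESS) plog(LLV_WARNING, LOCATION, NULL, "LDAP_OPT_DEBUG_LEVEL %d failed\n", xauth_ldap_config.debug);` and the same shape for `ber_set_option()` against `LBER_OPT_SUCCESS`. The comment could also say that the NULL handle makes this a library-wide setting rather than one tied to `ld`, e.g. `/* library-wide (NULL handle) debug level for libldap and liblber */`. The enclosing function continues outside the hunk.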
@@ -933,12 +938,26 @@
        if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
                &xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
                plog(LLV_ERROR, LOCATION, NULL,
-                       "LDAP_OPT_PROTOCOL_VERSION %s failed: %s\n",
+                       "LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",
                        xauth_ldap_config.pver,
                        ldap_err2string(res));
                goto ldap_end;
        }
-               
+
+       if (xauth_ldap_config.timeout > 0) {
+               static struct timeval timeout;
+               timeout.tv_sec = xauth_ldap_config.timeout;
+               timeout.tv_usec = 0;
+               if ((res = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
+                       (void *)&timeout)) != LDAP_OPT_SUCCESS) {
+                       plog(LLV_ERROR, LOCATION, NULL,
+                               "LDAP_OPT_NETWORK_TIMEOUT %d failed: %s\n",
+                               xauth_ldap_config.timeout,
+                               ldap_err2string(res));
+                       goto ldap_end;
+               }
+       }
+
        /* Enable TLS */
        if (xauth_ldap_config.tls) {
                res = ldap_start_tls_s(ld, NULL, NULL);
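Review bot: `LDAP_OPT_NETWORK_TIMEOUT` bounds only the connect phase, so an LDAP server that accepts the TCP connection and then stalls can still block the synchronous bind and search that follow this block, and since racoon is single-threaded that holds up XAuth for every peer; applying the same value (or a separate knob) to `LDAP_OPT_TIMEOUT` would bound those calls as well, to be confirmed against the libldap version in use. Separately, `static struct timeval timeout` is unusual here: if libldap copies the timeval when the option is set, as OpenLDAP does to my recollection, an automatic `struct timeval timeout = { .tv_sec = xauth_ldap_config.timeout };` suffices and avoids a hidden persistent object. The `%s` to `%d` correction on the `pver` plog above is a genuine format-string fix, since `pver` is an `int`. The enclosing function continues outside the hunk.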
diff -r a700ef95c0c8 -r d800bdea0a42 crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h Wed Nov 25 16:42:53 2020 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h Wed Nov 25 18:11:00 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp_xauth.h,v 1.9 2020/11/25 16:42:53 bouyer Exp $  */
+/*     $NetBSD: isakmp_xauth.h,v 1.10 2020/11/25 18:11:00 bouyer Exp $ */
 
 /*     $KAME$ */
 
@@ -158,6 +158,8 @@
 
 struct xauth_ldap_config {
        int             pver;
+       int             debug;
+       int             timeout;
        vchar_t         *uri;
        vchar_t         *host;
        int             port;
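Review bot: The two new fields carry no comment on their units or unset value, and their semantics are only discoverable from isakmp_xauth.c in this same commit (initialised to 0 and -1; `timeout` applied as `tv_sec` only when > 0). Suggest `int debug;   /* libldap/liblber debug level, 0 = off */` and `int timeout; /* connect timeout in seconds; <= 0 keeps the libldap default */`, laid out like the neighbouring fields.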
diff -r a700ef95c0c8 -r d800bdea0a42 crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5  Wed Nov 25 16:42:53 2020 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5  Wed Nov 25 18:11:00 2020 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: racoon.conf.5,v 1.68 2018/10/13 15:38:28 maxv Exp $
+.\"    $NetBSD: racoon.conf.5,v 1.69 2020/11/25 18:11:00 bouyer Exp $
 .\"
 .\"    Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd October 13, 2018
+.Dd November 25, 2020
 .Dt RACOON.CONF 5
 .Os
 .\"
@@ -1349,6 +1349,14 @@
 The port that the ldap server is configured to listen on.
 The default is
 .Ic 389 .
+.It Ic uri Ar (ldapuri) ;
+URI(s) referring to the ldap server(s); a list of URI, separated by
+whitespace or commas.
+It takes precedence over
+.Ic host/port .
+.It Ic timeout Ar (number) ;
+network timeout connecting to the ldap server(s).
+The default is the default connect timeout from the underlying protocol.
 .It Ic tls (on | off) ;
 Use TLS with the ldap server.
 The default is
@@ -1393,6 +1401,9 @@
 The attribute used to specify group membership in an ldap directory.
 The default value is
 .Ic member .
+.It Ic debug Ar (number) ;
+Set ldap debug level.
+The default value is 0.
 .El
 .El
 .Ss Radius configuration settings