-rw-r--r--.SRCINFO37
-rw-r--r--.gitignore4
-rw-r--r--PKGBUILD80
-rw-r--r--auth-ldap-2.0.3-README.patch38
-rw-r--r--auth-ldap-2.0.3-STARTTLS_before_auth.patch52
-rw-r--r--auth-ldap-2.0.3-gnustep.patch201
-rw-r--r--auth-ldap-2.0.3-remoteAddress.patch38
-rw-r--r--auth-ldap-2.0.3-rfc2307.patch273
-rw-r--r--auth-ldap-2.0.3-tools-CFLAGS.patch11
9 files changed, 687 insertions, 47 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 33ca8067947d..5694b7a45991 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,21 +1,36 @@
# Generated by mksrcinfo v8
-# Sun May 29 11:24:55 UTC 2016
+# Sun May 29 11:27:25 UTC 2016
pkgbase = openvpn-auth-ldap
- pkgdesc = LDAP authentication plugin for openvpn
+ pkgdesc = OpenVPN Auth via LDAP/AD plugin. RFC2307 support.
pkgver = 2.0.3
- pkgrel = 4
- url = http://code.google.com/p/openvpn-auth-ldap/
- arch = i686
- arch = x86_64
+ pkgrel = 5
+ url = https://github.com/threerings/openvpn-auth-ldap
+ arch = any
license = BSD
makedepends = gcc-objc
+ makedepends = gnustep-base
makedepends = re2c
+ makedepends = doxygen
+ makedepends = autoconf
+ makedepends = libldap
depends = openvpn
- backup = etc/openvpn/plugins/auth-ldap.conf
- source = http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-2.0.3.tar.gz
- source = http://ftp.de.debian.org/debian/pool/main/o/openvpn-auth-ldap/openvpn-auth-ldap_2.0.3-5.1.debian.tar.gz
- sha1sums = f03bee8848229825efe42349b5278dad34e5dadf
- sha1sums = 1f5ee27a8089ff2ae456261f812b40d18fe6bd5c
+ depends = gnustep-base
+ depends = libldap
+ backup = etc/openvpn/auth-ldap.conf
+ source = openvpn-auth-ldap.tar.gz::https://github.com/threerings/openvpn-auth-ldap/archive/auth-ldap-2.0.3.tar.gz
+ source = auth-ldap-2.0.3-STARTTLS_before_auth.patch
+ source = auth-ldap-2.0.3-README.patch
+ source = auth-ldap-2.0.3-tools-CFLAGS.patch
+ source = auth-ldap-2.0.3-gnustep.patch
+ source = auth-ldap-2.0.3-remoteAddress.patch
+ source = auth-ldap-2.0.3-rfc2307.patch
+ sha256sums = 3bafd6733513d8d824cfc84e308dfa91b2ed021b67892fc7488962cb9f94d283
+ sha256sums = a04bf0e2bbdc364a61df0521fc44ec58550e40a363fdb0fa7b1f666386dfa291
+ sha256sums = c82a36fa3242ff6f6e4ee6aedbe85ad557f4ea56b2f91ba0cb72672bf08d8b73
+ sha256sums = 40d463bcd50995edd4b052ce4a3c88243b1602214b5df7c60fd0b83418f92371
+ sha256sums = a67f846c6ad4a06fc2b48656a16067094ad903e5afa73736a6f865459a8055a9
+ sha256sums = 7e2a68566f8cf056ee0977245789ccda7d0155165711da16e33da46a8a07f9cb
+ sha256sums = ba7b00697baaebab9bf303bc5fd84f8da355115fa94ceb9884bc1c5c24aca4c0
pkgname = openvpn-auth-ldap
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..8b0760615c8b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+pkg/*
+src/*
+*.tar.*
+ipt_ndpi/*
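Review bot: The `ipt_ndpi/*` entry on the last line does not match anything this package produces — the tarball extracts under `src/` and the build output lands in `pkg/`, both already covered above it — so it looks carried over from another PKGBUILD's .gitignore. Dropping that line keeps the ignore list limited to paths this repository actually generates.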
diff --git a/PKGBUILD b/PKGBUILD
index e8b901acbaf5..d4807cb69304 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,49 +1,57 @@
-pkgname=openvpn-auth-ldap
-pkgver=2.0.3
-_debpkgver=2.0.3-5.1
-pkgrel=4
-pkgdesc="LDAP authentication plugin for openvpn"
-arch=(i686 x86_64)
-url="http://code.google.com/p/openvpn-auth-ldap/"
+# Maintainer: Shalygin Konstantin <k0ste@k0ste.ru>
+# Contributor: Shalygin Konstantin <k0ste@k0ste.ru>
+
+_ldap='auth-ldap'
+pkgname='openvpn-auth-ldap'
+pkgver='2.0.3'
+pkgrel='5'
+pkgdesc='OpenVPN Auth via LDAP/AD plugin. RFC2307 support.'
+arch=('any')
+url='https://github.com/threerings/openvpn-auth-ldap'
license=('BSD')
-depends=('openvpn')
-makedepends=('gcc-objc' 're2c')
-backup=(etc/openvpn/plugins/auth-ldap.conf)
-source=(http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-$pkgver.tar.gz
- http://ftp.de.debian.org/debian/pool/main/o/openvpn-auth-ldap/openvpn-auth-ldap_$_debpkgver.debian.tar.gz)
-sha1sums=('f03bee8848229825efe42349b5278dad34e5dadf'
- '1f5ee27a8089ff2ae456261f812b40d18fe6bd5c')
+depends=('openvpn' 'gnustep-base' 'libldap')
+makedepends=('gcc-objc' 'gnustep-base' 're2c' 'doxygen' 'autoconf' 'libldap')
+source=("${pkgname}.tar.gz::${url}/archive/${_ldap}-${pkgver}.tar.gz"
+ "auth-ldap-2.0.3-STARTTLS_before_auth.patch"
+ "auth-ldap-2.0.3-README.patch"
+ "auth-ldap-2.0.3-tools-CFLAGS.patch"
+ "auth-ldap-2.0.3-gnustep.patch"
+ "auth-ldap-2.0.3-remoteAddress.patch"
+ "auth-ldap-2.0.3-rfc2307.patch")
+sha256sums=('3bafd6733513d8d824cfc84e308dfa91b2ed021b67892fc7488962cb9f94d283'
+ 'a04bf0e2bbdc364a61df0521fc44ec58550e40a363fdb0fa7b1f666386dfa291'
+ 'c82a36fa3242ff6f6e4ee6aedbe85ad557f4ea56b2f91ba0cb72672bf08d8b73'
+ '40d463bcd50995edd4b052ce4a3c88243b1602214b5df7c60fd0b83418f92371'
+ 'a67f846c6ad4a06fc2b48656a16067094ad903e5afa73736a6f865459a8055a9'
+ '7e2a68566f8cf056ee0977245789ccda7d0155165711da16e33da46a8a07f9cb'
+ 'ba7b00697baaebab9bf303bc5fd84f8da355115fa94ceb9884bc1c5c24aca4c0')
+backup=("etc/openvpn/auth-ldap.conf")
prepare() {
- cd "$srcdir/auth-ldap-$pkgver"
+ cd "${srcdir}/${pkgname}-${_ldap}-${pkgver}"
- for f in $(< "$srcdir/debian/patches/series"); do
- msg2 "Applying $f"
- patch -Np1 < "$srcdir/debian/patches/$f"
- done
+ patch -p1 -i "${srcdir}/auth-ldap-2.0.3-STARTTLS_before_auth.patch"
+ patch -p1 -i "${srcdir}/auth-ldap-2.0.3-README.patch"
+ patch -p1 -i "${srcdir}/auth-ldap-2.0.3-tools-CFLAGS.patch"
+ patch -p0 -i "${srcdir}/auth-ldap-2.0.3-gnustep.patch"
+ patch -p1 -i "${srcdir}/auth-ldap-2.0.3-remoteAddress.patch"
+ patch -p1 -i "${srcdir}/auth-ldap-2.0.3-rfc2307.patch"
- msg2 "Fixing tests/Makefile.in"
- sed -i 's#{top_builddir}src#{top_builddir}/src#' tests/Makefile.in
+ autoreconf
+ autoheader
+ ./configure \
+ --prefix=/usr \
+ --with-openvpn=/usr/include \
+ --with-objc-runtime=modern
}
build() {
- cd "$srcdir/auth-ldap-$pkgver"
-
- export OBJCFLAGS=-fobjc-abi-version=2
- ./configure \
- --prefix=/usr \
- --with-openvpn=/usr/include \
- --with-objc-runtime=GNU ;
+ cd "${srcdir}/${pkgname}-${_ldap}-${pkgver}"
make
}
package() {
- cd "$srcdir/auth-ldap-$pkgver"
-
- install -Dm0755 src/openvpn-auth-ldap.so "$pkgdir/usr/lib/openvpn/openvpn-auth-ldap.so"
- install -Dm0644 README "$pkgdir/usr/share/doc/$pkgname/README"
- install -Dm0644 auth-ldap.conf "$pkgdir/etc/openvpn/plugins/auth-ldap.conf"
- install -Dm0644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+ cd "${srcdir}/${pkgname}-${_ldap}-${pkgver}"
+ install -Dm775 "src/${pkgname}.so" "${pkgdir}/usr/lib/openvpn/plugins/${pkgname}.so"
+ install -Dm400 "${_ldap}.conf" "${pkgdir}/etc/openvpn/${_ldap}.conf"
}
-
-# vim: ts=2:sw=2:et
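Review bot: `arch=('any')` is wrong for this package: package() installs a compiled Objective-C shared object (`src/${pkgname}.so`), so the package is architecture-specific and should keep `arch=('i686' 'x86_64')` as the removed line had it. The new `install -Dm775` makes a plugin library loaded by the OpenVPN daemon group-writable; `install -Dm755 "src/${pkgname}.so" "${pkgdir}/usr/lib/openvpn/plugins/${pkgname}.so"` is the conventional mode and drops that write bit. The rewrite also removed the LICENSE install that the old package() had; the package is BSD-licensed, so `install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"` should be restored. Minor: `gnustep-base` and `libldap` appear in both depends and makedepends, and `./configure` is now run from prepare() rather than build(), which is where the build step conventionally lives.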
diff --git a/auth-ldap-2.0.3-README.patch b/auth-ldap-2.0.3-README.patch
new file mode 100644
index 000000000000..60b1e9d4b893
--- /dev/null
+++ b/auth-ldap-2.0.3-README.patch
@@ -0,0 +1,38 @@
+diff -Naupr auth-ldap-2.0.3.orig/README auth-ldap-2.0.3/README
+--- auth-ldap-2.0.3.orig/README 2006-07-27 03:42:06.000000000 +0200
++++ auth-ldap-2.0.3/README 2007-06-21 11:34:26.000000000 +0200
+@@ -6,31 +6,11 @@ LDAP.
+ You may send patches, bug reports, and complaints to:
+ landonf@threerings.net
+
+-REQUIREMENTS
+-
+-* OpenLDAP Headers & Library
+-* GNU Objective-C Compiler
+-* OpenVPN Plugin Header (included with the OpenVPN sources)
+-* re2c (http://www.re2c.org)
+-
+-BUILD
+-
+-To build, you will need to configure the sources appropriately. Example:
+- ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2
+-
+-The module will be build in src/openvpn-auth-ldap.so and installed as
+-${prefix}/lib/openvpn-auth-ldap.so.
+-
+ USAGE
+
+-Add the following to your OpenVPN configuration file (adjusting
+-the plugin path as required):
+-
+- plugin /usr/local/lib/openvpn-auth-ldap.so "<config>"
++Add the following to your OpenVPN configuration file :
+
+-The config directive must point to an auth-ldap configuration file.
+-An example is provided with the distribution.
++plugin /usr/local/lib/openvpn-auth-ldap.so "<config>"
+
+-CAVEATS
++The sample configuration is provided with the distribution.
+
+-This plugin only works with the OpenLDAP libraries.
diff --git a/auth-ldap-2.0.3-STARTTLS_before_auth.patch b/auth-ldap-2.0.3-STARTTLS_before_auth.patch
new file mode 100644
index 000000000000..32f00d4f0d79
--- /dev/null
+++ b/auth-ldap-2.0.3-STARTTLS_before_auth.patch
@@ -0,0 +1,52 @@
+Description: Run STARTTLS *before* sending auth data
+ Avoid sending authentication data in clear if STARTTLS is available.
+Author: Andre Pawlowski <sqall@h4des.org>
+Bug: http://code.google.com/p/openvpn-auth-ldap/issues/detail?id=28
+Bug-Debian: http://bugs.debian.org/610339
+Forwarded: http://code.google.com/p/openvpn-auth-ldap/issues/detail?id=28
+Reviewed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
+Last-Update: 2012-02-20
+
+Index: openvpn-auth-ldap/src/auth-ldap.m
+===================================================================
+--- openvpn-auth-ldap.orig/src/auth-ldap.m 2014-07-25 12:48:50.067688930 +0200
++++ openvpn-auth-ldap/src/auth-ldap.m 2014-07-25 12:48:50.063688930 +0200
+@@ -307,21 +307,13 @@
+ goto error;
+ }
+
+- /* Bind if requested */
+- if ([config bindDN]) {
+- if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) {
+- [TRLog error: "Unable to bind as %s", [[config bindDN] cString]];
+- goto error;
+- }
+- }
+-
+ /* Certificate file */
+- if ((value = [config tlsCACertFile]))
++ if ((value = [config tlsCACertFile]))
+ if (![ldap setTLSCACertFile: value])
+ goto error;
+
+ /* Certificate directory */
+- if ((value = [config tlsCACertDir]))
++ if ((value = [config tlsCACertDir]))
+ if (![ldap setTLSCACertDir: value])
+ goto error;
+
+@@ -340,6 +332,14 @@
+ if (![ldap startTLS])
+ goto error;
+
++ /* Bind if requested */
++ if ([config bindDN]) {
++ if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) {
++ [TRLog error: "Unable to bind as %s", [[config bindDN] cString]];
++ goto error;
++ }
++ }
++
+ return ldap;
+
+ error:
diff --git a/auth-ldap-2.0.3-gnustep.patch b/auth-ldap-2.0.3-gnustep.patch
new file mode 100644
index 000000000000..970060f99377
--- /dev/null
+++ b/auth-ldap-2.0.3-gnustep.patch
@@ -0,0 +1,201 @@
+Index: aclocal.m4
+===================================================================
+--- aclocal.m4 (revision 1378)
++++ aclocal.m4 (working copy)
+@@ -1,4 +1,3 @@
+-builtin(include,objc.m4)
+ builtin(include,pthread.m4)
+ builtin(include,platform.m4)
+ builtin(include,check.m4)
+@@ -23,7 +22,7 @@
+ # Result is cached.
+ #
+ # Defines one of the following preprocessor macros:
+-# APPLE_RUNTIME GNU_RUNTIME
++# APPLE_RUNTIME GNU_RUNTIME MODERN_RUNTIME
+ #
+ # Substitutes the following variables:
+ # OBJC_RUNTIME OBJC_RUNTIME_FLAGS OBJC_LIBS
+@@ -31,7 +30,7 @@
+ #------------------------------------------------------------------------
+ AC_DEFUN([OD_OBJC_RUNTIME],[
+ AC_REQUIRE([AC_PROG_OBJC])
+- AC_ARG_WITH(objc-runtime, AC_HELP_STRING([--with-objc-runtime], [Specify either "GNU" or "apple"]), [with_objc_runtime=${withval}])
++ AC_ARG_WITH(objc-runtime, AC_HELP_STRING([--with-objc-runtime], [Specify either "GNU", "apple", or "modern"]), [with_objc_runtime=${withval}])
+
+ if test x"${with_objc_runtime}" != x; then
+ case "${with_objc_runtime}" in
+@@ -39,8 +38,10 @@
+ ;;
+ apple)
+ ;;
++ modern)
++ ;;
+ *)
+- AC_MSG_ERROR([${with_objc_runtime} is not a valid argument to --with-objc-runtime. Please specify either "GNU" or "apple"])
++ AC_MSG_ERROR([${with_objc_runtime} is not a valid argument to --with-objc-runtime. Please specify either "GNU", "apple", or "modern"])
+ ;;
+ esac
+ fi
+@@ -174,6 +175,33 @@
+ od_cv_objc_runtime_gnu="no"
+ fi
+
++ if test x"${with_objc_runtime}" = x || test x"${with_objc_runtime}" = x"modern"; then
++ AC_MSG_CHECKING([for Modern Objective C runtime])
++ AC_CACHE_VAL(od_cv_objc_runtime_modern, [
++ # The following uses quadrigraphs
++ # '@<:@' = '['
++ # '@:>@' = ']'
++ AC_LINK_IFELSE([
++ AC_LANG_PROGRAM([
++ #include <objc/objc.h>
++ #include <objc/runtime.h>
++ ], [
++ id class = objc_lookUpClass("NSObject");
++ id obj = @<:@class alloc@:>@;
++ puts(@<:@obj name@:>@);
++ ])
++ ], [
++ od_cv_objc_runtime_modern="yes"
++ ], [
++ od_cv_objc_runtime_modern="no"
++ ]
++ )
++ ])
++ AC_MSG_RESULT(${od_cv_objc_runtime_modern})
++ else
++ od_cv_objc_runtime_modern="no"
++ fi
++
+ # Apple runtime is prefered
+ if test x"${od_cv_objc_runtime_apple}" = x"yes"; then
+ OBJC_RUNTIME="APPLE_RUNTIME"
+@@ -185,6 +213,16 @@
+ OBJC_RUNTIME_FLAGS="-fgnu-runtime"
+ AC_MSG_NOTICE([Using GNU Objective-C runtime])
+ AC_DEFINE([GNU_RUNTIME], 1, [Define if using the GNU Objective-C runtime and compiler.])
++ elif test x"${od_cv_objc_runtime_modern}" = x"yes"; then
++ OBJC_RUNTIME="MODERN_RUNTIME"
++ case "${target_os}" in
++ linux*) OBJC_RUNTIME_FLAGS="-fgnu-runtime"
++ OBJC_LIBS="-lgnustep-base ${OBJC_LIBS}";;
++ darwin*) OBJC_RUNTIME_FLAGS="-fnext-runtime"
++ LDFLAGS="-framework Foundation ${LDFLAGS}";;
++ esac
++ AC_MSG_NOTICE([Using Modern Objective-C runtime])
++ AC_DEFINE([MODERN_RUNTIME], 1, [Define if using the Modern Objective-C runtime and compiler.])
+ else
+ AC_MSG_FAILURE([Could not locate a working Objective-C runtime.])
+ fi
+Index: src/TRObject.h
+===================================================================
+--- src/TRObject.h (revision 1378)
++++ src/TRObject.h (working copy)
+@@ -40,7 +40,11 @@
+ #endif
+
+ #include <stdbool.h>
++#ifdef MODERN_RUNTIME
++#include <Foundation/NSObject.h>
++#else
+ #include <objc/Object.h>
++#endif
+
+ #include "auth-ldap.h"
+
+@@ -54,7 +58,11 @@
+ @end
+
+
++#ifdef MODERN_RUNTIME
++@interface TRObject : NSObject <TRObject> {
++#else
+ @interface TRObject : Object <TRObject> {
++#endif
+ unsigned int _refCount;
+ }
+
+Index: src/TRObject.m
+===================================================================
+--- src/TRObject.m (revision 1378)
++++ src/TRObject.m (working copy)
+@@ -53,9 +53,11 @@
+ * Additionally, we implement brain-dead, non-thread-safe
+ * reference counting.
+ */
++#ifndef MODERN_RUNTIME
+ @interface Object (AppleAddedAReallyStupidGCCWarning)
+ - (void) dealloc;
+ @end
++#endif
+
+ @implementation TRObject
+
+@@ -69,7 +71,11 @@
+ }
+
+ - (void) dealloc {
++#ifdef MODERN_RUNTIME
++ [super dealloc];
++#else
+ [super free];
++#endif
+
+ /* Make Apple's objc compiler be quiet */
+ if (false)
+Index: src/auth-ldap.m
+===================================================================
+--- src/auth-ldap.m (revision 1378)
++++ src/auth-ldap.m (working copy)
+@@ -48,6 +48,9 @@
+ #include <TRPacketFilter.h>
+ #include <TRPFAddress.h>
+ #include <TRLog.h>
++#ifdef MODERN_RUNTIME
++#include <Foundation/NSAutoreleasePool.h>
++#endif
+
+ /* Plugin Context */
+ typedef struct ldap_ctx {
+@@ -267,7 +270,6 @@
+ }
+ #endif
+
+-
+ *type = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) |
+ OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT);
+@@ -550,6 +552,10 @@
+ TRLDAPEntry *ldapUser = nil;
+ int ret = OPENVPN_PLUGIN_FUNC_ERROR;
+
++#ifdef MODERN_RUNTIME
++ NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
++#endif
++
+ username = get_env("username", envp);
+ password = get_env("password", envp);
+ remoteAddress = get_env("ifconfig_pool_remote_ip", envp);
+@@ -613,5 +619,8 @@
+ [ldapUser release];
+ if (ldap)
+ [ldap release];
++#ifdef MODERN_RUNTIME
++ [pool drain];
++#endif
+ return (ret);
+ }
+Index: tests/Makefile.in
+===================================================================
+--- tests/Makefile.in (revision 1378)
++++ tests/Makefile.in (working copy)
+@@ -26,7 +26,7 @@
+ CFLAGS+= @CHECK_CFLAGS@ -DTEST_DATA=\"${srcdir}/data\"
+ OBJCFLAGS+= @CHECK_CFLAGS@ -DTEST_DATA=\"${srcdir}/data\"
+ LIBS+= -lauth-ldap-testing $(OBJC_LIBS) $(LDAP_LIBS) @CHECK_LIBS@
+-LDFLAGS+= -L${top_builddir}src $(LIBS)
++LDFLAGS+= -L${top_builddir}/src $(LIBS)
+
+ # Recompile the tests every time
+ all: tests
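Review bot: The modern-runtime probe added to aclocal.m4 calls `puts()` but its prologue includes only `<objc/objc.h>` and `<objc/runtime.h>`, so the test program relies on an implicit declaration; on a compiler that treats implicit function declarations as errors the AC_LINK_IFELSE fails, `od_cv_objc_runtime_modern` becomes "no", and configure ends in "Could not locate a working Objective-C runtime" even though the runtime is present. Adding `#include <stdio.h>` to the probe's prologue removes that dependency on compiler leniency. In src/auth-ldap.m the only `[pool drain]` sits immediately before the final `return (ret)`; if any exit between the pool's creation and that point leaves openvpn_plugin_func_v1 early, the pool is not drained — the function body is mostly outside the hunk, so this is worth confirming rather than assumed.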
diff --git a/auth-ldap-2.0.3-remoteAddress.patch b/auth-ldap-2.0.3-remoteAddress.patch
new file mode 100644
index 000000000000..50220a43ec05
--- /dev/null
+++ b/auth-ldap-2.0.3-remoteAddress.patch
@@ -0,0 +1,38 @@
+diff -Naupr auth-ldap-2.0.3.orig/src/auth-ldap.m auth-ldap-2.0.3/src/auth-ldap.m
+--- auth-ldap-2.0.3.orig/src/auth-ldap.m 2007-01-22 19:50:42.000000000 +0100
++++ auth-ldap-2.0.3/src/auth-ldap.m 2009-04-29 13:21:06.000000000 +0200
+@@ -533,7 +533,10 @@
+ }
+
+ if (tableName)
+- if (!pf_client_connect_disconnect(ctx, tableName, remoteAddress, connecting))
++ if (!remoteAddress) {
++ [TRLog debug: "No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT)."];
++ return OPENVPN_PLUGIN_FUNC_ERROR;
++ } else if (!pf_client_connect_disconnect(ctx, tableName, remoteAddress, connecting))
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ #endif /* HAVE_PF */
+
+@@ -587,20 +590,10 @@
+ break;
+ /* New connection established */
+ case OPENVPN_PLUGIN_CLIENT_CONNECT:
+- if (!remoteAddress) {
+- [TRLog debug: "No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT)."];
+- ret = OPENVPN_PLUGIN_FUNC_ERROR;
+- } else {
+- ret = handle_client_connect_disconnect(ctx, ldap, ldapUser, remoteAddress, YES);
+- }
++ ret = handle_client_connect_disconnect(ctx, ldap, ldapUser, remoteAddress, YES);
+ break;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+- if (!remoteAddress) {
+- [TRLog debug: "No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_DISCONNECT)."];
+- ret = OPENVPN_PLUGIN_FUNC_ERROR;
+- } else {
+- ret = handle_client_connect_disconnect(ctx, ldap, ldapUser, remoteAddress, NO);
+- }
++ ret = handle_client_connect_disconnect(ctx, ldap, ldapUser, remoteAddress, NO);
+ break;
+ default:
+ [TRLog debug: "Unhandled plugin type in OpenVPN LDAP Plugin (type=%d)", type];
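Review bot: The log message in the relocated check names OPENVPN_PLUGIN_CLIENT_CONNECT, but handle_client_connect_disconnect is also the disconnect path (the second hunk now calls it with `NO` too), so the message is misleading when the address is missing on disconnect; since TRLog takes a format string, `[TRLog debug: "No remote address supplied to OpenVPN LDAP Plugin (%s).", connecting ? "CLIENT_CONNECT" : "CLIENT_DISCONNECT"]` keeps it accurate. The new `if (tableName) if (!remoteAddress) { … } else if (!pf_client_connect_disconnect(…))` relies on dangling-else binding to the inner `if`; braces around the outer body would make that intent explicit. Note that after this change a missing `ifconfig_pool_remote_ip` is an error only when a PF table is configured and HAVE_PF is defined — presumably the intent, but a one-line comment stating that the address is required solely for the pf table update would keep it from being read as a lost check.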
diff --git a/auth-ldap-2.0.3-rfc2307.patch b/auth-ldap-2.0.3-rfc2307.patch
new file mode 100644
index 000000000000..14e79e26276c
--- /dev/null
+++ b/auth-ldap-2.0.3-rfc2307.patch
@@ -0,0 +1,273 @@
+diff -Naupr auth-ldap-2.0.3.orig/auth-ldap.conf auth-ldap-2.0.3/auth-ldap.conf
+--- auth-ldap-2.0.3.orig/auth-ldap.conf 2007-01-23 00:50:42.000000000 +0600
++++ auth-ldap-2.0.3/auth-ldap.conf 2015-06-14 16:02:26.496989160 +0600
+@@ -47,6 +47,9 @@
+ #PFTable ips_vpn_users
+
+ <Group>
++ # Match full user DN if true, uid only if false
++ RFC2307bis true
++
+ BaseDN "ou=Groups,dc=example,dc=com"
+ SearchFilter "(|(cn=developers)(cn=artists))"
+ MemberAttribute uniqueMember
+diff -Naupr auth-ldap-2.0.3.orig/src/auth-ldap.m auth-ldap-2.0.3/src/auth-ldap.m
+--- auth-ldap-2.0.3.orig/src/auth-ldap.m 2015-06-14 16:01:38.000000000 +0600
++++ auth-ldap-2.0.3/src/auth-ldap.m 2015-06-14 16:02:26.496989160 +0600
+@@ -411,6 +411,7 @@ static TRLDAPGroupConfig *find_ldap_grou
+ TREnumerator *entryIter;
+ TRLDAPEntry *entry;
+ TRLDAPGroupConfig *result = nil;
++ int userNameLength;
+
+ /*
+ * Groups are loaded into the array in the order that they are listed
+@@ -428,15 +429,27 @@ static TRLDAPGroupConfig *find_ldap_grou
+ /* Error occured, all stop */
+ if (!ldapEntries)
+ break;
+-
+- /* Iterate over the returned entries */
+- entryIter = [ldapEntries objectEnumerator];
+- while ((entry = [entryIter nextObject]) != nil) {
+- if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) {
+- /* Group match! */
+- result = groupConfig;
++ if ([groupConfig memberRFC2307BIS]) {
++ /* Iterate over the returned entries */
++ entryIter = [ldapEntries objectEnumerator];
++
++ while ((entry = [entryIter nextObject]) != nil) {
++ if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) {
++ /* Group match! */
++ result = groupConfig;
++ }
++ }
++ } else {
++ /* Iterate over the returned entries */
++ entryIter = [ldapEntries objectEnumerator];
++ while ((entry = [entryIter nextObject]) != nil) {
++ if ([ldap compare: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser rdn]]) {
++ /* Group match! */
++ result = groupConfig;
++ }
+ }
+ }
++
+ [entryIter release];
+ [ldapEntries release];
+ if (result)
+@@ -560,6 +573,7 @@ openvpn_plugin_func_v1(openvpn_plugin_ha
+ #endif
+
+ username = get_env("username", envp);
++ LFString *userName=[[LFString alloc]initWithCString: username];
+ password = get_env("password", envp);
+ remoteAddress = get_env("ifconfig_pool_remote_ip", envp);
+
+@@ -577,6 +591,7 @@ openvpn_plugin_func_v1(openvpn_plugin_ha
+
+ /* Find the user record */
+ ldapUser = find_ldap_user(ldap, ctx->config, username);
++ [ldapUser setRDN: userName];
+ if (!ldapUser) {
+ /* No such user. */
+ [TRLog warning: "LDAP user \"%s\" was not found.", username];
+diff -Naupr auth-ldap-2.0.3.orig/src/LFAuthLDAPConfig.m auth-ldap-2.0.3/src/LFAuthLDAPConfig.m
+--- auth-ldap-2.0.3.orig/src/LFAuthLDAPConfig.m 2007-01-23 00:50:42.000000000 +0600
++++ auth-ldap-2.0.3/src/LFAuthLDAPConfig.m 2015-06-14 16:02:26.497989147 +0600
+@@ -79,6 +79,7 @@ typedef enum {
+
+ /* Group Section Variables */
+ LF_GROUP_MEMBER_ATTRIBUTE, /* Group Membership Attribute */
++ LF_GROUP_MEMBER_RFC2307BIS, /* Look for full DN for user in attribute */
+
+ /* Misc Shared */
+ LF_UNKNOWN_OPCODE, /* Unknown Opcode */
+@@ -146,6 +147,7 @@ static OpcodeTable AuthSectionVariables[
+ static OpcodeTable GroupSectionVariables[] = {
+ /* name opcode multi required */
+ { "MemberAttribute", LF_GROUP_MEMBER_ATTRIBUTE, NO, NO },
++ { "RFC2307bis", LF_GROUP_MEMBER_RFC2307BIS, NO, NO },
+ { NULL, 0 }
+ };
+
+@@ -696,12 +698,22 @@ error:
+
+ switch(opcodeEntry->opcode) {
+ TRLDAPGroupConfig *config;
++ BOOL memberRFC2307BIS;
+
+ case LF_GROUP_MEMBER_ATTRIBUTE:
+ config = [self currentSectionContext];
+ [config setMemberAttribute: [value string]];
+ break;
+
++ case LF_GROUP_MEMBER_RFC2307BIS:
++ config = [self currentSectionContext];
++ if (![value boolValue: &memberRFC2307BIS]) {
++ [self errorBoolValue: value];
++ return;
++ }
++ [config setMemberRFC2307BIS: memberRFC2307BIS];
++ break;
++
+ case LF_LDAP_BASEDN:
+ config = [self currentSectionContext];
+ [config setBaseDN: [value string]];
+diff -Naupr auth-ldap-2.0.3.orig/src/LFLDAPConnection.h auth-ldap-2.0.3/src/LFLDAPConnection.h
+--- auth-ldap-2.0.3.orig/src/LFLDAPConnection.h 2007-01-23 00:50:42.000000000 +0600
++++ auth-ldap-2.0.3/src/LFLDAPConnection.h 2015-06-14 16:02:26.497989147 +0600
+@@ -56,6 +56,7 @@
+ baseDN: (LFString *) base
+ attributes: (TRArray *) attributes;
+ - (BOOL) compareDN: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value;
++- (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value;
+
+ - (BOOL) setReferralEnabled: (BOOL) enabled;
+ - (BOOL) setTLSCACertFile: (LFString *) fileName;
+diff -Naupr auth-ldap-2.0.3.orig/src/LFLDAPConnection.m auth-ldap-2.0.3/src/LFLDAPConnection.m
+--- auth-ldap-2.0.3.orig/src/LFLDAPConnection.m 2007-03-23 02:09:51.000000000 +0600
++++ auth-ldap-2.0.3/src/LFLDAPConnection.m 2015-06-14 16:02:26.497989147 +0600
+@@ -405,6 +405,50 @@ finish:
+ return NO;
+ }
+
++- (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value {
++ struct timeval timeout;
++ LDAPMessage *res;
++ struct berval bval;
++ int err;
++ int msgid;
++
++ /* Set up the ber structure for our value */
++ bval.bv_val = (char *) [value cString];
++ bval.bv_len = [value length] - 1; /* Length includes NULL terminator */
++
++ /* Set up the timeout */
++ timeout.tv_sec = _timeout;
++ timeout.tv_usec = 0;
++
++ /* Perform the compare */
++ if ((err = ldap_compare_ext(ldapConn, [dn cString], [attribute cString], &bval, NULL, NULL, &msgid)) != LDAP_SUCCESS) {
++ [TRLog debug: "LDAP compare failed: %d: %s", err, ldap_err2string(err)];
++ return NO;
++ }
++
++ /* Wait for the result */
++ if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
++ err = ldap_get_errno(ldapConn);
++ if (err == LDAP_TIMEOUT)
++ ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
++
++ [TRLog debug: "ldap_compare_ext failed: %s", ldap_err2string(err)];
++ return NO;
++ }
++
++ /* Check the result */
++ if (ldap_parse_result(ldapConn, res, &err, NULL, NULL, NULL, NULL, 1) != LDAP_SUCCESS) {
++ /* Parsing failed */
++ return NO;
++ }
++ if (err == LDAP_COMPARE_TRUE)
++ return YES;
++ else
++ return NO;
++
++ return NO;
++}
++
+
+ - (BOOL) _setLDAPOption: (int) opt value: (const char *) value connection: (LDAP *) ldapConn {
+ int err;
+diff -Naupr auth-ldap-2.0.3.orig/src/TRLDAPEntry.h auth-ldap-2.0.3/src/TRLDAPEntry.h
+--- auth-ldap-2.0.3.orig/src/TRLDAPEntry.h 2006-07-26 06:55:47.000000000 +0700
++++ auth-ldap-2.0.3/src/TRLDAPEntry.h 2015-06-14 16:02:26.497989147 +0600
+@@ -40,11 +40,14 @@
+
+ @interface TRLDAPEntry : TRObject {
+ LFString *_dn;
++ LFString *_rdn;
+ TRHash *_attributes;
+ }
+
+ - (id) initWithDN: (LFString *) dn attributes: (TRHash *) attributes;
+ - (LFString *) dn;
++- (LFString *) rdn;
++- (void) setRDN: (LFString *) rdn;
+ - (TRHash *) attributes;
+
+ @end
+diff -Naupr auth-ldap-2.0.3.orig/src/TRLDAPEntry.m auth-ldap-2.0.3/src/TRLDAPEntry.m
+--- auth-ldap-2.0.3.orig/src/TRLDAPEntry.m 2006-07-26 06:55:47.000000000 +0700
++++ auth-ldap-2.0.3/src/TRLDAPEntry.m 2015-06-14 16:02:26.497989147 +0600
+@@ -42,6 +42,7 @@
+ return self;
+
+ _dn = [dn retain];
++ _rdn = nil;
+ _attributes = [attributes retain];
+
+ return self;
+@@ -49,6 +50,7 @@
+
+ - (void) dealloc {
+ [_dn release];
++ [_rdn release];
+ [_attributes release];
+ [super dealloc];
+ }
+@@ -57,6 +59,14 @@
+ return _dn;
+ }
+
++- (LFString *) rdn {
++ return _rdn;
++}
++
++- (void) setRDN: (LFString *) rdn {
++ _rdn=rdn;
++}
++
+ - (TRHash *) attributes {
+ return _attributes;
+ }
+diff -Naupr auth-ldap-2.0.3.orig/src/TRLDAPGroupConfig.h auth-ldap-2.0.3/src/TRLDAPGroupConfig.h
+--- auth-ldap-2.0.3.orig/src/TRLDAPGroupConfig.h 2006-07-31 03:19:54.000000000 +0700
++++ auth-ldap-2.0.3/src/TRLDAPGroupConfig.h 2015-06-14 16:02:26.497989147 +0600
+@@ -42,6 +42,7 @@
+ LFString *_baseDN;
+ LFString *_searchFilter;
+ LFString *_memberAttribute;
++ BOOL _memberRFC2307BIS;
+ LFString *_pfTable;
+ }
+
+@@ -54,6 +55,9 @@
+ - (LFString *) memberAttribute;
+ - (void) setMemberAttribute: (LFString *) memberAttribute;
+
++- (BOOL) memberRFC2307BIS;
++- (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS;
++
+ - (LFString *) pfTable;
+ - (void) setPFTable: (LFString *) tableName;
+
+diff -Naupr auth-ldap-2.0.3.orig/src/TRLDAPGroupConfig.m auth-ldap-2.0.3/src/TRLDAPGroupConfig.m
+--- auth-ldap-2.0.3.orig/src/TRLDAPGroupConfig.m 2006-07-31 03:19:54.000000000 +0700
++++ auth-ldap-2.0.3/src/TRLDAPGroupConfig.m 2015-06-14 16:02:26.497989147 +0600
+@@ -81,6 +81,14 @@
+ _memberAttribute = [memberAttribute retain];
+ }
+
++- (BOOL) memberRFC2307BIS {
++ return (_memberRFC2307BIS);
++}
++
++- (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS {
++ _memberRFC2307BIS = memberRFC2307BIS;
++}
++
+ - (void) setPFTable: (LFString *) tableName {
+ if (_pfTable)
+ [_pfTable release];
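Review bot: Ownership of `_rdn` is inconsistent: `setRDN:` stores the pointer without retaining it while `dealloc` releases it, and the caller in openvpn_plugin_func_v1 allocates `userName`, never releases it, and calls `[ldapUser setRDN: userName]` before the `if (!ldapUser)` check, so on the user-not-found path the string simply leaks; use `[_rdn release]; _rdn = [rdn retain];` in the setter and release `userName` after the call. The non-RFC2307bis branch compares the group's member attribute against the login name the client supplied (`[ldapUser rdn]` is set from `get_env("username", envp)`), not against an attribute of the entry find_ldap_user actually resolved; deriving the compared value from the authenticated entry (its uid attribute) ties group authorization to the resolved identity rather than to the typed string. `int userNameLength` is declared in find_ldap_group but never used in the hunk. In `compare:` the final `return NO;` is unreachable, and the method appears to duplicate most of `compareDN:` (body not visible here), so a shared helper taking the value would avoid two copies of the ldap_compare_ext/ldap_result sequence.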
diff --git a/auth-ldap-2.0.3-tools-CFLAGS.patch b/auth-ldap-2.0.3-tools-CFLAGS.patch
new file mode 100644
index 000000000000..7e2e39fc23d5
--- /dev/null
+++ b/auth-ldap-2.0.3-tools-CFLAGS.patch
@@ -0,0 +1,11 @@
+diff -Naupr auth-ldap-2.0.3.orig/tools/Makefile.in auth-ldap-2.0.3/tools/Makefile.in
+--- auth-ldap-2.0.3.orig/tools/Makefile.in 2006-04-30 21:56:47.000000000 +0200
++++ auth-ldap-2.0.3/tools/Makefile.in 2011-08-13 22:57:23.409789931 +0200
+@@ -12,7 +12,6 @@ LEMON_OBJS= lemon.o
+ LEMON_GEN_SRCS= lempar.c
+
+ MAKEHEADERS_OBJS= makeheaders.o
+-CFLAGS=
+
+ all:: lemon makeheaders
+