

LDAP Integration

ILRI uses an Active Directory server for user authentication, primarily for its Exchange e-mail services. Currently users have an Active Directory username and password for their Windows-centric single sign-on and e-mail, and a separate account for use with the HPC. Linux can be configured to authenticate users against Active Directory.

#define DEFAULT_USER "nobody"
 
 
 
#include <stdio.h>
 
 
 
/*
 
 * here, we make definitions for the externally accessible functions
 
 * in this file (these definitions are required for static modules
 
 * but strongly encouraged generally) they are used to instruct the
 
 * modules include file to define their prototypes.
 
 */
 
 
 
#define PAM_SM_AUTH
 
#define PAM_SM_ACCOUNT
 
#define PAM_SM_SESSION
 
#define PAM_SM_PASSWORD
 
 
 
#include <security/pam_modules.h>
 
#include <security/_pam_macros.h>
 
#include <lber.h> //for ldap
 
#include <ldap.h> //for ldap
 
#include <string.h> //added by lavila
 
#include <syslog.h> //added by Alan to compile on newer Linux
 
 
 
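/* Directory server (the address the module has always used) and the UPN
 * suffix appended to the account name for the bind.  Both really belong in
 * module arguments or a config file rather than in the binary. */
static const char LDAP_SERVER_URI[] = "ldap://172.26.12.11:389";
static const char UPN_SUFFIX[] = "@cgiar.org";

enum { BIND_NAME_MAX = 256 };

/*
 * testBind - verify a user's Active Directory password with an LDAP bind.
 *
 * loginDN  : the bare account name; the UPN suffix is appended into a local
 *            buffer, so the caller's buffer is no longer written to.
 * password : the cleartext password taken from the PAM auth token.
 *
 * Returns 1 when the bind succeeds, 0 on any failure.  Diagnostics go to
 * syslog only (a PAM module must not print to the application's stdout) and
 * the password is never logged.
 *
 * An empty or NULL password is rejected before the server is contacted: an
 * LDAP simple bind with an empty credential is treated as an anonymous bind
 * by many servers (Active Directory by default), and an anonymous bind
 * "succeeds", which would let anyone authenticate as any user.
 */
int testBind(char* loginDN, char* password)
{
    struct timeval timeOut = {10, 0};   /* 10 second connection timeout */
    int version = LDAP_VERSION3;
    char bindName[BIND_NAME_MAX];
    struct berval cred;
    LDAP *ld = NULL;
    int rc;
    int ok = 0;

    if (loginDN == NULL || *loginDN == '\0') {
        syslog(LOG_ERR, "pam_cgiar_ldap: empty user name rejected");
        return 0;
    }
    if (password == NULL || *password == '\0') {
        /* would become an anonymous bind -- see header comment */
        syslog(LOG_ERR, "pam_cgiar_ldap: empty password rejected");
        return 0;
    }

    /* Build "<user>@cgiar.org" in a bounded local buffer instead of
     * strcat()ing into the caller's array, whose headroom is unknown here. */
    int n = snprintf(bindName, sizeof bindName, "%s%s", loginDN, UPN_SUFFIX);
    if (n < 0 || (size_t)n >= sizeof bindName) {
        syslog(LOG_ERR, "pam_cgiar_ldap: user name too long");
        return 0;
    }

    rc = ldap_initialize(&ld, LDAP_SERVER_URI);
    if (rc != LDAP_SUCCESS || ld == NULL) {
        syslog(LOG_ERR, "pam_cgiar_ldap: ldap_initialize failed: %s",
               ldap_err2string(rc));
        return 0;
    }

    /* Options are set on this handle rather than on the global default. */
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &timeOut);
    /* Do not chase the referrals AD hands out for partitions it does not
     * hold; they would be followed anonymously and only slow the bind. */
    ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);

    /* The bind used to travel in cleartext on port 389.  Upgrade to TLS
     * before sending the credential and fail closed if the server refuses;
     * the domain controller must present a certificate the client trusts. */
    rc = ldap_start_tls_s(ld, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        syslog(LOG_ERR, "pam_cgiar_ldap: StartTLS failed: %s",
               ldap_err2string(rc));
        goto out;
    }

    cred.bv_val = password;
    cred.bv_len = strlen(password);
    rc = ldap_sasl_bind_s(ld, bindName, LDAP_SASL_SIMPLE, &cred,
                          NULL, NULL, NULL);
    if (rc == LDAP_SUCCESS) {
        ok = 1;
        syslog(LOG_INFO, "pam_cgiar_ldap: -->ldap authentication ok");
    } else {
        syslog(LOG_ERR, "pam_cgiar_ldap: -->ldap authentication failed: %s",
               ldap_err2string(rc));
    }

out:
    /* The original never released the handle; one leak per login attempt. */
    ldap_unbind_ext_s(ld, NULL, NULL);
    return ok;
}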
 
 
 
/* --- authentication management functions --- */
 
 
 
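/*
 * pam_sm_authenticate - authenticate the PAM user against Active Directory.
 *
 * The password is read from PAM_AUTHTOK, so a module earlier in the auth
 * stack must already have prompted for it; this module never prompts itself
 * (hence the original author's note that it cannot sit first in the stack).
 * The user name is copied into a bounded local buffer that leaves room for
 * the "@cgiar.org" suffix testBind() may append in place.
 *
 * Returns PAM_SUCCESS when the LDAP bind succeeds, PAM_USER_UNKNOWN when no
 * usable user name is available or it is too long, and PAM_AUTH_ERR when no
 * password is available or the bind fails.  flags, argc and argv are unused.
 */
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
                        const char **argv)
{
    const char *user = NULL;
    const void *tok = NULL;
    char luser[100];
    int retval;

    (void)flags;
    (void)argc;
    (void)argv;

    /* authentication requires we know who the user wants to be */
    retval = pam_get_user(pamh, &user, NULL);
    if (retval != PAM_SUCCESS) {
        D(("get user returned error: %s", pam_strerror(pamh, retval)));
        return retval;
    }

    if (user == NULL || *user == '\0') {
        /* Kept from the pam_permit template this module was derived from:
         * record the default user, but refuse instead of continuing with a
         * NULL name (the original went on to strcpy() from it). */
        D(("username not known"));
        (void)pam_set_item(pamh, PAM_USER, (const void *)DEFAULT_USER);
        return PAM_USER_UNKNOWN;
    }

    /* Bounded copy; the sizeof term reserves space for the UPN suffix and
     * its terminator so testBind() cannot overrun luser when it appends. */
    if (strlen(user) + sizeof("@cgiar.org") > sizeof luser) {
        syslog(LOG_ERR, "pam_cgiar_ldap: user name too long");
        return PAM_USER_UNKNOWN;
    }
    snprintf(luser, sizeof luser, "%s", user);

    /* PAM_AUTHTOK is only populated by a module that ran before us. */
    retval = pam_get_item(pamh, PAM_AUTHTOK, &tok);
    if (retval != PAM_SUCCESS || tok == NULL || *(const char *)tok == '\0') {
        /* A NULL/empty token would reach the server as an anonymous bind,
         * which succeeds -- it must never be passed on. */
        syslog(LOG_ERR, "pam_cgiar_ldap: no password available in PAM_AUTHTOK");
        return PAM_AUTH_ERR;
    }

    /* The cast exists only because testBind() is declared with non-const
     * parameters. */
    if (testBind(luser, (char *)tok) == 1) {
        return PAM_SUCCESS;
    }
    return PAM_AUTH_ERR;
}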
 
 
 
/*
 * pam_sm_setcred - credential handling hook.
 * This module establishes no credentials; it always reports PAM_SUCCESS.
 * All parameters are unused.
 */
PAM_EXTERN
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}
 
 
 
/* --- account management functions --- */
 
 
 
/*
 * pam_sm_acct_mgmt - account management hook.
 * No account checks (expiry, lockout, ...) are performed; the call always
 * reports PAM_SUCCESS.  All parameters are unused.
 */
PAM_EXTERN
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}
 
 
 
/* --- password management --- */
 
 
 
/*
 * pam_sm_chauthtok - password change hook.
 * Password changes are not implemented: the call reports PAM_SUCCESS without
 * contacting the directory or altering anything, so a password stack must
 * not rely on this module to update the credential.  Parameters are unused.
 */
PAM_EXTERN
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}
 
 
 
/* --- session management --- */
 
 
 
/*
 * pam_sm_open_session - session start hook.
 * Nothing is set up for the session; always reports PAM_SUCCESS.
 * All parameters are unused.
 */
PAM_EXTERN
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
                        const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}
 
 
 
/*
 * pam_sm_close_session - session end hook.
 * Nothing is torn down; always reports PAM_SUCCESS.
 * All parameters are unused.
 */
PAM_EXTERN
int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
                         const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}
 
 
 
/* end of module definition */
 
 
 
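#ifdef PAM_STATIC

/* static module data
 *
 * The original line read "struct pam_module_pam_cgiar_ldap_modstruct = {",
 * i.e. the space between the struct tag and the variable name was lost, so
 * the module did not compile when PAM_STATIC was defined.  The name follows
 * the "_pam_<module>_modstruct" pattern of the pam_permit template this
 * module was copied from. */
struct pam_module _pam_cgiar_ldap_modstruct = {
    "pam_cgiar_ldap",
    pam_sm_authenticate,
    pam_sm_setcred,
    pam_sm_acct_mgmt,
    pam_sm_open_session,
    pam_sm_close_session,
    pam_sm_chauthtok
};

#endif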