
extras/m_ldapauth: CIDR-based whitelisting

Offer host-based whitelisting in the ldap module.

Used to trust clients from internal networks,
whilst requiring authentication from "outsiders".
1 parent 418b77d commit 16cbb628161960eb87d5b2e8bdd62842b8eb0723 Pierre Carrier committed Sep 14, 2011
Showing with 31 additions and 0 deletions.
  1. +10 −0 docs/modules.conf.example
  2. +21 −0 src/modules/extra/m_ldapauth.cpp
@@ -960,6 +960,8 @@
# bindauth="mysecretpass" #
# verbose="yes"> #
# #
+# <ldapwhitelist cidr="10.42.0.0/16"> #
+# #
# The baserdn indicates the base DN to search in for users. Usually #
# this is 'ou=People,dc=yourdomain,dc=yourtld'. #
# #
@@ -987,6 +989,14 @@
# allow anonymous searching in which case these two values do not #
# need defining, otherwise they should be set similar to the examples #
# above. #
+# #
+# ldapwhitelist indicates that clients connecting from an IP in the #
+# provided CIDR do not need to authenticate against LDAP. It can be #
+# repeated to whitelist multiple CIDRs. #
+
+# ldapwhitelist indicates that clients connecting from the associated #
+# CIDR do to authenticate against LDAP. It can be used multiple #
+# times. #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# LDAP oper configuration module: Adds the ability to authenticate #
@@ -46,6 +46,7 @@ class ModuleLDAPAuth : public Module
std::string killreason;
std::string username;
std::string password;
+ std::vector<std::string> whitelistedcidrs;
int searchscope;
bool verbose;
bool useusername;
@@ -73,6 +74,7 @@ class ModuleLDAPAuth : public Module
void OnRehash(User* user)
{
ConfigReader Conf;
+ whitelistedcidrs.clear();
base = Conf.ReadValue("ldapauth", "baserdn", 0);
attribute = Conf.ReadValue("ldapauth", "attribute", 0);
@@ -85,6 +87,16 @@ class ModuleLDAPAuth : public Module
verbose = Conf.ReadFlag("ldapauth", "verbose", 0); /* Set to true if failed connects should be reported to operators */
useusername = Conf.ReadFlag("ldapauth", "userfield", 0);
+ ConfigTagList whitelisttags = ServerInstance->Config->ConfTags("ldapwhitelist");
+
+ for (ConfigIter i = whitelisttags.first; i != whitelisttags.second; ++i)
+ {
+ std::string cidr = i->second->getString("cidr");
+ if (!cidr.empty()) {
+ whitelistedcidrs.push_back(cidr);
+ }
+ }
+
if (scope == "base")
searchscope = LDAP_SCOPE_BASE;
else if (scope == "onelevel")
@@ -128,6 +140,15 @@ class ModuleLDAPAuth : public Module
return MOD_RES_PASSTHRU;
}
+ for (std::vector<std::string>::iterator i = whitelistedcidrs.begin(); i != whitelistedcidrs.end(); i++)
+ {
+ if (InspIRCd::MatchCIDR(user->GetIPString(), *i, ascii_case_insensitive_map))
+ {
+ ldapAuthed.set(user,1);
+ return MOD_RES_PASSTHRU;
+ }
+ }
+
if (!CheckCredentials(user))
{
ServerInstance->Users->QuitUser(user, killreason);
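Review bot: The OnRehash loop stores every non-empty `cidr` value without checking that it is CIDR notation, and the later `InspIRCd::MatchCIDR(user->GetIPString(), *i, ascii_case_insensitive_map)` call appears (as in other InspIRCd modules) to fall back to wildcard matching when the mask is not an address/prefix, so a typo such as `cidr="10.42.*"` or `cidr="*"` would silently widen the authentication bypass instead of being rejected. Validate at rehash, e.g. `if (cidr.empty() || cidr.find_first_of("*?") != std::string::npos) continue; // not CIDR notation: log and skip` in place of the current empty-check before `whitelistedcidrs.push_back(cidr);`, and report the skipped entry so the misconfiguration is visible. Because a match sets `ldapAuthed` and skips `CheckCredentials` purely on `GetIPString()`, the module docs should state that this is the connecting peer's address, so a proxy or gateway inside a whitelisted range whitelists every client behind it; the example-config hunk also describes `ldapwhitelist` twice, with the second paragraph ("do to authenticate") contradicting the first, and the duplicate should be dropped. The function containing the whitelist loop starts and ends outside the hunk; as a style point, the loop could use `const_iterator` and `++i`.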
