#!/usr/bin/perl -w # Sample External Authenticaton program for CommuniGate Pro # that employs LDAP "bind", supports the account creation # via NEW command and supports SASL authentication. For SASL # to work the script must be able to retrieve account password # in plain text from the LDAP server. # # See for more info: # # Please mail your comments to # You may need to install the following modules: # ASN1 from # LDAP from use Net::LDAP; use strict; use threads; use threads::shared; use Thread::Queue; # Get the CLI.pm module from use CLI; # # You should redefine these values # my %domains=( # e-mail domains 'company.com' => { # need to create this for every domain you use with external authentication address=>'ldaps://127.0.0.1:636', #the URI or address of LDAP server backupAddress=>'192.168.0.2', # backup LDAP server URI (optional) timeout=>5, # timeout in seconds, 20 by default adminDN=>'CN=Administrator,CN=Users,DC=company,DC=com', # the DN for admin bind adminPassword=>'password', searchBase=>'cn=', # search base for NEW and SASL commands searchFilter=>'(&(uid=)(objectclass=*))', bindDN=>'uid=,cn=', # the account DN for direct bind for VRFY command updatePasswords=>1, #if need to update CommuniGate internal password }, 'another.domain.com' => { address=>'127.0.0.1', adminDN=>'CN=Administrator,CN=Users,DC=new,DC=company,DC=com', adminPassword=>'password', searchBase=>'CN=Users,DC=new,DC=company,DC=com', searchFilter=>'(&(mail=@)(objectclass=user))', bindDN=>'uid=,cn=', updatePasswords=>0, }, ); my $CGServerAddress = '127.0.0.1'; # You should redefine these values my $CLILogin = 'postmaster'; my $CLIPassword = 'pass'; my $cacheTimeout=60*10; # in seconds my $nThreads=5; # # END of user customiseable parameters # $| = 1; #force STDOUT autoflush after each write print "* authLDAPNew.pl started\n"; my %passwordCache:shared; my $mainQueue = Thread::Queue->new(); foreach my $i (1..$nThreads) { my $thr = threads->create(\&threadProc, "thread#$i" ); } while() { chomp; # remove \n from the end of line my ($prefix,$method,@eargs) = split(/ /); next unless($prefix && $method); if($method eq 'VRFY') { unless($prefix && $method && $eargs[0] && $eargs[1]) { print "$prefix ERROR Expected: nnn VRFY (mode) user\@domain password\n"; } else { if($eargs[0] =~ /^\(.*\)$/) { shift @eargs; } $mainQueue->enqueue(['VRFY',$prefix,$eargs[0],$eargs[1]]); } } elsif($method =~ /^SASL/) { unless($prefix && $method && $eargs[0] && $eargs[1]) { print "$prefix ERROR Expected: nnn SASL(method) (mode) user\@domain key\n"; } else { if($eargs[0] =~ /^\(.*\)$/) { shift @eargs; } $mainQueue->enqueue(['SASL',$prefix,$eargs[0] ]); } } elsif($method =~ /^READPLAIN/) { unless($prefix && $method && $eargs[0]) { print "$prefix ERROR Expected: nnn READPLAIN user\@domain\n"; } else { $mainQueue->enqueue(['SASL',$prefix,$eargs[0] ]); } } elsif($method eq 'NEW') { unless($prefix && $method && $eargs[0]) { print "$prefix ERROR Expected: nnn NEW user\@domain\n"; } else { $mainQueue->enqueue(['NEW',$prefix,$eargs[0] ]); } } elsif($method eq 'INTF') { print "$prefix INTF 7\n"; } elsif($method eq 'QUIT') { print "$prefix OK\n"; last; } else { print "$prefix ERROR Only INTF, VRFY, SASL, READPLAIN and NEW commands supported\n"; } } foreach (1..$nThreads) { $mainQueue->enqueue(undef); } foreach my $thr (threads->list()) { $thr->join(); } print "* authLDAPNew.pl done\n"; exit(0); sub threadProc { my ($name)=@_; # print "* $name started\n"; while (my $data = $mainQueue->dequeue()) { my ($name,$domain)=("",""); if($data->[2] =~ /(.+)\@(.+)/) { $name=$1; $domain=$2; } else { print "$data->[1] ERROR Full account name with \@ and domain part expected\n"; next; } unless($domains{$domain}) { print "$data->[1] ERROR the domain '$domain' is not served, check settings.\n"; next; } my $errorMsg; if($data->[0] eq 'VRFY') { $errorMsg=vrfy_command($name,$data->[1],$data->[2],$data->[3],$name,$domain); }elsif($data->[0] eq 'SASL') { $errorMsg=sasl_command($name,$data->[1],$data->[2],$name,$domain); }elsif($data->[0] eq 'NEW') { $errorMsg=new_command($name,$data->[1],$data->[2],$name,$domain); }else{ $errorMsg="unknown command $data->[0]"; } if(defined $errorMsg) { print "$data->[1] ERROR $errorMsg\n"; } } # print "* $name quitting\n"; } sub tryConnectServer { my ($thrName,$domain)=@_; my $domData=$domains{$domain}; my $adr=$domData->{address}; if($domData->{backupSwitchTime}) { if($domData->{backupSwitchTime}+60 > time() ) { #use backup for 60 seconds $adr=$domData->{backupAddress}; } else { delete $domData->{backupSwitchTime}; } } print "* ($thrName) trying to connect to $adr\n"; my $ldap = Net::LDAP->new($adr,timeout=>($domData->{timeout} || 20),inet4=>1,inet6=>0 ); unless($ldap) { if($domData->{backupAddress}) { print "* ($thrName) connection failed, trying backup at $domData->{backupAddress}\n"; $ldap = Net::LDAP->new($domData->{backupAddress},timeout=>($domData->{timeout} || 20),inet4=>1,inet6=>0 ); $domData->{backupSwitchTime}=time() if($ldap); } } return $ldap; } sub vrfy_command { my ($thrName,$prefix,$user,$password,$name,$domain)=@_; if($passwordCache{"$user/p"}) { if($passwordCache{"$user/t"} + $cacheTimeout > time() && $passwordCache{"$user/p"} eq $password) { print "* user $user found in cache, ttl=".int($passwordCache{"$user/t"}+$cacheTimeout-time() )."\n"; print "$prefix OK\n"; return; } else { delete $passwordCache{"$user/p"}; delete $passwordCache{"$user/t"}; } } my $ldap = tryConnectServer($thrName,$domain); unless($ldap) { return "Failed to connect to LDAP server"; } my $bindDN=$domains{$domain}->{bindDN}; $bindDN=~s//$name/; $bindDN=~s//$domain/; $password=decodeString($password); print "* ($thrName) binding $bindDN with password=$password\n"; my $result; $result=$ldap->bind($bindDN,password=>$password) || return "Can't bind: ".$result->error; $ldap->unbind(); # unbind & disconnect #$ldap->disconnect(); $result->code && return $result->error; # return error message if failed $passwordCache{"$user/t"}=time(); $passwordCache{"$user/p"}=$password; print "$prefix OK\n"; if($domains{$domain}->{updatePasswords}) { my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress, PeerPort => 106, login => $CLILogin, password => $CLIPassword } ); unless($cli) { print "* Can't login to CGPro via CLI: ".$CGP::ERR_STRING."\n"; return undef; } unless($cli->SetAccountPassword($user,$password)) { print "* Can't set password:".$cli->getErrMessage."\n"; } $cli->Logout(); } return undef; # return "undef" on success } sub sasl_command { my ($thrName,$prefix,$user,$name,$domain)=@_; if($passwordCache{"$user/p"}) { if($passwordCache{"$user/t"} + $cacheTimeout > time() ) { print "* user $user found in cache, ttl=".int($passwordCache{"$user/t"}+$cacheTimeout-time() )."\n"; print "$prefix PLAIN ".encodeString($passwordCache{"$user/p"})."\n"; return; } else { delete $passwordCache{"$user/p"}; delete $passwordCache{"$user/t"}; } } my $ldap = tryConnectServer($thrName,$domain); unless($ldap) { return "Failed to connect to LDAP server"; } my $adminDN=$domains{$domain}->{adminDN}; my $adminPassword=$domains{$domain}->{adminPassword}; my $result; $result=$ldap->bind($adminDN,password=>$adminPassword) || return "Can't bind as admin: ".$result->error; $result->code && return "Can't bind as admin: ".$result->error; my $searchBase=$domains{$domain}->{searchBase}; $searchBase=~s//$name/g; $searchBase=~s//$domain/g; my $searchFilter=$domains{$domain}->{searchFilter}; $searchFilter=~s//$name/g; $searchFilter=~s//$domain/g; print "* ($thrName) searching $searchBase for $searchFilter\n"; my $mesg = $ldap->search ( # perform a search base => $searchBase, filter => $searchFilter ); $ldap->unbind(); # unbind & disconnect unless(defined $mesg) { return "LDAP search failed"; } if($mesg->all_entries() eq 0) { return "LDAP: nothing found for $searchFilter"; } my $password; foreach my $entry ($mesg->all_entries) { my $ref1=@$entry{'asn'}; my $attrs=@$ref1{'attributes'}; foreach my $atrRef (@$attrs) { my $type=@$atrRef{'type'}; my $vals=@$atrRef{'vals'}; # $realName=@$vals[0] if($type eq 'cn'); $password=@$vals[0] if($type eq 'userPassword'); } last; # we need only 1 entry } unless($password) { return "no plain text password was found"; } $passwordCache{"$user/t"}=time(); $passwordCache{"$user/p"}=$password; print "$prefix PLAIN ".encodeString($password)."\n"; if($domains{$domain}->{updatePasswords}) { my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress, PeerPort => 106, login => $CLILogin, password => $CLIPassword } ); unless($cli) { print "* Can't login to CGPro via CLI: ".$CGP::ERR_STRING."\n"; return undef; } unless($cli->SetAccountPassword($user,$password)) { print "* Can't set password:".$cli->getErrMessage."\n"; } $cli->Logout(); } return undef; } sub new_command { my ($thrName,$prefix,$user,$name,$domain)=@_; my $ldap = tryConnectServer($thrName,$domain); unless($ldap) { return "Failed to connect to LDAP server"; } my $adminDN=$domains{$domain}->{adminDN}; my $adminPassword=$domains{$domain}->{adminPassword}; my $result; $result=$ldap->bind($adminDN,password=>$adminPassword) || return "Can't bind as admin: ".$result->error; $result->code && return "Can't bind as admin: ".$result->error; my $searchBase=$domains{$domain}->{searchBase}; $searchBase=~s//$name/; $searchBase=~s//$domain/; my $searchFilter=$domains{$domain}->{searchFilter}; $searchFilter=~s//$name/; $searchFilter=~s//$domain/; print "* ($thrName) searching $searchBase for $searchFilter\n"; my $mesg = $ldap->search ( # perform a search base => $searchBase, filter => $searchFilter ); $ldap->unbind(); # unbind & disconnect unless(defined $mesg) { return "LDAP search failed"; } if($mesg->all_entries() eq 0) { return "LDAP: nothing found for $searchFilter"; } my ($realName,$password); foreach my $entry ($mesg->all_entries) { my $ref1=@$entry{'asn'}; my $attrs=@$ref1{'attributes'}; foreach my $atrRef (@$attrs) { my $type=@$atrRef{'type'}; my $vals=@$atrRef{'vals'}; $realName=@$vals[0] if($type eq 'cn'); $password=@$vals[0] if($type eq 'userPassword'); } last; # we need only 1 entry } my %userData; $userData{'RealName'}=$realName if(defined $realName); $userData{'Password'}=$password if(defined $password && $domains{$domain}->{updatePasswords}); print "* ($thrName) found $realName\n" if(defined $realName); my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress, PeerPort => 106, login => $CLILogin, password => $CLIPassword } ) || return "Can't login to CGPro via CLI: ".$CGP::ERR_STRING; $cli->CreateAccount(accountName=>"$user",settings=>\%userData) || return "Can't create account via CLI:".$cli->getErrMessage; $cli->Logout(); if($password) { $passwordCache{"$user/t"}=time(); $passwordCache{"$user/p"}=$password; } print "$prefix OK\n"; return undef; } sub encodeString { my ($data)=@_; if($data =~ /\W/) { $data =~ s/\\/\\\\/g; $data =~ s/\"/\\\"/g; $data =~ s/([\x00-\x1F\x7F])/'\\'.('0'x(3-length(ord($1)))).ord($1)/ge; } return '"' . $data . '"'; } sub decodeString { my ($data)=@_; my $isQuoted=0; unless($data=~/^\"(.*)\"$/) { # check "'s return $data; } $data=$1; my $result=""; my $span=0; my $len=length($data); while($span < $len) { my $ch=substr($data,$span,1); if($ch eq '\\') { $span++; if(substr($data,$span,3) =~ /^(\d\d\d)/) { $ch=chr($1); $span+=3; }else { $ch=substr($data,$span,1); } } $result .= $ch; ++$span; } return $result; } __END__