auth-pam.c Authentication by PAM
auth-pop3s.c Authentication by POP3S
auth-rad.c Authentication by RADIUS
+ auth-ldap.c Authentication by LDAP/LDAPS
comm-arp.c Communication with ARP
comm-ndp.c Communication with NDP
comm-auth.c Communication with authentication systems
<?xml version="1.0"?>
-<Opengate ConfigVersion="1.4.10">
+<Opengate ConfigVersion="1.4.11">
<!-- #################################################
# ####### NEED TO MODIFY FOLLOWING PARAMETERS ##### -->
- <!-- opengate gateway server hostname(FQDN or IP address) -->
+ <!-- #########################################################
+ ## Opengate gateway server hostname(FQDN or IP address)## -->
<OpengateServerName>opengate.og.saga-u.ac.jp</OpengateServerName>
- <!-- Authentication server -->
- <!-- The AuthServer format is documented at the end of this file -->
+ <!-- ############################################
+ ## Authentication server ##
+ ## REFER document at the end of this file ## -->
<AuthServer>
<Address>192.168.0.2</Address>
<!-- ###################################################
# if you want to switch parameters with userID or extraID
# (entered by user as [userID@extraID] in auth page),
-# see the information of ExtraSet at the end of this file.
+# REFER the information of ExtraSet at the end of this file.
# ################################################### -->
+ <!-- Debug dump level -->
<!-- Set 0 to write only open/close and error messages to syslog -->
<!-- Set 1 to write some information adding to 0 -->
<!-- Set 2 to write many information to syslog -->
<!-- If no connection with java/http, network is closed after this. -->
<Duration>
<Default>1200</Default>
- <Max>10800</Max>
+ <Max>3600</Max>
</Duration>
<!-- Client Live Check (seconds) -->
<!-- communication reply timeout(second) -->
<CommWaitTimeout>10</CommWaitTimeout>
+ <!-- Java connection timeout(second) -->
+ <JavaWaitTimeout>600</JavaWaitTimeout>
+
<!-- http reconnect timeout(second) -->
<ReconnectTimeout>10</ReconnectTimeout>
<!-- Separate char between userID and extraID [userID@extraID] -->
<UserIdSeparator>@</UserIdSeparator>
+ <!-- Config for exceptional users, See below -->
+<!--
+ <ExtraSet ExtraId="guest">
+ <AuthServer>
+ <Address>192.168.0.1</Address>
+ <Protocol>ftp</Protocol>
+ </AuthServer>
+ </ExtraSet>
+-->
+
+</Opengate>
+
<!-- ##########################################################
# #### ExtraSet overwritten on default settings ####
#
#
# Word "default" is set to extraID, when extraID is not entered.
# #######################################################
--->
-
-<!--
+#
# <ExtraSet ExtraId="guest">
# <AuthServer>
# <Address>192.168.0.1</Address>
-# <Protocol>pop3s</Protocol>
+# <Protocol>ftp</Protocol>
# </AuthServer>
# <Duration>
# <Default>1200</Default>
# <Max>1200</Max>
# </Duration>
# </ExtraSet>
--->
-<!--
+#
# <ExtraSet ExtraId="admin">
# <AuthServer>
# <Protocol>pam</Protocol>
# </AuthServer>
# </ExtraSet>
--->
-<!--
+#
# <ExtraSet ExtraId="default" UserIdPattern="^user1$|^user2$">
# <Syslog>
# <Enable>1</Enable>
# <Facility>local2</Facility>
# </Syslog>
# </ExtraSet>
--->
-</Opengate>
-
-
-
-<!-- ###################################################
+#
+#
+#
+# ###################################################
# ######Documentation about AuthServer setting ######
#
# ########### Format #############
# # Auth by RADIUS
# # If not define <ConfigFile>, "/etc/radius.conf" is used.
#
-# #### TYPE 4 (ACCEPT or DENY) ####
+# #### TYPE 4 (LDAP) ####
+# <AuthServer>
+# <Protocol>ldap</Protocol>
+# <Uri>-uri-of-ldap-server-</Uri>
+# <BaseDN>-ldap_base_dn_to_search-</BaseDN>
+# </AuthServer>
+# # Auth by LDAP/LDAPS
+# # Uri examples
+# # 'ldap://foo.bar.com' for NonSSL
+# # 'ldaps://foo.bar.com' for SSL
+# # 'ldaps://foo.bar.com:1234' to use specific port
+#
+# #### TYPE 5 (ACCEPT or DENY) ####
# <AuthServer>
# <Protocol>{accept|deny}</Protocol>
# </AuthServer>
# <AuthServer>
# <Address>pop.saga-u.ac.jp</Address>
# <Protocol>pop3s</Protocol>
-# <Port>10000</Port>
+# </AuthServer>
+#
+# <AuthServer>
+# <Protocol>ldap</Protocol>
+# <Uri>ldaps://ldap.saga-u.ac.jp</Uri>
+# <BaseDN>ou=people,dc=saga-u,dc=ac,dc=jp</BaseDN>
# </AuthServer>
#
# <AuthServer>
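Review bot: The new Uri examples label `ldap://foo.bar.com` only as "NonSSL" and say nothing about the consequence: a simple bind over plain ldap:// transmits every user's password in clear text between the gateway and the directory server, which in this configuration is typically a separate host (the sample `<Address>192.168.0.2</Address>`). Add a sentence next to the examples, `# # Use 'ldaps://' in production; over 'ldap://' the bind password crosses the network unencrypted.`. The ExtraSet examples in the same file were changed from `pop3s` to `ftp`, which is likewise a cleartext protocol although the tree has the TLS-capable `ftpse` and `pop3s` backends; prefer one of those in the sample so that copying the example does not create a cleartext credential path. The documentation block at the end of the file may continue beyond what is visible here.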
<DD>\r
Change parameter's name and value in config file.\r
</DD>\r
+<DT>\r
+Ver.1.4.11 at 2007.2.2</DT>\r
+<DD>\r
+Add ldap/ldaps authentication. Fix mulfunction in exceptional terminals.\r
+</DD>\r
\r
</DL>\r
<b>Please see CVS in SourceForge.net to check the file difference between versions.</b>\r
<!-- ************ 2 ************** -->\r
<h4>D.2 Setup of DHCP<A class=anchor href="#dhcp2" name=dhcp2>\81õ</A></h4>\r
\r
-<p>There is a configuration file "/usr/local/etc/dhcpd.conf.sample" after instalation. Copy "dhcpd.conf.sample" to "dhcpd.conf" and edit the file. Following is a setting example.</p>\r
+<p>There is a configuration file "/usr/local/etc/dhcpd.conf.sample" after instalation. Copy "dhcpd.conf.sample" to "dhcpd.conf" and edit the file. Following is a setting example. The lease time must be greater than the maximum usage duration (Duration/Max in opengatesrv.conf) used at sellecting time watching mode.</p>\r
\r
\r
<table><tr><td><pre>\r
option broadcast-address 192.168.1.255;\r
option routers 192.168.1.1;\r
\r
-default-lease-time 600;\r
-max-lease-time 7200;\r
+default-lease-time 86400;\r
+max-lease-time 604800;\r
ddns-update-style none;\r
log-facility local7;\r
\r
\r
<p>\r
\83C\83\93\83X\83g\81[\83\8b\8dì\8bÆ\82ª\8a®\97¹\82·\82é\82Æ\81A/usr/local/etc\88È\89º\82Édhcpd.conf.sample\82ª\90¶\90¬\82³\82ê\82Ä\82¢\82é\81B\93¯\83f\83B\83\8c\83N\83g\83\8a\82Édhcpd.conf\82Æ\82µ\82Ä\83R\83s\81[\82µ\81Adhcpd\97p\82Ì\90Ý\92è\83t\83@\83C\83\8b\82ð\8dì\90¬\82·\82é\81B</p>\r
-<p>\88È\89º\82É\81A\90Ý\92è\97á\82ð\8e¦\82·\81B</p>\r
+<p>\88È\89º\82É\81A\90Ý\92è\97á\82ð\8e¦\82·\81B\83\8a\81[\83X\8e\9e\8aÔ\82Í\81A\8e\9e\8aÔ\8aÄ\8e\8b\82Ì\8fê\8d\87\82É\8eg\82¤\8b\96\97e\8dÅ\91å\8e\9e\8aÔ\81iopengatesrv.conf\93à\82ÌDuration/Max\81j\82æ\82è\92·\82\82·\82é\82±\82Æ\81B</p>\r
\r
<table><tr><td><pre>\r
option domain-name "og.saga-u.ac.jp";\r
option broadcast-address 192.168.1.255;\r
option routers 192.168.1.1;\r
\r
-default-lease-time 600;\r
-max-lease-time 7200;\r
+default-lease-time 86400;\r
+max-lease-time 604800;\r
ddns-update-style none;\r
log-facility local7;\r
\r
<hr />
<p>If yellow bar is not displayed between above two lines, please click <a href="%%TERMINATEURL%%"><b>TERMINATE</b></a>
-and close your browser.
+and close your browser. If authentication page is not displayed, access to other web page.</p>
<SCRIPT LANGUAGE="JavaScript">
<!--
<p>If yellow bar is not displayed between above two lines, Java does not run.
In this case, please click <a href="%%TERMINATEURL%%"><b>TERMINATE</b></a>,
close your browser, and try to select other watch mode in authentication page.
-Or you can run Java, if you download JavaPlugIn from <a href=http://java.com/ja/index.jsp><b>java.com</b></a>.</p>
+Or you can run Java, if you download JavaPlugIn from <a href=http://java.com/ja/index.jsp><b>java.com</b></a>.If authentication page is not displayed, access to other web page.</p>
<script language="JavaScript">
<p>When you finish to use the network, click the link:
<a href="%%TERMINATEURL%%">TERMINATE</a> for security.</p>
<p>Please use this method only when other watch modes cannot be used.</p>
-
+<p>If authentication page is not displayed, access to other web page.</p>
<script language="JavaScript">
<!--
window.open("%%STARTURL%%","window1");
or other malfunction is occured,
click <a href="%%TERMINATEURL%%"><b>TERMINATE</b></a>,
close your browser, and try to select other watch mode
- in authentication page.</p>
+ in authentication page.
+If authentication page is not displayed, access to other web page.</p>
<table bgcolor="lightyellow" border="1">
<tr><td>
<p>\e$B>e$N\e(B2\e$BK\$N@~$N4V$K2+?'$N%P!<$,I=<($5$l$J$$>l9g!"\e(B
<a href="%%TERMINATEURL%%"><b>\e$BMxMQCfCG\e(B</b></a>\e$B$r%/%j%C%/$7$F$+$i\e(B
-\e$B%V%i%&%6$r=*N;$7$F$/$@$5$$!#\e(B
+\e$B%V%i%&%6$r=*N;$7$F$/$@$5$$!#$^$?G'>Z%Z!<%8$,I=<($5$l$J$$>l9g$O!"\e(B
+\e$BDL>o$H$OJL$N%Z!<%8$r%"%/%;%9$7$F$_$F$/$@$5$$!#\e(B
+
<script language="JavaScript">
<!--
\e$B%V%i%&%6$r=*N;$7$?8e!"G'>Z%Z!<%8$K$*$$$FB>$N4F;kJ}<0$rA*Br$7$F$/$@$5$$!#\e(B
\e$B$^$?$O!"\e(B<a href=http://java.com/ja/index.jsp><b>java.com</b></a>
\e$B$+$i\e(BJavaPlugIn\e$B$r%@%&%s%m!<%I$9$l$P!"\e(BJava\e$B$rF0$+$9$3$H$,$G$-$^$9!#\e(B
+\e$B$^$?G'>Z%Z!<%8$,I=<($5$l$J$$>l9g$O!"\e(B
+\e$BDL>o$H$OJL$N%Z!<%8$r%"%/%;%9$7$F$_$F$/$@$5$$!#\e(B
<script language="JavaScript">
<!--
<p>\e$B0BA4$N$?$a$K!"MxMQ=*N;;~$K$O!"\e(B<a href="%%TERMINATEURL%%">
<b>\e$BMxMQCfCG\e(B</b></a>\e$B$r%/%j%C%/$7$F$/$@$5$$!#\e(B</p>
<p>\e$B$3$NJ}K!$O!"B>$N4F;kJ}K!$,;HMQ$G$-$J$$>l9g$K$N$_MxMQ$7$F2<$5$$!#\e(B</p>
+<p>\e$BG'>Z%Z!<%8$,I=<($5$l$J$$>l9g$O!"\e(B
+\e$BDL>o$H$OJL$N%Z!<%8$r%"%/%;%9$7$F$_$F$/$@$5$$!#\e(B</p>
<script language="JavaScript">
<!--
<p>\e$B%M%C%H%o!<%/$rMxMQ$G$-$^$9!#\e(B</p>
-<p>\e$BMxMQ$,=*$C$?$iI,$:\e(BWeb\e$B%V%i%&%6$r=*N;$7$F$/$@$5$$!#%M%C%H%o!<%/MxMQ5v2D$b<+F0E*$K<h$j>C$5$l$^$9!#\e(B</p>
+<p>\e$BMxMQ$,=*$C$?$iI,$:\e(BWeb\e$B%V%i%&%6$r=*N;$7$F$/$@$5$$!#\e(B
+\e$B%M%C%H%o!<%/MxMQ5v2D$b<+F0E*$K<h$j>C$5$l$^$9!#\e(B</p>
<noscript>
<p><b>JavaScript\e$B$,L58z$K@_Dj$5$l$F$$$^$9!#JQ99$7$F2<$5$$!#\e(B</b></p>
</noscript>
<p>\e$B>e$N\e(B2\e$BK\$N@~$N4V$K2+?'$N%P!<$,I=<($5$l$J$+$C$?$j%M%C%H%o!<%/$,JD:?$5$l$k\e(B
\e$B$J$IF0:n$,$*$+$7$$>l9g$O!"\e(B<a href="%%TERMINATEURL%%"><b>\e$BMxMQCfCG\e(B
-</b></a>\e$B$r%/%j%C%/$7$F%V%i%&%6$r=*N;$7$?8e!"G'>Z%Z!<%8$K$*$$$FB>$N4F;k\e(B
-\e$BJ}<0$rA*Br$7$F$/$@$5$$!#\e(B
+</b></a>\e$B$r%/%j%C%/$7$F%V%i%&%6$r=*N;$7$?8e!"G'>Z%Z!<%8$K$*$$$F\e(B
+\e$BB>$N4F;kJ}<0$rA*Br$7$F$/$@$5$$!#\e(B
+\e$B$^$?G'>Z%Z!<%8$,I=<($5$l$J$$>l9g$O!"\e(B
+\e$BDL>o$H$OJL$N%Z!<%8$r%"%/%;%9$7$F$_$F$/$@$5$$!#\e(B
</p>
<table bgcolor="lightyellow" border="1">
DOCDIR = /data
CGIDIR = /cgi-bin
OPENGATEDIR = /opengate
+CONFIGPATH = /etc/opengate
DOCUMENTROOT = ${WWWTOP}${DOCDIR}
INSTALLDOCPATH = ${WWWTOP}${DOCDIR}${OPENGATEDIR}
INSTALLCGIPATH = ${WWWTOP}${CGIDIR}${OPENGATEDIR}
-CONFIGPATH = /etc/opengate
-
CFLAGS= -O4 -Wall
-LIBS = -lssl -lcrypto -lradius -lpam -lezxml -L../ezxml
-OBJS = utilities.o comm-auth.o comm-cgi.o watch-client.o comm-ipfw.o comm-ip6fw.c comm-arp.o comm-ndp.o error.o tcp_connect.o sock_ntop_host.o wrapper.o signal.o auth-pam.o auth-rad.o auth-pop3s.o comm-userdb.o get-param.o auth-ftps.o htmltemplate.o addr-convert.o get-mac.o ctrl-firewall.o ctrl-alarms.o
+LIBS = -lssl -lcrypto -lradius -lpam -lldap -llber -lezxml -L/usr/local/lib -L../ezxml
+OBJS = utilities.o comm-auth.o comm-cgi.o watch-client.o comm-ipfw.o comm-ip6fw.c comm-arp.o comm-ndp.o error.o tcp_connect.o sock_ntop_host.o wrapper.o signal.o auth-pam.o auth-rad.o auth-pop3s.o comm-userdb.o get-param.o auth-ftps.o auth-ldap.o htmltemplate.o addr-convert.o get-mac.o ctrl-firewall.o ctrl-alarms.o
MAINPROGO = main.o
HDRS = opengatesrv.h
MAINPROG = opengatesrv
auth-pop3s.o: ${HDRS}
+auth-ftps.o: ${HDRS}
+
+auth-ldap.o: ${HDRS}
+.if exists(/usr/local/include/ldap.h)
+ ${CC} ${CFLAGS} -I/usr/local/include -c $<
+.else
+ ${CC} ${CFLAGS} -DLDAP_NOT_INSTALLED -c $<
+.endif
+
get-param.o: ${HDRS}
get-mac.o: ${HDRS}
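Review bot: LIBS now always links `-lldap -llber`, but the auth-ldap.o rule compiles with `-DLDAP_NOT_INSTALLED` when `/usr/local/include/ldap.h` is absent, so on such a host every object builds and the final link of opengatesrv then fails because the two libraries are not there; the fallback define buys nothing. Guard the libraries with the same test, `.if exists(/usr/local/include/ldap.h)` / `LIBS += -lldap -llber` / `.endif` (keeping `-L/usr/local/lib` where it is), or make LDAP a hard requirement and delete the `.else` branch. Separately, the rewritten OBJS line still names `comm-ip6fw.c` where every other entry is a `.o`; this predates the commit but is worth fixing while the line is being edited.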
int AuthFtpse(char *userid, char *passwd);
int authFtpsi(char *userid, char *passwd);
int AuthFtpsi(char *userid, char *passwd);
+int authLdap(char *userid, char *passwd);
+int AuthLdap(char *userid, char *passwd);
/*******************************************************/
/* Authenticate user by accessing to ftp server */
/* authenticate by pop3s */
authResult=AuthPop3s(userid, passwd);
+ }else if(strcmp(proto, "ldap")==0){
+ /* authenticate by ldap */
+ authResult=AuthLdap(userid, passwd);
+
}else if(strcmp(proto, "ftpse")==0){
/* authenticate by ftps-explicit */
authResult=AuthFtpse(userid, passwd);
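Review bot: AuthLdap receives passwd unfiltered, and its body (auth-ldap.c) is not part of this view; if it authenticates with an LDAP simple bind, it has to refuse an empty password before binding, because LDAP treats a bind with a DN and an empty password as an anonymous (unauthenticated) bind that succeeds on most servers (RFC 4513 §5.1.2), so a user could be granted access with no password at all. The check belongs inside AuthLdap so every caller is covered — return the same failure value the other Auth* functions return when `passwd` is NULL or `*passwd=='\0'` — and the empty-password case should be logged with err_msg like the other authentication failures. A one-line comment at the dispatch here would also help the next reader, e.g. `/* authenticate by ldap simple bind (ldap:// is cleartext; see config notes) */`. The enclosing if/else chain starts and ends outside this hunk.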
#include "opengatesrv.h"
#include "../ezxml/ezxml.h"
-#define CONFIG_VERSION "1.4.10"
+#define CONFIG_VERSION "1.4.11"
#define SEPARATOR "/"
int debug=0;
printf("Config file=[%s]\n",CONFIGFILE);
- /* get serverid, userid and password */
+ /* get extraid, userid and password */
+ /*
printf("Enter extraID=");
- scanf("%s", extraID);
+ scanf("%s\n", extraID);
+ */
printf("Enter userID=");
scanf("%s", userID);
printf("Enter password=");
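Review bot: The extraID prompt is kept as commented-out code (the `/* … */` around the printf/scanf pair) instead of being removed, and the `"%s\n"` format inside it would not behave as a reader expects anyway — a trailing `\n` in a scanf format consumes all following whitespace and blocks for more input — so delete the block rather than preserve it. The live `scanf("%s", userID)` just below has no field width, so an over-long line overruns userID; give it a width one less than the buffer size, `scanf("%<sizeof userID - 1>s", userID)` (placeholder: substitute the real buffer length), and do the same for the password read that follows. The enclosing function starts and ends outside this hunk.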
int MacAddrCheck(int ipStatus,char *clientAddr4, char *clientAddr6, char *macAddr4, char *macAddr6);
int IsRightKey(char *pNowKey, char *sessionId);
void SendHttpReply(char *reply);
-void CheckAjaxAbility(char *buff, char *sessionId);
void OnUsageTimeLimitAlarm(int signo);
void OnCheckBasicAlarm(int signo);
char connectAddr[ADDRMAXLN]; /* connected client address */
char httpStr[BUFFMAXLN]; /* HTTP GET string at terminate */
char useridAndSessionId[BUFFMAXLN]; /* comcat userid and sessionid */
+ int timeSendHttpkeep=0;
+ int timeStart;
+
+ timeStart=time(NULL);
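Review bot: `timeStart` and `timeSendHttpkeep` are declared `int` but are assigned `time(NULL)` and later subtracted from it, so a `time_t` is narrowed to int at each store and the comparisons mix the two widths; declare them with the type the value actually has, `time_t timeSendHttpkeep=0;` and `time_t timeStart;`, keeping the `== 0` sentinel as is. A short comment on what each marks would also help: `/* epoch when this wait loop began (deadline for the Java request) */` and `/* epoch when the httpkeep page was sent; 0 = not yet sent */`. The enclosing function starts outside this hunk.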
/* set alarm function arguments */
alarmArg.pClientAddr=pClientAddr;
/* start alarms */
EnableAlarm();
- /* connection wait */
- connfd = SelectAccept();
-
- /*at abnormal connect */
- if(connfd < 0) continue;
+ /* connection wait. retry at abnormal */
+ if((connfd = SelectAccept()) < 0 ){
+ Close(connfd);
+ continue;
+ }
/* at normal connection */
/* stop alarm interupt between checking */
DisableAlarm();
- /* is it from the correct client addr */
- /* the check is skipped for IPv6 */
+ /* is it from the correct client addr(the check is skipped for IPv6) */
if(ipType==IPV4 && ipStatus!=IPV6ONLY){
GetPeerAddr(connfd, connectAddr);
if(isNull(connectAddr)||strcmp(connectAddr, clientAddr4)!=0){
- connectMode=NOCONNECT;
Close(connfd);
continue;
}
AddAlarm("ReadWaitAlarm",atoi(GetConfValue("CommWaitTimeout")),
TRUE, OnReadWaitAlarm);
EnableAlarm();
+
/* get string from connection */
if(readln(connfd, buff, BUFFMAXLN) <0){
/* if abnormal, wait next request */
- connectMode=NOCONNECT;
Close(connfd);
continue;
}
RemoveAlarm("ReadWaitAlarm");
-
- /* is it the correct userid from java applet */
+
+ /* is it the correct request from java applet */
/* the request is [<userid>:<sessionId>] */
snprintf(useridAndSessionId, BUFFMAXLN, "%s-%s", userid,sessionId);
if(strcmp(buff, useridAndSessionId)==0){
- /* enter to the Java watch mode on the connection */
+ /* if too late request, ingore */
+ if((time(NULL)-timeStart) > atoi(GetConfValue("JavaWaitTimeout"))){
+ Close(connfd);
+ continue;
+ }
+
+ /* enter to the Java watch mode on the connection keeped */
connectMode=JAVACONNECT;
break;
}
/* is it the httpkeep page download request */
/* the request is [GET /httpkeep.html ....] */
snprintf(httpStr, BUFFMAXLN, "GET /httpkeep-%s-%s", userid,sessionId);
-
if(strstr(buff, httpStr)==buff){
- /* page download request found */
/* read out the remained headers and send the page */
ReadHttpHeaders();
SendHttpKeepPage(userid, sessionId, language, port);
+ timeSendHttpkeep=time(NULL);
- /* to check ajax ability, wait XMLHttpRequest for a while */
- CheckAjaxAbility(buff, sessionId);
+ /* return to wait next request (that night be GET /hello) */
+ Close(connfd);
+ continue;
+ }
+ /* is it hello request from javascript in httpkeep.html */
+ if(strstr(buff, "GET /hello-")==buff){
+
+ /* read out the remained headers */
+ ReadHttpHeaders();
+
+ /* if the request is premature or too late, ignore */
+ if((timeSendHttpkeep == 0)||
+ (time(NULL)-timeSendHttpkeep)> atoi(GetConfValue("CommWaitTimeout"))){
+ Close(connfd);
+ continue;
+ }
+
+ /* if received key is incorrect, exit */
+ /* [GET /hello-key1-key2 ..] */
+ if( IsRightKey(buff+strlen("GET /hello-"), sessionId)==FALSE){
+ connectMode=ENDCONNECT;
+ Close(connfd);
+ break;
+ }
+
+ /* enter to the Http watch mode on the connection keeped(not close) */
+ /* reply to the hello request is done in the watch routine */
+ connectMode=HTTPCONNECT;
break;
}
break;
}
- /* some other unknown request */
- err_msg("ERR at %s#%d: unknown request [%s] sent from client",
- __FILE__,__LINE__,buff);
- connectMode=NOCONNECT;
+ /* other request is ignored */
Close(connfd);
-
continue;
}
return connectMode;
}
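Review bot: The final branch now silently drops any request that is neither the Java applet string, the httpkeep page fetch nor a hello, replacing the previous `err_msg(... unknown request ...)` with a bare comment; unexpected traffic on this port is exactly what an operator needs to see when diagnosing a misbehaving or probing client. Keep the message at debug level so routine noise such as favicon requests does not flood syslog but remains available: `if(debug>0) err_msg("INFO at %s#%d: ignored request [%s]", __FILE__,__LINE__,buff);`. The same loss of visibility appears in the reconnect hunk further down, where the EINTR/errno distinction and both messages were collapsed into `connectMode=ENDCONNECT` with no log at all. As a point of style, the `strstr(buff, "GET /hello-")==buff` prefix tests scan the whole buffer; `strncmp(buff, "GET /hello-", strlen("GET /hello-"))==0` states the intent directly. The enclosing function starts outside this hunk.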
-/***************************************/
-/* check ajax ability */
-/* read hello sent by XMLhttpRequest */
-/* (reply is delayed) */
-/* check result is set in connectMode */
-/***************************************/
-void checkAjaxAbility(char *buff, char *sessionId)
-{
-
- /* to check the ajax ablility of the client, wait ajax request */
- AddAlarm("AjaxWaitAlarm",atoi(GetConfValue("CommWaitTimeout")),
- TRUE, OnAjaxWaitAlarm);
- EnableAlarm();
-
- /* read wait for ajax request in the connection */
- while(1){
- if(readln(connfd, buff, BUFFMAXLN) <0){
-
- /* if timeout, no ajax ability */
- /* java might be connected */
- connectMode=NOCONNECT;
- Close(connfd);
- break;
- }
-
- /* recieved normal request */
- RemoveAlarm("AjaxWaitAlarm");
- ReadHttpHeaders();
-
- /* usually, hello request is recieve */
- if(strstr(buff, "GET /hello-")==buff){
-
- /* if received hello-key is incorrect, exit */
- /* [GET /hello-key1-key2 ..] */
- if( IsRightKey(buff+strlen("GET /hello-"), sessionId)==FALSE){
- connectMode=ENDCONNECT;
- Close(connfd);
- break;
- }
-
- /* enter to the Http watch mode on the connection */
- connectMode=HTTPCONNECT;
- break;
- }
- /* or some request might be inserted. eg:[GET /favicon.ico] */
- /* ignore it */
- else{
- SendHttpReply("");
- continue;
- }
- }
-}
-
/****************************/
/* wait for TCP connection */
/****************************/
/* connection wait */
connfd = SelectAccept();
- if(connfd<0){
- /* abnormal return from selectAccept */
- if(errno==EINTR){ /* timeout interupt */
- err_msg("ERR at %s#%d: http reconnect timeout",
- __FILE__,__LINE__);
- connectMode=ENDCONNECT;
- }else{ /* other errors */
- err_msg("ERR: http reconnect error [%s]",strerror(errno));
- connectMode=ENDCONNECT;
- }
-
- }else{
- /* normal return from selectAccept */
- if(debug>0)err_msg("INFO: http reconnect after %d seconds",
- time(NULL)-startTime);
- connectMode=HTTPCONNECT;
- }
+ if(connfd<0) connectMode=ENDCONNECT; /* timeout or abnormal */
+ else connectMode=HTTPCONNECT; /* reconnected */
/* receive request */
RemoveAlarm("ReadWaitAlarm");
if(debug>1) err_msg("DEBUG:<=sendHttpReply()");
}
-void CheckAjaxAbility(char *buff, char *sessionId){
- if(debug>1) err_msg("DEBUG:=>checkAjaxAbility(%s,%s)",buff,sessionId);
- checkAjaxAbility(buff,sessionId);
- if(debug>1) err_msg("DEBUG:<=checkAjaxAbility()");
-}
+
+