/*  This Pipe filter that will create an LDAP call to verify the
    user's account and password. The
    results (either accepted or not accepted) is passed onto the invoker
    via the return code.  This filter was written for use with the
    EnterpriseWeb product as a security exit.
    It expects the parameters to be the userid and password to be
    validated.  If the LDAP server accepts these, then the RC=0.
    If they are not accepted, then it returns RC=403, access forbidden.
    The web server will also accept RC=401, which rechallenges the client
    for a different password.  According to Beyond Software, the server
    will invoke the exit first with a null argument.  The exit must return
    RC=401 so that the browser will prompt the user for the username
    and password.  The exit will then be invoked a second time with the
    user supplied data.
 
    This variation of the original exit EWXLDPR, rejects anyone
    who does not have an LDAP employeetype of STUDENT.
 
    Written by Martha McConaghy 11/07/05
 
*/
trace o
parse arg Userid ':' Passw .
/*  address command 'CP MSG URMM ON SERVER' userid() */
 
/*  Must do this to generate initial prompt for login*/
if(1>length(Userid)) then exit 401
 
Emp_type = 'STUDENT'
'CALLPIPE var Passw|spec 1.8 1|var Passw'
Retry = 3
address command 'GLOBAL LOADLIB SCEERUN'
if(RC^=0) then do
   say 'Unable to load SCEERUN to invoke LDAP program'
   exit 403
end;
 
do while Retry > 0
   Retry = Retry - 1
   call GetUnID
   if(0^=Result) then iterate
   call VerifyPW
   select
       when(Result>100) then exit 403
       when(Result=10) then do               /* LDAP call timed out*/
          if(Retry>0) then iterate
          else exit 403
          end;
       when(Result=7) then exit 403        /* Invalid userid or PW*/
       otherwise nop
   end;
 
exit RC
 
GetUnID:
   /* Step one, get the uniqueidentifier for the user */
    cmd = '/ldap/ldap-3.3/clients/tools/ldapsearch'
    ip = '-h web390.marist.edu'
    base = '-b "o=marist"'
 
    auth = '-D "o=marist" -w "mf1x3624"'
    field = 'UNIQUEIDENTIFIER'
    filter = '"UID='Userid'"'
    'CALLPIPE cms OPENVM RUN ' cmd ip base auth filter field '|' ,
        'drop 1|' ,
        'spec fs = f2 1|' ,
        'var UniqID'
    if('NUM'^=datatype(UniqID)) then do
        say 'No LDAP record returned for:' Userid
        return 5
    end;
return 0
 
VerifyPW:
 
/* Step 2 is to try and do a search using the Uniqueidentifier and
   the password given by the user.  If they go together, then LDAP
   will return the UIDs assigned to this person.  If they are not
   valid, or do not match each other, then LDAP will return
   invalid credentials response.
*/
 
   auth = '-D "uniqueidentifier='UniqID',o=marist" -w "'Passw'"'
   filter = '"UID='Userid'"'
   Field = 'EMPLOYEETYPE'
   'CALLPIPE cms OPENVM RUN ' cmd ip base auth filter field '|' ,
       'stem Types.|' ,
       'take 1|' ,
       'spec words 1-2 1|' ,
       'var Chk_return'
   select
       when (0<find(Chk_return,'Invalid')) then do
          say 'Invalid login supplied for:' Userid
          return 7
          end;
       when(0<find(Chk_return,'Host')) then do
          say 'Connection to LDAP timed out'
          return 10
          end;
       when(RC^=0) then do
          say 'Unexpected error from OPENVM:' RC
          return 12
          end;
       otherwise nop
   end;
 
   /* Check for the required employee type.  If no match, reject */
   'CALLPIPE stem Types.|' ,
             'drop 1|',
             'spec fs = f2 1|',
             'join * / /|' ,
             'var Ret_types'
   if(0=find(Ret_types,Emp_type))
        then return 403
   return 0