--- httpd-2.0.51/modules/experimental/mod_auth_ldap.c-dist 2004-05-22 01:39:41.000000000 +0200
+++ httpd-2.0.51/modules/experimental/mod_auth_ldap.c 2004-09-21 23:40:53.728681000 +0200
@@ -161,6 +161,83 @@
 /*
+ *
+ * Read per directory module config, and substitute for variables in binddn and bindpw
+ * This is just a wrapper around the call to
+ * ap_get_module_config(r->per_dir_config, &auth_ldap_module);
+ *
+ * If the binddn and bindpw set by the AuthLDAPBindDN and AuthLDAPBindPassword directives
+ * contain $USER and $PASSWORD then substitute these with the browser supplied user/pass,
+ * otherwise just return the mod_auth_ldap_config_t.
+ *
+ */
+#define BIND_USER "$USER"
+#define BIND_PASSWD "$PASSWORD"
+static mod_auth_ldap_config_t *auth_ldap_get_per_dir_module_config(request_rec *r)
+{
+ const char *sent_pw;
+ int bad_sent_pw = 0;
+
+ char *bind_user; /* set to start of BIND_USER if binddn requires username subst */
+
+ int doSubst = 0; /* set to true if we have values to substitute */
+
+ mod_auth_ldap_config_t *s =
+ (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, &auth_ldap_module);
+
+ /* check client sent a username and a password */
+ if ( ! r->user ) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authenticate: auth_ldap_get_per_dir_module_config()"
+ " : Client sent no username",
+ getpid());
+ /* Substitute for client supplied USER in binddn if directory configured for BIND_USER
+ * eg. 
if "AuthLDAPBindDN uid=$USER,ou=people,l=lon,c=gb,o=dis" + * send binddn to "uid=,ou=people,l=lon,c=gb,o=dis" + */ + } else { + if ((s->binddn) && ((bind_user = strstr(s->binddn, BIND_USER)) !=NULL)) { + char *attr; + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authenticate: auth_ldap_get_per_dir_module_config()" + ": binddn %s", + getpid(), s->binddn); + attr = apr_pstrndup(r->pool, s->binddn, bind_user - s->binddn); + s->binddn = apr_pstrcat(r->pool, attr, r->user, bind_user + strlen(BIND_USER), NULL ); + doSubst++; + } + } + + if ((bad_sent_pw = ap_get_basic_auth_pw(r, &sent_pw))) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap_get_per_dir_module_config() auth_ldap authenticate: " + "ap_get_basic_auth_pw() returns %d", getpid(), bad_sent_pw); + + /* set bindpw to client suppled password if directory configured for bindpw + to BIND_PASSWD */ + } else { + if ( s->bindpw && strcmp(s->bindpw, BIND_PASSWD) ==0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap authenticate: auth_ldap_get_per_dir_module_config()" + ": bindpw USER SUPPLIED", + getpid()); + s->bindpw = (char *)sent_pw; + doSubst++; + } + } + + if (doSubst) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, + "[%d] auth_ldap_get_per_dir_module_config() : SUBST", + getpid()); + + ap_set_module_config(r->per_dir_config, &auth_ldap_module, s); + } + + return s; +} + +/* * Build the search filter, or at least as much of the search filter that * will fit in the buffer. We don't worry about the buffer not being able * to hold the entire filter. If the buffer wasn't big enough to hold the @@ -269,7 +346,7 @@ const char **vals = NULL; char filtbuf[FILTER_LENGTH]; mod_auth_ldap_config_t *sec = - (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, &auth_ldap_module); + (mod_auth_ldap_config_t *)auth_ldap_get_per_dir_module_config(r); util_ldap_connection_t *ldc = NULL; const char *sent_pw; 
@@ -409,8 +486,7 @@
 (mod_auth_ldap_request_t *)ap_get_module_config(r->request_config, &auth_ldap_module);
 mod_auth_ldap_config_t *sec =
- (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
- &auth_ldap_module);
+ (mod_auth_ldap_config_t *)auth_ldap_get_per_dir_module_config(r);
 util_ldap_connection_t *ldc = NULL;
 int m = r->method_number;