
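--- a/mod_authnz_ldap.c
+++ b/mod_authnz_ldap.c
@@ -73,6 +73,7 @@
                                         it's the exact string passed by the HTTP client */
 
     int secure;                     /* True if SSL connections are requested */
+    int require_dn;                  /* Off means it's OK if the user has no DN */
 } authn_ldap_config_t;
 
 typedef struct {
@@ -85,6 +86,7 @@
 
 struct mod_auth_ldap_groupattr_entry_t {
     char *name;
+    char *type;
 };
 
 module AP_MODULE_DECLARE_DATA authnz_ldap_module;
@@ -295,6 +297,7 @@
     sec->deref = always;
     sec->group_attrib_is_dn = 1;
     sec->auth_authoritative = 1;
+    sec->require_dn = 1;
 
 /*
     sec->frontpage_hack = 0;
@@ -522,8 +525,10 @@
 #endif
         grp = apr_array_push(sec->groupattr);
         grp->name = "member";
+	grp->type = NULL;
         grp = apr_array_push(sec->groupattr);
         grp->name = "uniquemember";
+	grp->type = NULL;
 #if APR_HAS_THREADS
         apr_thread_mutex_unlock(sec->lock);
 #endif
@@ -560,7 +565,7 @@
              sec->scope, sec->attributes, filtbuf, &dn, &vals);
 
         /* Search failed, log error and return failure */
-        if(result != LDAP_SUCCESS) {
+        if((result != LDAP_SUCCESS) && (sec->require_dn)) {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                 "auth_ldap authorise: User DN not found, %s", ldc->reason);
             return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
@@ -685,13 +690,22 @@
                           getpid(), t);
 
             for (i = 0; i < sec->groupattr->nelts; i++) {
-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
-                              "testing for %s: %s (%s)", getpid(),
-                              ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
+		result = 0;
 
-                result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
-                                     sec->group_attrib_is_dn ? req->dn : req->user);
+		if (ent[i].type == NULL) {
+		    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+				  "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
+				  "testing for %s: %s (%s)", getpid(),
+				  ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
+		    result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
+					 sec->group_attrib_is_dn ? req->dn : req->user);
+		} else if (req->dn != NULL && strcasecmp(ent[i].type, "dn") == 0) {
+		    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+				  "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
+				  "testing for %s: %s (%s)", getpid(),
+				  ent[i].name, req->dn, t);
+		    result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, req->dn);
+		}
                 switch(result) {
                     case LDAP_COMPARE_TRUE: {
                         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -970,7 +984,7 @@
     return NULL;
 }
 
-static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg)
+static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg, const char *arg2)
 {
     struct mod_auth_ldap_groupattr_entry_t *new;
 
@@ -981,6 +995,7 @@
 
     new = apr_array_push(sec->groupattr);
     new->name = apr_pstrdup(cmd->pool, arg);
+    new->type = apr_pstrdup(cmd->pool, arg2);
 
     return NULL;
 }
@@ -1044,7 +1059,7 @@
                  "(at the expense of possible false matches). See the documentation for "
                  "a complete description of this option."),
 
-    AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
+    AP_INIT_TAKE12("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
                     "A list of attributes used to define group membership - defaults to "
                     "member and uniquemember"),
 
@@ -1054,6 +1069,11 @@
                  "subsequent group comparisons. If set to 'off', auth_ldap uses the string"
                  "provided by the client directly. Defaults to 'on'."),
 
+    AP_INIT_FLAG("AuthzLDAPRequireDN", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(authn_ldap_config_t, require_dn), OR_AUTHCFG,
+                 "If set to 'on', auth_ldap requires a user to have a DN. If set to 'off' "
+                 "the user does not need to have an entry in LDAP. Defaults to 'on'."),
+
     AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG,
                   "Determines how aliases are handled during a search. Can bo one of the"
                   "values \"never\", \"searching\", \"finding\", or \"always\". "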
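Review bot: Switching the directive from AP_INIT_ITERATE to AP_INIT_TAKE12 at new line 1062 silently reinterprets existing configurations: a line such as `AuthLDAPGroupAttribute member uniquemember`, previously two attributes, now registers attribute "member" with type "uniquemember", and because the loop at new lines 695-708 only handles a NULL type or "dn", every comparison for such an entry is skipped with `result = 0`, so group membership is never actually tested and the misconfiguration is invisible at startup. Rejecting unknown types at configuration time in mod_auth_ldap_add_group_attribute avoids this, e.g. before the `apr_array_push` at new line 996: `if (arg2 && strcasecmp(arg2, "dn") != 0) { return "AuthLDAPGroupAttribute: attribute type must be \"dn\""; }`, and the help text at new line 1063 should no longer describe the argument as "A list of attributes". The change at new line 568 is related: when AuthzLDAPRequireDN is off, a failed search now falls through without any log entry, even though `result != LDAP_SUCCESS` also covers server-side errors rather than only a missing entry, and the untyped path at new lines 700-701 still passes `req->dn` to util_ldap_cache_compare when group_attrib_is_dn is set (the default at line 298) without the `req->dn != NULL` guard the "dn" branch at 702 has; whether req->dn can be NULL there depends on code outside the hunk. The enclosing functions of all these hunks start and end outside the shown lines.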
