ASF Bugzilla – Attachment 18619 Details for
Bug 40075
unable to use ldap groups that contain DNs and usernames for AuthZ
[patch]
Patch Available - allows mixed dn/userid groups for AuthZ
mod_authnz_ldap-UMICH.diff (text/plain), 4.74 KB, created by
johanna bromberg craig
on 2006-07-19 18:04:02 UTC
Description:
Patch Available - allows mixed dn/userid groups for AuthZ
Filename:
MIME Type:
Creator:
johanna bromberg craig
Created:
2006-07-19 18:04:02 UTC
Size:
4.74 KB
patch
obsolete
>--- mod_authnz_ldap.c- 2006-06-15 14:45:45.000000000 -0400
>+++ mod_authnz_ldap.c 2006-07-17 17:42:09.000000000 -0400
>@@ -73,6 +73,7 @@
> it's the exact string passed by the HTTP client */
> 
> int secure; /* True if SSL connections are requested */
>+ int require_dn; /* Off means it's OK if the user has no DN */
> } authn_ldap_config_t;
> 
> typedef struct {
>@@ -85,6 +86,7 @@
> 
> struct mod_auth_ldap_groupattr_entry_t {
> char *name;
>+ char *type;
> };
> 
> module AP_MODULE_DECLARE_DATA authnz_ldap_module;
>@@ -295,6 +297,7 @@
> sec->deref = always;
> sec->group_attrib_is_dn = 1;
> sec->auth_authoritative = 1;
>+ sec->require_dn = 1;
> 
> /*
> sec->frontpage_hack = 0;
>@@ -522,8 +525,10 @@
> #endif
> grp = apr_array_push(sec->groupattr);
> grp->name = "member";
>+ grp->type = NULL;
> grp = apr_array_push(sec->groupattr);
> grp->name = "uniquemember";
>+ grp->type = NULL;
> #if APR_HAS_THREADS
> apr_thread_mutex_unlock(sec->lock);
> #endif
>@@ -560,7 +565,7 @@
> sec->scope, sec->attributes, filtbuf, &dn, &vals);
> 
> /* Search failed, log error and return failure */
>- if(result != LDAP_SUCCESS) {
>+ if((result != LDAP_SUCCESS) && (sec->require_dn)) {
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> "auth_ldap authorise: User DN not found, %s", ldc->reason);
> return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
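Review bot: The new condition `if((result != LDAP_SUCCESS) && (sec->require_dn))` in the @@ -560 hunk tolerates every failure of the user search once `AuthzLDAPRequireDN off` is set, not only a missing entry: a server-down, timeout or bind error is treated exactly like "user has no DN" and authorisation carries on (the code that stores `dn` into `req->dn` is outside the hunk, so whether `dn` is reliably NULL on that path cannot be confirmed here). The DEBUG log is also skipped entirely on that path, so an operator has no trace when group checks start failing during an LDAP outage. I would log unconditionally and only let a confirmed not-found result through, assuming util_ldap reports that case as `LDAP_NO_SUCH_OBJECT` (not visible in this diff; please verify), so that other errors still fail closed. The enclosing authorisation function starts and ends outside the hunk.
```c
    if (result != LDAP_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                      "auth_ldap authorise: User DN not found, %s", ldc->reason);
        /* Only a confirmed missing entry may be tolerated when
         * AuthzLDAPRequireDN is off; any other failure (server down,
         * bad bind, referral) must still fail closed. */
        if (sec->require_dn || result != LDAP_NO_SUCH_OBJECT) {
            return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
        }
    }
```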
>@@ -685,13 +690,22 @@
> getpid(), t);
> 
> for (i = 0; i < sec->groupattr->nelts; i++) {
>- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>- "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
>- "testing for %s: %s (%s)", getpid(),
>- ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
>+ result = 0;
> 
>- result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
>- sec->group_attrib_is_dn ? req->dn : req->user);
>+ if (ent[i].type == NULL) {
>+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>+ "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
>+ "testing for %s: %s (%s)", getpid(),
>+ ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
>+ result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
>+ sec->group_attrib_is_dn ? req->dn : req->user);
>+ } else if (req->dn != NULL && strcasecmp(ent[i].type, "dn") == 0) {
>+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>+ "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
>+ "testing for %s: %s (%s)", getpid(),
>+ ent[i].name, req->dn, t);
>+ result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, req->dn);
>+ }
> switch(result) {
> case LDAP_COMPARE_TRUE: {
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>@@ -970,7 +984,7 @@
> return NULL;
> }
> 
>-static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg)
>+static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg, const char *arg2)
> {
> struct mod_auth_ldap_groupattr_entry_t *new;
> 
>@@ -981,6 +995,7 @@
> 
> new = apr_array_push(sec->groupattr);
> new->name = apr_pstrdup(cmd->pool, arg);
>+ new->type = apr_pstrdup(cmd->pool, arg2);
> 
> return NULL;
> }
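Review bot: The `req->dn != NULL` guard added to the "dn" branch of the @@ -685 hunk is missing from the `ent[i].type == NULL` branch, which still passes `sec->group_attrib_is_dn ? req->dn : req->user` to `util_ldap_cache_compare`; with `AuthLDAPGroupAttributeIsDN` defaulting to on (the @@ -295 hunk) and the new `AuthzLDAPRequireDN off`, `req->dn` can now be NULL on that path, and the compare cache is unlikely to tolerate a NULL value. The guard should be `if (ent[i].type == NULL && (!sec->group_attrib_is_dn || req->dn != NULL)) {`. An entry whose type is neither NULL nor "dn" also leaves `result = 0` (LDAP_SUCCESS), so it falls into the `switch` with a value that presumably lands in its default/"failed" case (the rest of the switch is outside the hunk) — it fails closed, but logs a failure for a comparison that was never attempted; a `continue` for the unmatched case, or rejecting such types at configuration time, would be clearer. The enclosing authorisation function starts and ends outside the hunk.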
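Review bot: In the @@ -981 hunk `new->type = apr_pstrdup(cmd->pool, arg2);` stores any second word without validation, yet the authorisation loop only honours NULL or "dn" (case-insensitively), so a misspelt type, or the pre-patch two-attribute form `AuthLDAPGroupAttribute member uniqueMember`, yields an attribute that is silently never compared. That fails closed, but it locks out users whose membership is held only in that attribute with no configuration error to point at. I would reject unknown types when the directive is parsed: `if (arg2 != NULL && strcasecmp(arg2, "dn") != 0) return "AuthLDAPGroupAttribute: the optional second argument must be 'dn'";`. The function body begins in the @@ -970 hunk and the lines that set `sec` lie between the two hunks, outside this view.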
>@@ -1044,7 +1059,7 @@
> "(at the expense of possible false matches). See the documentation for "
> "a complete description of this option."),
> 
>- AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
>+ AP_INIT_TAKE12("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
> "A list of attributes used to define group membership - defaults to "
> "member and uniquemember"),
> 
>@@ -1054,6 +1069,11 @@
> "subsequent group comparisons. If set to 'off', auth_ldap uses the string"
> "provided by the client directly. Defaults to 'on'."),
> 
>+ AP_INIT_FLAG("AuthzLDAPRequireDN", ap_set_flag_slot,
>+ (void *)APR_OFFSETOF(authn_ldap_config_t, require_dn), OR_AUTHCFG,
>+ "If set to 'on', auth_ldap requires a user to have a DN. If set to 'off' "
>+ "the user does not need to have an entry in LDAP. Defaults to 'on'."),
>+
> AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG,
> "Determines how aliases are handled during a search. Can bo one of the"
> "values \"never\", \"searching\", \"finding\", or \"always\". "
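Review bot: Switching `AuthLDAPGroupAttribute` from `AP_INIT_ITERATE` to `AP_INIT_TAKE12` in the @@ -1044 hunk silently changes the meaning of existing configurations: a line such as `AuthLDAPGroupAttribute member uniqueMember` used to register two attributes and now registers one attribute with the type "uniqueMember", which the authorisation loop never compares, while a line with three or more attributes stops parsing altogether. The help string still reads "A list of attributes", which no longer describes the directive. I would update it to `"An attribute used to define group membership, optionally followed by 'dn' to compare the user's DN against it regardless of AuthLDAPGroupAttributeIsDN - defaults to member and uniquemember"` and call out the incompatibility in the change description so operators re-split multi-attribute lines.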
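Review bot: The help text for the new `AuthzLDAPRequireDN` directive in the @@ -1054 hunk says 'off' means "the user does not need to have an entry in LDAP", but the check it controls (the @@ -560 hunk) waives every failed user search, so the description understates the security effect. I would say so explicitly, e.g. `"If set to 'off', a failed or empty search for the user's DN no longer denies access and only attributes compared against the user name can grant it. Defaults to 'on'."`. The `Authz` prefix also breaks from the `AuthLDAP` naming every other directive on this page uses; `AuthLDAPRequireDN` would be consistent, at the cost of a name change before this lands.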