Attachment 18619 Details for Bug 40075 – Patch Available - allows mixed dn/userid groups for AuthZ

[patch] Patch Available - allows mixed dn/userid groups for AuthZ

mod_authnz_ldap-UMICH.diff (text/plain), 4.74 KB, created by johanna bromberg craig on 2006-07-19 18:04:02 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: johanna bromberg craig

Created: 2006-07-19 18:04:02 UTC

Size: 4.74 KB

patch

obsolete

>--- mod_authnz_ldap.c-	2006-06-15 14:45:45.000000000 -0400
>+++ mod_authnz_ldap.c	2006-07-17 17:42:09.000000000 -0400
>@@ -73,6 +73,7 @@
>                                         it's the exact string passed by the HTTP client */
> 
>     int secure;                     /* True if SSL connections are requested */
>+    int require_dn;                  /* Off means it's OK if the user has no DN */
> } authn_ldap_config_t;
> 
> typedef struct {
>@@ -85,6 +86,7 @@
> 
> struct mod_auth_ldap_groupattr_entry_t {
>     char *name;
>+    char *type;
> };
> 
> module AP_MODULE_DECLARE_DATA authnz_ldap_module;
>@@ -295,6 +297,7 @@
>     sec->deref = always;
>     sec->group_attrib_is_dn = 1;
>     sec->auth_authoritative = 1;
>+    sec->require_dn = 1;
> 
> /*
>     sec->frontpage_hack = 0;
>@@ -522,8 +525,10 @@
> #endif
>         grp = apr_array_push(sec->groupattr);
>         grp->name = "member";
>+	grp->type = NULL;
>         grp = apr_array_push(sec->groupattr);
>         grp->name = "uniquemember";
>+	grp->type = NULL;
> #if APR_HAS_THREADS
>         apr_thread_mutex_unlock(sec->lock);
> #endif
>@@ -560,7 +565,7 @@
>              sec->scope, sec->attributes, filtbuf, &dn, &vals);
> 
>         /* Search failed, log error and return failure */
>-        if(result != LDAP_SUCCESS) {
>+        if((result != LDAP_SUCCESS) && (sec->require_dn)) {
>             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>                 "auth_ldap authorise: User DN not found, %s", ldc->reason);
>             return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
>@@ -685,13 +690,22 @@
>                           getpid(), t);
> 
>             for (i = 0; i < sec->groupattr->nelts; i++) {
>-                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>-                              "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
>-                              "testing for %s: %s (%s)", getpid(),
>-                              ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
>+		result = 0;
> 
>-                result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
>-                                     sec->group_attrib_is_dn ? req->dn : req->user);
>+		if (ent[i].type == NULL) {
>+		    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>+				  "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
>+				  "testing for %s: %s (%s)", getpid(),
>+				  ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
>+		    result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
>+					 sec->group_attrib_is_dn ? req->dn : req->user);
>+		} else if (req->dn != NULL && strcasecmp(ent[i].type, "dn") == 0) {
>+		    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>+				  "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
>+				  "testing for %s: %s (%s)", getpid(),
>+				  ent[i].name, req->dn, t);
>+		    result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, req->dn);
>+		}
>                 switch(result) {
>                     case LDAP_COMPARE_TRUE: {
>                         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>@@ -970,7 +984,7 @@
>     return NULL;
> }
> 
>-static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg)
>+static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg, const char *arg2)
> {
>     struct mod_auth_ldap_groupattr_entry_t *new;
> 
>@@ -981,6 +995,7 @@
> 
>     new = apr_array_push(sec->groupattr);
>     new->name = apr_pstrdup(cmd->pool, arg);
>+    new->type = apr_pstrdup(cmd->pool, arg2);
> 
>     return NULL;
> }
>@@ -1044,7 +1059,7 @@
>                  "(at the expense of possible false matches). See the documentation for "
>                  "a complete description of this option."),
> 
>-    AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
>+    AP_INIT_TAKE12("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
>                     "A list of attributes used to define group membership - defaults to "
>                     "member and uniquemember"),
> 
>@@ -1054,6 +1069,11 @@
>                  "subsequent group comparisons. If set to 'off', auth_ldap uses the string"
>                  "provided by the client directly. Defaults to 'on'."),
> 
>+    AP_INIT_FLAG("AuthzLDAPRequireDN", ap_set_flag_slot,
>+                 (void *)APR_OFFSETOF(authn_ldap_config_t, require_dn), OR_AUTHCFG,
>+                 "If set to 'on', auth_ldap requires a user to have a DN. If set to 'off' "
>+                 "the user does not need to have an entry in LDAP. Defaults to 'on'."),
>+
>     AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG,
>                   "Determines how aliases are handled during a search. Can bo one of the"
>                   "values \"never\", \"searching\", \"finding\", or \"always\". "

Actions: View | Diff

Attachments on bug 40075: 18619 | 19073 | 19182 | 19329