
(-)httpd-2.2.3/modules/aaa/mod_authnz_ldap.c (-7 / +47 lines)
Lines 73-78 Link Here
73
                                        it's the exact string passed by the HTTP client */
73
                                        it's the exact string passed by the HTTP client */
74
74
75
    int secure;                     /* True if SSL connections are requested */
75
    int secure;                     /* True if SSL connections are requested */
76
    int require_dn;                  /* Off means it's OK if the user has no DN */
76
} authn_ldap_config_t;
77
} authn_ldap_config_t;
77
78
78
typedef struct {
79
typedef struct {
Lines 85-90 Link Here
85
86
86
struct mod_auth_ldap_groupattr_entry_t {
87
struct mod_auth_ldap_groupattr_entry_t {
87
    char *name;
88
    char *name;
89
    char *type;
88
};
90
};
89
91
90
module AP_MODULE_DECLARE_DATA authnz_ldap_module;
92
module AP_MODULE_DECLARE_DATA authnz_ldap_module;
Lines 295-300 Link Here
295
    sec->deref = always;
297
    sec->deref = always;
296
    sec->group_attrib_is_dn = 1;
298
    sec->group_attrib_is_dn = 1;
297
    sec->auth_authoritative = 1;
299
    sec->auth_authoritative = 1;
300
    sec->require_dn = 1;
298
301
299
/*
302
/*
300
    sec->frontpage_hack = 0;
303
    sec->frontpage_hack = 0;
Lines 531-538 Link Here
531
#endif
534
#endif
532
        grp = apr_array_push(sec->groupattr);
535
        grp = apr_array_push(sec->groupattr);
533
        grp->name = "member";
536
        grp->name = "member";
537
        grp->type = NULL;
534
        grp = apr_array_push(sec->groupattr);
538
        grp = apr_array_push(sec->groupattr);
535
        grp->name = "uniquemember";
539
        grp->name = "uniquemember";
540
        grp->type = NULL;
536
#if APR_HAS_THREADS
541
#if APR_HAS_THREADS
537
        apr_thread_mutex_unlock(sec->lock);
542
        apr_thread_mutex_unlock(sec->lock);
538
#endif
543
#endif
Lines 569-575 Link Here
569
             sec->scope, sec->attributes, filtbuf, &dn, &vals);
574
             sec->scope, sec->attributes, filtbuf, &dn, &vals);
570
575
571
        /* Search failed, log error and return failure */
576
        /* Search failed, log error and return failure */
572
        if(result != LDAP_SUCCESS) {
577
        if((result != LDAP_SUCCESS) && (sec->require_dn)) {
573
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
578
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
574
                "auth_ldap authorise: User DN not found, %s", ldc->reason);
579
                "auth_ldap authorise: User DN not found, %s", ldc->reason);
575
            return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
580
            return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
Lines 694-706 Link Here
694
                          getpid(), t);
699
                          getpid(), t);
695
700
696
            for (i = 0; i < sec->groupattr->nelts; i++) {
701
            for (i = 0; i < sec->groupattr->nelts; i++) {
697
                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
702
                result = 0;
698
                              "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
699
                              "testing for %s: %s (%s)", getpid(),
700
                              ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
701
703
702
                result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
704
                if (ent[i].type == NULL) {
703
                                     sec->group_attrib_is_dn ? req->dn : req->user);
705
                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
706
                                  "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
707
                                  "testing for %s: %s (%s)", getpid(),
708
                                  ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
709
                    result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
710
                                         sec->group_attrib_is_dn ? req->dn : req->user);
711
                } else if (req->dn != NULL && strcasecmp(ent[i].type, "dn") == 0) {
712
                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
713
                                  "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
714
                                  "testing for %s: %s (%s)", getpid(),
715
                                  ent[i].name, req->dn, t);
716
                    result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, req->dn);
717
                }
704
                switch(result) {
718
                switch(result) {
705
                    case LDAP_COMPARE_TRUE: {
719
                    case LDAP_COMPARE_TRUE: {
706
                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
720
                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
Lines 990-995 Link Here
990
1004
991
    new = apr_array_push(sec->groupattr);
1005
    new = apr_array_push(sec->groupattr);
992
    new->name = apr_pstrdup(cmd->pool, arg);
1006
    new->name = apr_pstrdup(cmd->pool, arg);
1007
    new->type = NULL;
1008
1009
    return NULL;
1010
}
1011
1012
static const char *mod_auth_ldap_add_group_attribute_dn(cmd_parms *cmd, void *config, const char *arg)
1013
{
1014
    struct mod_auth_ldap_groupattr_entry_t *new;
1015
1016
    authn_ldap_config_t *sec = config;
1017
1018
    if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS)
1019
        return "Too many AuthLDAPGroupAttribute directives";
1020
1021
    new = apr_array_push(sec->groupattr);
1022
    new->name = apr_pstrdup(cmd->pool, arg);
1023
    new->type = apr_pstrdup( "dn" );
993
1024
994
    return NULL;
1025
    return NULL;
995
}
1026
}
Lines 1057-1068 Link Here
1057
                    "A list of attributes used to define group membership - defaults to "
1088
                    "A list of attributes used to define group membership - defaults to "
1058
                    "member and uniquemember"),
1089
                    "member and uniquemember"),
1059
1090
1091
    AP_INIT_ITERATE("AuthLDAPGroupAttributeDN", mod_auth_ldap_add_group_attribute_dn, NULL, OR_AUTHCFG,
1092
                    "A list of attributes used to define group membership as DNs - defaults to "
1093
                    "nothing"),
1094
1060
    AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot,
1095
    AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot,
1061
                 (void *)APR_OFFSETOF(authn_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG,
1096
                 (void *)APR_OFFSETOF(authn_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG,
1062
                 "If set to 'on', auth_ldap uses the DN that is retrieved from the server for"
1097
                 "If set to 'on', auth_ldap uses the DN that is retrieved from the server for"
1063
                 "subsequent group comparisons. If set to 'off', auth_ldap uses the string"
1098
                 "subsequent group comparisons. If set to 'off', auth_ldap uses the string"
1064
                 "provided by the client directly. Defaults to 'on'."),
1099
                 "provided by the client directly. Defaults to 'on'."),
1065
1100
1101
    AP_INIT_FLAG("AuthzLDAPRequireDN", ap_set_flag_slot,
1102
                 (void *)APR_OFFSETOF(authn_ldap_config_t, require_dn), OR_AUTHCFG,
1103
                 "If set to 'on', auth_ldap requires a user to have a DN. If set to 'off' "
1104
                 "the user does not need to have an entry in LDAP. Defaults to 'on'."),
1105
1066
    AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG,
1106
    AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG,
1067
                  "Determines how aliases are handled during a search. Can bo one of the"
1107
                  "Determines how aliases are handled during a search. Can bo one of the"
1068
                  "values \"never\", \"searching\", \"finding\", or \"always\". "
1108
                  "values \"never\", \"searching\", \"finding\", or \"always\". "
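Review bot: Loosening the search-failure exit to `if((result != LDAP_SUCCESS) && (sec->require_dn))` (new line 577) lets authorisation proceed without a user DN, but the default group test at new lines 704-710 still hands `sec->group_attrib_is_dn ? req->dn : req->user` to util_ldap_cache_compare with no `req->dn != NULL` guard, unlike the `"dn"` branch at line 711; with AuthLDAPGroupAttributeIsDN at its default of on (`sec->group_attrib_is_dn = 1`, line 298) that compare presumably runs on a NULL DN when the search failed and require_dn is off (whether req->dn is left NULL in that path is decided by code outside the hunk). The `ent[i].type == NULL` branch should also require `req->dn != NULL` whenever `sec->group_attrib_is_dn` is set, e.g. `if (ent[i].type == NULL && (!sec->group_attrib_is_dn || req->dn != NULL)) {`, and otherwise leave the entry skipped. Separately, `new->type = apr_pstrdup( "dn" );` at new line 1023 passes one argument to apr_pstrdup and will not compile; the value is a literal, so `new->type = "dn";` is enough and matches the `grp->name = "member"` style at line 536. The `result = 0;` sentinel at new line 702 equals LDAP_SUCCESS, so a skipped entry is indistinguishable from a real compare result inside the switch; a comment such as `/* 0 == LDAP_SUCCESS: no compare was attempted for this entry */` would at least make that deliberate. The enclosing authorisation function starts and ends outside the hunk.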
