
(-)mod_authnz_ldap.c (-12 / +45 lines)
Lines 84-89 Link Here
84
84
85
struct mod_auth_ldap_groupattr_entry_t {
85
struct mod_auth_ldap_groupattr_entry_t {
86
    char *name;
86
    char *name;
87
    char *type;
87
};
88
};
88
89
89
module AP_MODULE_DECLARE_DATA authnz_ldap_module;
90
module AP_MODULE_DECLARE_DATA authnz_ldap_module;
Lines 647-654 Link Here
647
#endif
648
#endif
648
        grp = apr_array_push(sec->groupattr);
649
        grp = apr_array_push(sec->groupattr);
649
        grp->name = "member";
650
        grp->name = "member";
651
        grp->type = NULL;
650
        grp = apr_array_push(sec->groupattr);
652
        grp = apr_array_push(sec->groupattr);
651
        grp->name = "uniquemember";
653
        grp->name = "uniquemember";
654
        grp->type = NULL;
652
#if APR_HAS_THREADS
655
#if APR_HAS_THREADS
653
        apr_thread_mutex_unlock(sec->lock);
656
        apr_thread_mutex_unlock(sec->lock);
654
#endif
657
#endif
Lines 682-688 Link Here
682
        if(result != LDAP_SUCCESS) {
685
        if(result != LDAP_SUCCESS) {
683
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
686
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
684
                "auth_ldap authorise: User DN not found, %s", ldc->reason);
687
                "auth_ldap authorise: User DN not found, %s", ldc->reason);
685
            return AUTHZ_DENIED;
686
        }
688
        }
687
689
688
        req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
690
        req = (authn_ldap_request_t *)apr_pcalloc(r->pool,
Lines 719-731 Link Here
719
                  getpid(), t);
721
                  getpid(), t);
720
722
721
    for (i = 0; i < sec->groupattr->nelts; i++) {
723
    for (i = 0; i < sec->groupattr->nelts; i++) {
722
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
724
        result = 0;
723
                      "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
724
                      "testing for %s: %s (%s)", getpid(),
725
                      ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
726
725
727
        result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
726
        if (ent[i].type == NULL) {
728
                             sec->group_attrib_is_dn ? req->dn : req->user);
727
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
728
                          "[%" APR_PID_T_FMT "] auth_ldap authorize: require group: "
729
                          "testing for %s: %s (%s)", getpid(),
730
                          ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
731
732
            result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
733
                                             sec->group_attrib_is_dn ? req->dn : req->user);
734
        } else if (req->dn != NULL && strlen(req->dn) != 0 && strcasecmp(ent[i].type, "dn") == 0) {
735
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
736
                          "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
737
                          "testing for %s: %s (%s)", getpid(),
738
                          ent[i].name, req->dn, t);
739
            result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, req->dn);
740
        } else if (req->user != NULL && strlen(req->user) != 0 && strcasecmp(ent[i].type, "un") == 0) {
741
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
742
                          "[%" APR_PID_T_FMT "] auth_ldap authorise: require group: "
743
                          "testing for %s: %s (%s)", getpid(),
744
                          ent[i].name, req->user, t);
745
            result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name, req->user);
746
        }
747
729
        switch(result) {
748
        switch(result) {
730
            case LDAP_COMPARE_TRUE: {
749
            case LDAP_COMPARE_TRUE: {
731
                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
750
                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
Lines 1252-1266 Link Here
1252
static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg)
1271
static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg)
1253
{
1272
{
1254
    struct mod_auth_ldap_groupattr_entry_t *new;
1273
    struct mod_auth_ldap_groupattr_entry_t *new;
1274
    const char *t;
1275
    char *w;
1276
    int cmpsize;
1255
1277
1256
    authn_ldap_config_t *sec = config;
1278
    authn_ldap_config_t *sec = config;
1257
1279
1258
    if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS)
1280
    t = arg;
1259
        return "Too many AuthLDAPGroupAttribute directives";
1281
    while ((w = ap_getword_white(cmd->pool, &t)) && w[0]) {
1282
        new = apr_array_push(sec->groupattr);
1283
        new->name = apr_pstrdup(cmd->pool, w);
1284
        new->type = NULL;
1260
1285
1261
    new = apr_array_push(sec->groupattr);
1286
        cmpsize = (strlen(t) < 3) ? 2 : 3;
1262
    new->name = apr_pstrdup(cmd->pool, arg);
1287
        if ((strncasecmp(t, "DN ", cmpsize) == 0) || (strncasecmp(t, "UN ", cmpsize) == 0)) {
1288
            w = ap_getword_white(cmd->pool, &t);
1289
            new->type = apr_pstrdup(cmd->pool, w);
1290
        }
1263
1291
1292
        if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS)
1293
            return "Too many AuthLDAPGroupAttribute directives";
1294
    }
1295
1296
1264
    return NULL;
1297
    return NULL;
1265
}
1298
}
1266
1299
Lines 1325-1331 Link Here
1325
                 "(at the expense of possible false matches). See the documentation for "
1358
                 "(at the expense of possible false matches). See the documentation for "
1326
                 "a complete description of this option."),
1359
                 "a complete description of this option."),
1327
1360
1328
    AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
1361
    AP_INIT_RAW_ARGS("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
1329
                    "A list of attributes used to define group membership - defaults to "
1362
                    "A list of attributes used to define group membership - defaults to "
1330
                    "member and uniquemember"),
1363
                    "member and uniquemember"),
1331
1364
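Review bot: In the Lines 719-731 hunk the default `ent[i].type == NULL` branch still hands `sec->group_attrib_is_dn ? req->dn : req->user` to util_ldap_cache_compare with no NULL/empty check, while the new `dn` and `un` branches guard `req->dn != NULL && strlen(req->dn) != 0` and `req->user != NULL && strlen(req->user) != 0`. Because the Lines 682-688 hunk drops the `return AUTHZ_DENIED;` after "User DN not found", `req->dn` can now reach this loop as NULL (it appears to be filled from the failed lookup's result just outside the hunk), so the default branch would pass a NULL value into the compare whenever `sec->group_attrib_is_dn` is set, which the default `member`/`uniquemember` entries added in the Lines 647-654 hunk always take. Suggest guarding it the same way, e.g. `const char *subject = sec->group_attrib_is_dn ? req->dn : req->user;` before the chain and `if (ent[i].type == NULL && subject != NULL && *subject != '\0') {`, then reusing `subject` in the log call and the compare. The `result = 0` initializer also makes an entry whose type matches neither identity fall into whichever `switch(result)` case handles 0 (LDAP_SUCCESS); that case is outside the hunk, so confirm it does not report this as an LDAP error. The enclosing authorize function starts and ends outside the hunk.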
