Lines 74-79
|
74 |
it's the exact string passed by the HTTP client */ |
74 |
it's the exact string passed by the HTTP client */ |
75 |
|
75 |
|
76 |
int secure; /* True if SSL connections are requested */ |
76 |
int secure; /* True if SSL connections are requested */ |
|
|
77 |
|
78 |
int dynamic_group_lookup; /* True if dynamic group lookups desired */ |
79 |
apr_array_header_t *dynamicgroupattr; /* List of dynamic group attributes */ |
77 |
} authn_ldap_config_t; |
80 |
} authn_ldap_config_t; |
78 |
|
81 |
|
79 |
typedef struct { |
82 |
typedef struct { |
Lines 94-99
|
94 |
static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find; |
97 |
static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find; |
95 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn; |
98 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn; |
96 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare; |
99 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare; |
|
|
100 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedynamicgroup) *util_ldap_cache_comparedynamicgroup; |
101 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_getattributevalues) *util_ldap_cache_getattributevalues; |
97 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid; |
102 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid; |
98 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn; |
103 |
static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn; |
99 |
static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported; |
104 |
static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported; |
Lines 287-292
|
287 |
*/ |
292 |
*/ |
288 |
sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS, |
293 |
sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS, |
289 |
sizeof(struct mod_auth_ldap_groupattr_entry_t)); |
294 |
sizeof(struct mod_auth_ldap_groupattr_entry_t)); |
|
|
295 |
sec->dynamicgroupattr = apr_array_make(p, GROUPATTR_MAX_ELTS, |
296 |
sizeof(struct mod_auth_ldap_groupattr_entry_t)); |
290 |
|
297 |
|
291 |
sec->have_ldap_url = 0; |
298 |
sec->have_ldap_url = 0; |
292 |
sec->url = ""; |
299 |
sec->url = ""; |
Lines 306-311
|
306 |
sec->user_is_dn = 0; |
313 |
sec->user_is_dn = 0; |
307 |
sec->remote_user_attribute = NULL; |
314 |
sec->remote_user_attribute = NULL; |
308 |
sec->compare_dn_on_server = 0; |
315 |
sec->compare_dn_on_server = 0; |
|
|
316 |
|
317 |
sec->dynamic_group_lookup = 0; /* dynamic group lookup disabled by default */ |
318 |
|
309 |
|
319 |
|
310 |
return sec; |
320 |
return sec; |
311 |
} |
321 |
} |
Lines 514-521
|
514 |
int method_restricted = 0; |
524 |
int method_restricted = 0; |
515 |
|
525 |
|
516 |
char filtbuf[FILTER_LENGTH]; |
526 |
char filtbuf[FILTER_LENGTH]; |
517 |
const char *dn = NULL; |
527 |
char *dn = NULL; |
518 |
const char **vals = NULL; |
528 |
char **vals = NULL; |
519 |
|
529 |
|
520 |
/* |
530 |
/* |
521 |
if (!sec->enabled) { |
531 |
if (!sec->enabled) { |
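Review bot: The declarations of `dn` and `vals` (new lines 527-528) drop their const qualifiers, presumably so that the result of the new util_ldap_cache_getattributevalues can be assigned to vals; that removes the compiler's protection against writing through pointers into cached LDAP data for the whole of auth_ldap_authorise, which begins and ends outside this hunk. Keep `const char *dn = NULL;` and `const char **vals = NULL;` and have the new optional function return `const char **` (or cast once at its single call site) instead.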
Lines 558-563
|
558 |
apr_thread_mutex_unlock(sec->lock); |
568 |
apr_thread_mutex_unlock(sec->lock); |
559 |
#endif |
569 |
#endif |
560 |
} |
570 |
} |
|
|
571 |
|
572 |
/* |
573 |
* If there are no elements in the dynamic group attribute array, populate default |
574 |
* of "memberURL". This is the same code as above block but for dynamicgroupattr array |
575 |
*/ |
576 |
if (sec->dynamicgroupattr->nelts == 0) { |
577 |
struct mod_auth_ldap_groupattr_entry_t *dyngrp; |
578 |
#if APR_HAS_THREADS |
579 |
apr_thread_mutex_lock(sec->lock); |
580 |
#endif |
581 |
dyngrp = apr_array_push(sec->dynamicgroupattr); |
582 |
dyngrp->name = "memberURL"; |
583 |
#if APR_HAS_THREADS |
584 |
apr_thread_mutex_unlock(sec->lock); |
585 |
#endif |
586 |
} |
561 |
|
587 |
|
562 |
if (!reqs_arr) { |
588 |
if (!reqs_arr) { |
563 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
589 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
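Review bot: The `sec->dynamicgroupattr->nelts == 0` test at new line 576 runs before the mutex is taken, so two concurrent requests can both see an empty array and push "memberURL" twice; only the push is under the lock, not the decision. The comment says this copies the existing groupattr block, so the same applies there; taking the lock first, re-testing nelts inside it and then pushing fixes both. The enclosing function begins and ends outside this hunk.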
Lines 738-743
|
738 |
} |
764 |
} |
739 |
} |
765 |
} |
740 |
} |
766 |
} |
|
|
767 |
|
768 |
/* Regular group membership has failed at this point. Do dynamic group checking if it is enabled */ |
769 |
if (sec->dynamic_group_lookup) { |
770 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
771 |
"[%" APR_PID_T_FMT "] auth_ldap_authorise: require group: " |
772 |
"testing for dynamic group: %s (%s)", getpid(), |
773 |
sec->group_attrib_is_dn ? req->dn : req->user, t); |
774 |
|
775 |
for (i = 0; i < sec->dynamicgroupattr->nelts; i++) { |
776 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
777 |
"[%" APR_PID_T_FMT "] auth_ldap_authorise: require group: " |
778 |
"dynamic group attribute %s: %s (%s)", getpid(), |
779 |
ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t); |
780 |
|
781 |
/* first we get all the attribute values for the current dynamic group attribute */ |
782 |
vals = util_ldap_cache_getattributevalues(r, ldc, sec->url, req->dn, ent[i].name); |
783 |
|
784 |
int key = 0; |
785 |
|
786 |
/* loop through all found attribute values and do a search */ |
787 |
while (vals[key]) { |
788 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
789 |
"[%" APR_PID_T_FMT "] auth_ldap_authorise: require group: " |
790 |
, getpid()); |
791 |
|
792 |
/* build search filter */ |
793 |
authn_ldap_build_filter(filtbuf, r, req->user, vals[key], sec); |
794 |
result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, |
795 |
sec->scope, sec->attributes, filtbuf, &dn, &vals); |
796 |
|
797 |
if (result == LDAP_SUCCESS) { |
798 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
799 |
"[%" APR_PID_T_FMT "] auth_ldap_authorise: checking dn match %s", |
800 |
getpid(), dn); |
801 |
result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn, |
802 |
sec->compare_dn_on_server); |
803 |
|
804 |
} |
805 |
|
806 |
switch (result) { |
807 |
case LDAP_COMPARE_TRUE: { |
808 |
|
809 |
} |
810 |
case LDAP_FILTER_ERROR: { |
811 |
|
812 |
} |
813 |
default: { |
814 |
|
815 |
} |
816 |
} |
817 |
|
818 |
key++; |
819 |
} |
820 |
|
821 |
switch (result) { |
822 |
case LDAP_COMPARE_TRUE: { |
823 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
824 |
"[%" APR_PID_T_FMT "] auth_ldap_authorise: require dynamic group: " |
825 |
"authorisation successful [%s][%s]", |
826 |
getpid(), ldc->reason, ldap_err2string(result)); |
827 |
return OK; |
828 |
} |
829 |
default : { |
830 |
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
831 |
"[%" APR_PID_T_FMT "] auth_ldap authorise: require dynamic group: " |
832 |
"authorisation failed [%s][%s]", |
833 |
getpid(), ldc->reason, ldap_err2string(result)); |
834 |
|
835 |
} |
836 |
} |
837 |
} |
838 |
} |
741 |
} |
839 |
} |
742 |
else if (strcmp(w, "ldap-attribute") == 0) { |
840 |
else if (strcmp(w, "ldap-attribute") == 0) { |
743 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
841 |
if (req->dn == NULL || strlen(req->dn) == 0) { |
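Review bot: `while (vals[key])` at new line 787 dereferences the return value of util_ldap_cache_getattributevalues without a NULL check, so a user entry that lacks the attribute (or a failed lookup, if the helper returns NULL then) crashes the worker. Inside that loop the call to util_ldap_cache_getuserdn passes `&vals` as its last argument, replacing the very array being iterated with the matched user's attribute values, so from the second iteration `vals[key]` indexes a different array. The inner `switch (result)` at new line 806 has only empty cases, so an LDAP_COMPARE_TRUE from one value is overwritten by the next value's result and only the last value reaches the final switch; the loop should stop at the first match. `ent` is assigned outside the hunk and is the array the regular group loop uses, while this loop bounds `i` by `sec->dynamicgroupattr->nelts`, so `ent[i].name` can read past the groupattr array when dynamicgroupattr is longer; the value is also handed to authn_ldap_build_filter verbatim, which only works if the attribute holds a bare filter rather than a memberURL-style LDAP URL (whose base and scope would need parsing). The fence indexes the dynamic attribute array directly, reads the values into their own variable, skips absent attributes and breaks at the first match; auth_ldap_authorise begins and ends outside this hunk.
```c
            struct mod_auth_ldap_groupattr_entry_t *dyn_ent =
                (struct mod_auth_ldap_groupattr_entry_t *) sec->dynamicgroupattr->elts;

            for (i = 0; i < sec->dynamicgroupattr->nelts; i++) {
                char **urls;    /* values of the current dynamic group attribute */
                int key;
                /* … unchanged: per-attribute debug log, using dyn_ent[i].name … */
                urls = util_ldap_cache_getattributevalues(r, ldc, sec->url, req->dn, dyn_ent[i].name);
                if (urls == NULL) {
                    continue;   /* attribute absent or lookup failed: nothing to test */
                }
                /* test each value in turn; stop at the first match so it is not overwritten */
                for (key = 0; urls[key] != NULL; key++) {
                    authn_ldap_build_filter(filtbuf, r, req->user, urls[key], sec);
                    result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
                                                       sec->scope, sec->attributes, filtbuf, &dn, &vals);
                    if (result == LDAP_SUCCESS) {
                        result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
                                                           sec->compare_dn_on_server);
                    }
                    if (result == LDAP_COMPARE_TRUE) {
                        break;
                    }
                }
                if (result == LDAP_COMPARE_TRUE) {
                    break;
                }
            }
            /* … unchanged: final switch (result) with the success/failure logging … */
```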
Lines 1015-1020
|
1015 |
return NULL; |
1113 |
return NULL; |
1016 |
} |
1114 |
} |
1017 |
|
1115 |
|
|
|
1116 |
static const char *mod_auth_ldap_add_dynamic_group_attribute(cmd_parms *cmd, void *config, const char *arg) |
1117 |
{ |
1118 |
struct mod_auth_ldap_groupattr_entry_t *new; |
1119 |
|
1120 |
authn_ldap_config_t *sec = config; |
1121 |
|
1122 |
if (sec->dynamicgroupattr->nelts > GROUPATTR_MAX_ELTS) |
1123 |
return "Too many AuthLDAPDynamicGroupAttribute directives"; |
1124 |
|
1125 |
new = apr_array_push(sec->dynamicgroupattr); |
1126 |
new->name = apr_pstrdup(cmd->pool, arg); |
1127 |
|
1128 |
return NULL; |
1129 |
} |
1130 |
|
1018 |
static const char *set_charset_config(cmd_parms *cmd, void *config, const char *arg) |
1131 |
static const char *set_charset_config(cmd_parms *cmd, void *config, const char *arg) |
1019 |
{ |
1132 |
{ |
1020 |
ap_set_module_config(cmd->server->module_config, &authnz_ldap_module, |
1133 |
ap_set_module_config(cmd->server->module_config, &authnz_ldap_module, |
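Review bot: The guard in mod_auth_ldap_add_dynamic_group_attribute, `if (sec->dynamicgroupattr->nelts > GROUPATTR_MAX_ELTS)`, still accepts a push when nelts already equals the limit, so the array can hold GROUPATTR_MAX_ELTS + 1 entries; `>=` matches the error message. apr_array_push grows the array, so this is a limit mismatch rather than an overflow, and if the existing group-attribute handler uses the same comparison both should change together. A one-line header comment such as `/* AuthLDAPDynamicGroupAttribute: append one attribute name to sec->dynamicgroupattr (copied into cmd->pool) */` would also document the directive's ownership of the string.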
Lines 1106-1111
|
1106 |
"Character set conversion configuration file. If omitted, character set" |
1219 |
"Character set conversion configuration file. If omitted, character set" |
1107 |
"conversion is disabled."), |
1220 |
"conversion is disabled."), |
1108 |
|
1221 |
|
|
|
1222 |
AP_INIT_FLAG("AuthLDAPDynamicGroupLookup", ap_set_flag_slot, |
1223 |
(void *)APR_OFFSETOF(authn_ldap_config_t, dynamic_group_lookup), OR_AUTHCFG, |
1224 |
"If set to 'on', auth_ldap will look for dynamic group URI in a group DN " |
1225 |
"and attempt to see if a user is part of a group defined by that URI " |
1226 |
"Defaults to 'off'."), |
1227 |
|
1228 |
AP_INIT_TAKE1("AuthLDAPDynamicGroupAttribute", mod_auth_ldap_add_dynamic_group_attribute, NULL, OR_AUTHCFG, |
1229 |
"A list of attributes containing dynamic group URIs. Defaults to \"memberURL\"."), |
1230 |
|
1109 |
{NULL} |
1231 |
{NULL} |
1110 |
}; |
1232 |
}; |
1111 |
|
1233 |
|
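Review bot: The help text for AuthLDAPDynamicGroupLookup runs two sentences together because the fragment ending in `"defined by that URI "` has no full stop before `"Defaults to 'off'."` is concatenated; change it to `"and attempt to see if a user is part of a group defined by that URI. "`. The two new entries otherwise follow the existing table's layout.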
Lines 1203-1208
|
1203 |
util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find); |
1325 |
util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find); |
1204 |
util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn); |
1326 |
util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn); |
1205 |
util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare); |
1327 |
util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare); |
|
|
1328 |
util_ldap_cache_comparedynamicgroup = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedynamicgroup); |
1329 |
util_ldap_cache_getattributevalues = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getattributevalues); |
1206 |
util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid); |
1330 |
util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid); |
1207 |
util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn); |
1331 |
util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn); |
1208 |
util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported); |
1332 |
util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported); |