Attachment #19734 for bug #38515

View | Details | Raw Unified | Return to bug 38515
Collapse All | Expand All





}

static int uldap_cache_comparedynamicgroup(request_rec *r, 
                                           util_ldap_connection_t *ldc,
                                           const char *url, const char *dn,
                                           const char *base, int scope,
                                           const char *user, const char *userdn)
{

    int result = 0;
    int failures = 0;
    int i;
    LDAPMessage *groupResult;
    char *groupAttr[] = { "objectClass", "memberURL", NULL};
    char *uidAttr[] = { "uid", NULL};
    char **attr, **tmpAttr;
    char memberURL[255];
    apr_ldap_url_desc_t *groupUrl, *origUrl;
    apr_ldap_err_t *lgroupResult;


start_over:
    if (failures++ > 10) {
        return result;
    }

    if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
        return result;
    }

    /* first thing we do is find if the specified group has any memberURL entries */
    if ((result = ldap_search_s(ldc->ldap, base, scope, dn, 
                                groupAttr, 0, &groupResult))
                                                            == LDAP_SERVER_DOWN) {

        ldc->reason = "ldap_search_s() failed with server down";
        uldap_connection_unbind(ldc);
        goto start_over;
    }

    ldc->reason = "LDAP search for dynamic group members complete";

    if ((result = ldap_count_entries(ldc->ldap, groupResult)) != 1) {
        ldc->reason = "LDAP search for dynamic group didn't have 1 result";
        ldap_msgfree(groupResult);
        return LDAP_COMPARE_FALSE;
    }

    if ((groupResult = ldap_first_entry(ldc->ldap, groupResult)) == NULL) {
        ldc->reason = "ldap_first_entry return NULL";
        return LDAP_COMPARE_FALSE;      
    }

    attr = ldap_get_values(ldc->ldap, groupResult, "objectClass");

    if (attr = NULL) {
        ldc->reason = "ldap_get_values() for objectClass returned NULL";
        return LDAP_COMPARE_FALSE;
    }

    if ((attr = ldap_get_values(ldc->ldap, groupResult, "memberURL")) == NULL) {
        ldc->reason = "ldap_get_values() for \"memberURL\" return NULL";
        return LDAP_COMPARE_FALSE;
    }

    tmpAttr = attr;
    i = 0;

    while (*tmpAttr != NULL) {
        bzero(memberURL, sizeof(memberURL));
        strcpy(memberURL, *tmpAttr++);

        /* now, memberURL should be an LDAP URL pointing to a group */
        if ((result = apr_ldap_url_parse(r->pool,
                                             (char *)memberURL,
                                             &groupUrl,
                                             &lgroupResult))
                                                           != APR_SUCCESS)
        {
            ldc->reason = "could not parse returned URL";
            continue;
        }
        else {
            /* we have a good LDAP url, now search to see if the user is there */
            
            if ((result = ldap_search_s(ldc->ldap, userdn, LDAP_SCOPE_SUBTREE,
                                        groupUrl->lud_filter, uidAttr,
                                        0, &groupResult))
                                                         != LDAP_SUCCESS)
            {
                continue;
            }
            else {
                if (ldap_count_entries(ldc->ldap, groupResult) >= 1) {
                    return LDAP_COMPARE_TRUE;
                }
            }

        }

        
        

    }

    return LDAP_COMPARE_FALSE;
}

char ** uldap_cache_getattributevalues(request_rec *r, util_ldap_connection_t *ldc,
                                                    const char *url, const char *dn,
                                                    const char *attrib)
{
    char **arr = NULL;
    char **attr;

    int failures = 0;
    int result = 0;
    int count;
    char *filter = NULL;
    int numvals = 0;

    LDAPMessage *res, *entry;
    
    util_url_node_t *curl;
    util_url_node_t curnode;
    util_search_node_t *search_nodep;
    util_search_node_t the_search_node;
    apr_time_t curtime;

    util_ldap_state_t *st =
        (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
        &ldap_module);

    LDAP_CACHE_LOCK();
    curnode.url = url;
    curl = (util_url_node_t *)util_ald_cache_fetch(st->util_ldap_cache,
                                                   &curnode);

    char * key = apr_pstrcat(r->pool, dn, "::", attrib, NULL);

    if (curl == NULL) {
        curl = util_ald_create_caches(st, url);
    }
    LDAP_CACHE_UNLOCK();

    if (curl) {
        LDAP_CACHE_LOCK();
        the_search_node.username = key;
        search_nodep = util_ald_cache_fetch(curl->search_cache,
                                            &the_search_node);

        if (search_nodep != NULL) {
            /* found attributes in search cache */

            curtime = apr_time_now();

            if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
                /* ...but entry is too old */
                util_ald_cache_remove(curl->search_cache, search_nodep);
            }
            else {
                /* entry isn't too old, so return the results */
                arr = (char **)(search_nodep->vals);
                LDAP_CACHE_UNLOCK();
                return arr;
            }
        }

        LDAP_CACHE_UNLOCK();
        
    }
    
    /* didn't get hit from cache */
start_over:
    if (failures++ > 10) {
        return arr;
    }
    if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
        return arr;
    }

    /* try do the search */
    filter = apr_pstrcat(st->pool, "objectClass", attrib, NULL);
    if ((result = ldap_search_ext_s(ldc->ldap,
                                    (char *)dn, LDAP_SCOPE_SUBTREE,
                                    filter, (char *)(attrib), 0,
                                    NULL, NULL, NULL, -1, &res))
            == LDAP_SERVER_DOWN)
    {
        ldc->reason = "ldap_search_ext_s() for attribute failed with server down";
        uldap_connection_unbind(ldc);
        goto start_over;
    }

    /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
    if (result != LDAP_SUCCESS) {
        ldc->reason = "ldap_search_ext_s() for attribute failed";
        return arr;
    }

    /*
     * We should have found exactly one entry; to find a different
     * number is an error.
     */
    count = ldap_count_entries(ldc->ldap, res);
    if (count != 1)
    {
        if (count == 0 )
            ldc->reason = "Attribute not found";
        else
            ldc->reason = "Attribute search found multiple records.  This shouldn't happen";
        ldap_msgfree(res);
        return arr;
    }
    else {
        entry = ldap_first_entry(ldc->ldap, res);

        attr = ldap_get_values(ldc->ldap, entry, "objectClass");

        if (attr == NULL) {
            ldc->reason = "ldap_get_values() for objectClass returned NULL";
            return arr;
        }

        if ((attr = ldap_get_values(ldc->ldap, entry, attrib)) == NULL) {
            ldc->reason = "ldap_get_values() for attribute return NULL";
            return arr;
        }

        /* attr has the values */
        if (attr) {
            int k = 0;
            int i = 0;

            while (attr[k++]);
            arr = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
            numvals = k;

            while (attr[i]) {
                char **values;
                int j = 0;
                char *str = NULL;

                values = ldap_get_values(ldc->ldap, entry, attr[i]);
                while (values && values[j]) {
                    str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL)
                              : apr_pstrdup(r->pool, values[j]);
                    j++;
                }
                ldap_value_free(values);
                arr[i] = str;
                i++;
            }
        }

    }

    return arr;
}

/*
 * Does an generic ldap_compare operation. It accepts a cache that it will use
 * to lookup the compare in the cache. We cache two kinds of compares

    APR_REGISTER_OPTIONAL_FN(uldap_connection_find);
    APR_REGISTER_OPTIONAL_FN(uldap_cache_comparedn);
    APR_REGISTER_OPTIONAL_FN(uldap_cache_compare);
    APR_REGISTER_OPTIONAL_FN(uldap_cache_comparedynamicgroup);
    APR_REGISTER_OPTIONAL_FN(uldap_cache_getattributevalues);
    APR_REGISTER_OPTIONAL_FN(uldap_cache_checkuserid);
    APR_REGISTER_OPTIONAL_FN(uldap_cache_getuserdn);
    APR_REGISTER_OPTIONAL_FN(uldap_ssl_supported);

Lines 74-79 Link Here

(-)modules/aaa/mod_authnz_ldap.c (-2 / +126 lines)
74	it's the exact string passed by the HTTP client */	74	it's the exact string passed by the HTTP client */
75		75
76	int secure; /* True if SSL connections are requested */	76	int secure; /* True if SSL connections are requested */
		77
		78	int dynamic_group_lookup; /* True if dynamic group lookups desired */
		79	apr_array_header_t dynamicgroupattr; / List of dynamic group attributes */
77	} authn_ldap_config_t;	80	} authn_ldap_config_t;
78		81
79	typedef struct {	82	typedef struct {
Lines 94-99 Link Here
94	static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find;	97	static APR_OPTIONAL_FN_TYPE(uldap_connection_find) *util_ldap_connection_find;
95	static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn;	98	static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedn) *util_ldap_cache_comparedn;
96	static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare;	99	static APR_OPTIONAL_FN_TYPE(uldap_cache_compare) *util_ldap_cache_compare;
		100	static APR_OPTIONAL_FN_TYPE(uldap_cache_comparedynamicgroup) *util_ldap_cache_comparedynamicgroup;
		101	static APR_OPTIONAL_FN_TYPE(uldap_cache_getattributevalues) *util_ldap_cache_getattributevalues;
97	static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid;	102	static APR_OPTIONAL_FN_TYPE(uldap_cache_checkuserid) *util_ldap_cache_checkuserid;
98	static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn;	103	static APR_OPTIONAL_FN_TYPE(uldap_cache_getuserdn) *util_ldap_cache_getuserdn;
99	static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported;	104	static APR_OPTIONAL_FN_TYPE(uldap_ssl_supported) *util_ldap_ssl_supported;
Lines 287-292 Link Here
287	*/	292	*/
288	sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS,	293	sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS,
289	sizeof(struct mod_auth_ldap_groupattr_entry_t));	294	sizeof(struct mod_auth_ldap_groupattr_entry_t));
		295	sec->dynamicgroupattr = apr_array_make(p, GROUPATTR_MAX_ELTS,
		296	sizeof(struct mod_auth_ldap_groupattr_entry_t));
290		297
291	sec->have_ldap_url = 0;	298	sec->have_ldap_url = 0;
292	sec->url = "";	299	sec->url = "";
Lines 306-311 Link Here
306	sec->user_is_dn = 0;	313	sec->user_is_dn = 0;
307	sec->remote_user_attribute = NULL;	314	sec->remote_user_attribute = NULL;
308	sec->compare_dn_on_server = 0;	315	sec->compare_dn_on_server = 0;
		316
		317	sec->dynamic_group_lookup = 0; /* dynamic group lookup disabled by default */
		318
309		319
310	return sec;	320	return sec;
311	}	321	}
Lines 514-521 Link Here
514	int method_restricted = 0;	524	int method_restricted = 0;
515		525
516	char filtbuf[FILTER_LENGTH];	526	char filtbuf[FILTER_LENGTH];
517	const char *dn = NULL;	527	char *dn = NULL;
518	const char **vals = NULL;	528	char **vals = NULL;
519		529
520	/*	530	/*
521	if (!sec->enabled) {	531	if (!sec->enabled) {
Lines 558-563 Link Here
558	apr_thread_mutex_unlock(sec->lock);	568	apr_thread_mutex_unlock(sec->lock);
559	#endif	569	#endif
560	}	570	}
		571
		572	/*
		573	* If there are no elements in the dynamic group attribute array, populate default
		574	* of "memberURL". This is the same code as above block but for dynamicgroupattr array
		575	*/
		576	if (sec->dynamicgroupattr->nelts == 0) {
		577	struct mod_auth_ldap_groupattr_entry_t *dyngrp;
		578	#if APR_HAS_THREADS
		579	apr_thread_mutex_lock(sec->lock);
		580	#endif
		581	dyngrp = apr_array_push(sec->dynamicgroupattr);
		582	dyngrp->name = "memberURL";
		583	#if APR_HAS_THREADS
		584	apr_thread_mutex_unlock(sec->lock);
		585	#endif
		586	}
561		587
562	if (!reqs_arr) {	588	if (!reqs_arr) {
563	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,	589	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
Lines 738-743 Link Here
738	}	764	}
739	}	765	}
740	}	766	}
		767
		768	/* Regular group membership has failed at this point. Do dynamic group checking if it is enabled */
		769	if (sec->dynamic_group_lookup) {
		770	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
		771	"[%" APR_PID_T_FMT "] auth_ldap_authorise: require group: "
		772	"testing for dynamic group: %s (%s)", getpid(),
		773	sec->group_attrib_is_dn ? req->dn : req->user, t);
		774
		775	for (i = 0; i < sec->dynamicgroupattr->nelts; i++) {
		776	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
		777	"[%" APR_PID_T_FMT "] auth_ldap_authorise: require group: "
		778	"dynamic group attribute %s: %s (%s)", getpid(),
		779	ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
		780
		781	/* first we get all the attribute values for the current dynamic group attribute */
		782	vals = util_ldap_cache_getattributevalues(r, ldc, sec->url, req->dn, ent[i].name);
		783
		784	int key = 0;
		785
		786	/* loop through all found attribute values and do a search */
		787	while (vals[key]) {
		788	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
		789	"[%" APR_PID_T_FMT "] auth_ldap_authorise: require group: "
		790	, getpid());
		791
		792	/* build search filter */
		793	authn_ldap_build_filter(filtbuf, r, req->user, vals[key], sec);
		794	result = util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn,
		795	sec->scope, sec->attributes, filtbuf, &dn, &vals);
		796
		797	if (result == LDAP_SUCCESS) {
		798	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
		799	"[%" APR_PID_T_FMT "] auth_ldap_authorise: checking dn match %s",
		800	getpid(), dn);
		801	result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, dn,
		802	sec->compare_dn_on_server);
		803
		804	}
		805
		806	switch (result) {
		807	case LDAP_COMPARE_TRUE: {
		808
		809	}
		810	case LDAP_FILTER_ERROR: {
		811
		812	}
		813	default: {
		814
		815	}
		816	}
		817
		818	key++;
		819	}
		820
		821	switch (result) {
		822	case LDAP_COMPARE_TRUE: {
		823	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
		824	"[%" APR_PID_T_FMT "] auth_ldap_authorise: require dynamic group: "
		825	"authorisation successful [%s][%s]",
		826	getpid(), ldc->reason, ldap_err2string(result));
		827	return OK;
		828	}
		829	default : {
		830	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
831	"[%" APR_PID_T_FMT "] auth_ldap authorise: require dynamic group: "
832	"authorisation failed [%s][%s]",
833	getpid(), ldc->reason, ldap_err2string(result));
834
835	}
836	}
837	}
838	}
741	}	839	}
742	else if (strcmp(w, "ldap-attribute") == 0) {	840	else if (strcmp(w, "ldap-attribute") == 0) {
743	if (req->dn == NULL \|\| strlen(req->dn) == 0) {	841	if (req->dn == NULL \|\| strlen(req->dn) == 0) {
Lines 1015-1020 Link Here
1015	return NULL;	1113	return NULL;
1016	}	1114	}
1017		1115
		1116	static const char mod_auth_ldap_add_dynamic_group_attribute(cmd_parms cmd, void config, const char arg)
		1117	{
		1118	struct mod_auth_ldap_groupattr_entry_t *new;
		1119
		1120	authn_ldap_config_t *sec = config;
		1121
		1122	if (sec->dynamicgroupattr->nelts > GROUPATTR_MAX_ELTS)
		1123	return "Too many AuthLDAPDynamicGroupAttribute directives";
		1124
		1125	new = apr_array_push(sec->dynamicgroupattr);
		1126	new->name = apr_pstrdup(cmd->pool, arg);
		1127
		1128	return NULL;
		1129	}
		1130
1018	static const char set_charset_config(cmd_parms cmd, void config, const char arg)	1131	static const char set_charset_config(cmd_parms cmd, void config, const char arg)
1019	{	1132	{
1020	ap_set_module_config(cmd->server->module_config, &authnz_ldap_module,	1133	ap_set_module_config(cmd->server->module_config, &authnz_ldap_module,
Lines 1106-1111 Link Here
1106	"Character set conversion configuration file. If omitted, character set"	1219	"Character set conversion configuration file. If omitted, character set"
1107	"conversion is disabled."),	1220	"conversion is disabled."),
1108		1221
		1222	AP_INIT_FLAG("AuthLDAPDynamicGroupLookup", ap_set_flag_slot,
		1223	(void *)APR_OFFSETOF(authn_ldap_config_t, dynamic_group_lookup), OR_AUTHCFG,
		1224	"If set to 'on', auth_ldap will look for dynamic group URI in a group DN "
		1225	"and attempt to see if a user is part of a group defined by that URI "
		1226	"Defaults to 'off'."),
		1227
		1228	AP_INIT_TAKE1("AuthLDAPDynamicGroupAttribute", mod_auth_ldap_add_dynamic_group_attribute, NULL, OR_AUTHCFG,
		1229	"A list of attributes containing dynamic group URIs. Defaults to \"memberURL\"."),
		1230
1109	{NULL}	1231	{NULL}
1110	};	1232	};
1111		1233
Lines 1203-1208 Link Here
1203	util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find);	1325	util_ldap_connection_find = APR_RETRIEVE_OPTIONAL_FN(uldap_connection_find);
1204	util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn);	1326	util_ldap_cache_comparedn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedn);
1205	util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare);	1327	util_ldap_cache_compare = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_compare);
		1328	util_ldap_cache_comparedynamicgroup = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_comparedynamicgroup);
		1329	util_ldap_cache_getattributevalues = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getattributevalues);
1206	util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid);	1330	util_ldap_cache_checkuserid = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_checkuserid);
1207	util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn);	1331	util_ldap_cache_getuserdn = APR_RETRIEVE_OPTIONAL_FN(uldap_cache_getuserdn);
1208	util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported);	1332	util_ldap_ssl_supported = APR_RETRIEVE_OPTIONAL_FN(uldap_ssl_supported);

Lines 217-222 Link Here

(-)modules/aaa/NWGNUauthnzldap (+2 lines)
217	util_ldap_cache_getuserdn \	217	util_ldap_cache_getuserdn \
218	util_ldap_cache_compare \	218	util_ldap_cache_compare \
219	util_ldap_cache_comparedn \	219	util_ldap_cache_comparedn \
		220	util_ldap_cache_comparedynamicgroup \
		221	util_ldap_cache_getattributevalues \
220	@$(APR)/aprlib.imp \	222	@$(APR)/aprlib.imp \
221	@$(NWOS)/httpd.imp \	223	@$(NWOS)/httpd.imp \
222	@libc.imp \	224	@libc.imp \

Lines 140-145 Link Here

(-)include/util_ldap.h (+31 lines)
140		140
141	} util_ldap_state_t;	141	} util_ldap_state_t;
142		142
		143	typedef struct util_ldap_attrvalue_entry_t {
		144	char *value;
		145	} util_ldap_attrvalue_entry_t;
143		146
144	/**	147	/**
145	* Open a connection to an LDAP server	148	* Open a connection to an LDAP server
Lines 248-253 Link Here
248	const char url, const char dn, const char attrib, const char value));	251	const char url, const char dn, const char attrib, const char value));
249		252
250	/**	253	/**
		254	* Checks to see if a DN is part of a dynamic group
		255	* @param r The request record
		256	* @param ldc The LDAP connection being used
		257	* @param url The URL of the LDAP connection - used for deciding which cache to use
		258	* @param dn The DN of the object containing the dynamic group attributes
		259	* @param groupattrib The attribute containing the dynamic group URI's
		260	* @param userattrib The user attribute
		261	* @param base The search base of the connection
		262	* @param scope The search scope of the connection
		263	* @param user The user we are comparing
		264	*/
		265	APR_DECLARE_OPTIONAL_FN(int,uldap_cache_comparedynamicgroup,(request_rec r, util_ldap_connection_t ldc,
		266	const char url, const char dn,
		267	const char *base, int scope,
		268	const char user, const char userdn));
		269
		270	/**
		271	* Returns an array of values for an attribute in a DN
		272	* @param r The request record
		273	* @param ldc The LDAP connection being used
		274	* @param url The URL of the LDAP connection - used for deciding which cache to use
		275	* @param dn The DN of the object containing the attribute
		276	* @param attrib The attrib for which to return values
		277	*/
		278	APR_DECLARE_OPTIONAL_FN(char *, uldap_cache_getattributevalues,(request_rec r, util_ldap_connection_t *ldc,
		279	const char url, const char dn, const char *attrib));
		280
		281	/**
251	* Checks a username/password combination by binding to the LDAP server	282	* Checks a username/password combination by binding to the LDAP server
252	* @param r The request record	283	* @param r The request record
253	* @param ldc The LDAP connection being used.	284	* @param ldc The LDAP connection being used.

Return to bug 38515

Lines 703-708 Link Here

(-)modules/ldap/util_ldap.c (+260 lines)
703		703
704	}	704	}
705		705
		706	static int uldap_cache_comparedynamicgroup(request_rec *r,
		707	util_ldap_connection_t *ldc,
		708	const char url, const char dn,
		709	const char *base, int scope,
		710	const char user, const char userdn)
		711	{
		712
		713	int result = 0;
		714	int failures = 0;
		715	int i;
		716	LDAPMessage *groupResult;
		717	char *groupAttr[] = { "objectClass", "memberURL", NULL};
		718	char *uidAttr[] = { "uid", NULL};
		719	char attr, tmpAttr;
		720	char memberURL[255];
		721	apr_ldap_url_desc_t groupUrl, origUrl;
		722	apr_ldap_err_t *lgroupResult;
		723
		724
		725	start_over:
		726	if (failures++ > 10) {
		727	return result;
		728	}
		729
		730	if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
		731	return result;
		732	}
		733
		734	/* first thing we do is find if the specified group has any memberURL entries */
		735	if ((result = ldap_search_s(ldc->ldap, base, scope, dn,
		736	groupAttr, 0, &groupResult))
		737	== LDAP_SERVER_DOWN) {
		738
		739	ldc->reason = "ldap_search_s() failed with server down";
		740	uldap_connection_unbind(ldc);
		741	goto start_over;
		742	}
		743
		744	ldc->reason = "LDAP search for dynamic group members complete";
		745
		746	if ((result = ldap_count_entries(ldc->ldap, groupResult)) != 1) {
		747	ldc->reason = "LDAP search for dynamic group didn't have 1 result";
		748	ldap_msgfree(groupResult);
		749	return LDAP_COMPARE_FALSE;
		750	}
		751
		752	if ((groupResult = ldap_first_entry(ldc->ldap, groupResult)) == NULL) {
		753	ldc->reason = "ldap_first_entry return NULL";
		754	return LDAP_COMPARE_FALSE;
		755	}
		756
		757	attr = ldap_get_values(ldc->ldap, groupResult, "objectClass");
		758
		759	if (attr = NULL) {
		760	ldc->reason = "ldap_get_values() for objectClass returned NULL";
		761	return LDAP_COMPARE_FALSE;
		762	}
		763
		764	if ((attr = ldap_get_values(ldc->ldap, groupResult, "memberURL")) == NULL) {
		765	ldc->reason = "ldap_get_values() for \"memberURL\" return NULL";
		766	return LDAP_COMPARE_FALSE;
		767	}
		768
		769	tmpAttr = attr;
770	i = 0;
771
772	while (*tmpAttr != NULL) {
773	bzero(memberURL, sizeof(memberURL));
774	strcpy(memberURL, *tmpAttr++);
775
776	/* now, memberURL should be an LDAP URL pointing to a group */
777	if ((result = apr_ldap_url_parse(r->pool,
778	(char *)memberURL,
779	&groupUrl,
780	&lgroupResult))
781	!= APR_SUCCESS)
782	{
783	ldc->reason = "could not parse returned URL";
784	continue;
785	}
786	else {
787	/* we have a good LDAP url, now search to see if the user is there */
788
789	if ((result = ldap_search_s(ldc->ldap, userdn, LDAP_SCOPE_SUBTREE,
790	groupUrl->lud_filter, uidAttr,
791	0, &groupResult))
792	!= LDAP_SUCCESS)
793	{
794	continue;
795	}
796	else {
797	if (ldap_count_entries(ldc->ldap, groupResult) >= 1) {
798	return LDAP_COMPARE_TRUE;
799	}
800	}
801
802	}
803
804
805
806
807	}
808
809	return LDAP_COMPARE_FALSE;
810	}
811
812	char ** uldap_cache_getattributevalues(request_rec r, util_ldap_connection_t ldc,
813	const char url, const char dn,
814	const char *attrib)
815	{
816	char **arr = NULL;
817	char **attr;
818
819	int failures = 0;
820	int result = 0;
821	int count;
822	char *filter = NULL;
823	int numvals = 0;
824
825	LDAPMessage res, entry;
826
827	util_url_node_t *curl;
828	util_url_node_t curnode;
829	util_search_node_t *search_nodep;
830	util_search_node_t the_search_node;
831	apr_time_t curtime;
832
833	util_ldap_state_t *st =
834	(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
835	&ldap_module);
836
837	LDAP_CACHE_LOCK();
838	curnode.url = url;
839	curl = (util_url_node_t *)util_ald_cache_fetch(st->util_ldap_cache,
840	&curnode);
841
842	char * key = apr_pstrcat(r->pool, dn, "::", attrib, NULL);
843
844	if (curl == NULL) {
845	curl = util_ald_create_caches(st, url);
846	}
847	LDAP_CACHE_UNLOCK();
848
849	if (curl) {
850	LDAP_CACHE_LOCK();
851	the_search_node.username = key;
852	search_nodep = util_ald_cache_fetch(curl->search_cache,
853	&the_search_node);
854
855	if (search_nodep != NULL) {
856	/* found attributes in search cache */
857
858	curtime = apr_time_now();
859
860	if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
861	/* ...but entry is too old */
862	util_ald_cache_remove(curl->search_cache, search_nodep);
863	}
864	else {
865	/* entry isn't too old, so return the results */
866	arr = (char **)(search_nodep->vals);
867	LDAP_CACHE_UNLOCK();
868	return arr;
869	}
870	}
871
872	LDAP_CACHE_UNLOCK();
873
874	}
875
876	/* didn't get hit from cache */
877	start_over:
878	if (failures++ > 10) {
879	return arr;
880	}
881	if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
882	return arr;
883	}
884
885	/* try do the search */
886	filter = apr_pstrcat(st->pool, "objectClass", attrib, NULL);
887	if ((result = ldap_search_ext_s(ldc->ldap,
888	(char *)dn, LDAP_SCOPE_SUBTREE,
889	filter, (char *)(attrib), 0,
890	NULL, NULL, NULL, -1, &res))
891	== LDAP_SERVER_DOWN)
892	{
893	ldc->reason = "ldap_search_ext_s() for attribute failed with server down";
894	uldap_connection_unbind(ldc);
895	goto start_over;
896	}
897
898	/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
899	if (result != LDAP_SUCCESS) {
900	ldc->reason = "ldap_search_ext_s() for attribute failed";
901	return arr;
902	}
903
904	/*
905	* We should have found exactly one entry; to find a different
906	* number is an error.
907	*/
908	count = ldap_count_entries(ldc->ldap, res);
909	if (count != 1)
910	{
911	if (count == 0 )
912	ldc->reason = "Attribute not found";
913	else
914	ldc->reason = "Attribute search found multiple records. This shouldn't happen";
915	ldap_msgfree(res);
916	return arr;
917	}
918	else {
919	entry = ldap_first_entry(ldc->ldap, res);
920
921	attr = ldap_get_values(ldc->ldap, entry, "objectClass");
922
923	if (attr == NULL) {
924	ldc->reason = "ldap_get_values() for objectClass returned NULL";
925	return arr;
926	}
927
928	if ((attr = ldap_get_values(ldc->ldap, entry, attrib)) == NULL) {
929	ldc->reason = "ldap_get_values() for attribute return NULL";
930	return arr;
931	}
932
933	/* attr has the values */
934	if (attr) {
935	int k = 0;
936	int i = 0;
937
938	while (attr[k++]);
939	arr = apr_pcalloc(r->pool, sizeof(char ) (k+1));
940	numvals = k;
941
942	while (attr[i]) {
943	char **values;
944	int j = 0;
945	char *str = NULL;
946
947	values = ldap_get_values(ldc->ldap, entry, attr[i]);
948	while (values && values[j]) {
949	str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL)
950	: apr_pstrdup(r->pool, values[j]);
951	j++;
952	}
953	ldap_value_free(values);
954	arr[i] = str;
955	i++;
956	}
957	}
958
959	}
960
961	return arr;
962	}
963
706	/*	964	/*
707	* Does an generic ldap_compare operation. It accepts a cache that it will use	965	* Does an generic ldap_compare operation. It accepts a cache that it will use
708	* to lookup the compare in the cache. We cache two kinds of compares	966	* to lookup the compare in the cache. We cache two kinds of compares
Lines 2099-2104 Link Here
2099	APR_REGISTER_OPTIONAL_FN(uldap_connection_find);	2357	APR_REGISTER_OPTIONAL_FN(uldap_connection_find);
2100	APR_REGISTER_OPTIONAL_FN(uldap_cache_comparedn);	2358	APR_REGISTER_OPTIONAL_FN(uldap_cache_comparedn);
2101	APR_REGISTER_OPTIONAL_FN(uldap_cache_compare);	2359	APR_REGISTER_OPTIONAL_FN(uldap_cache_compare);
		2360	APR_REGISTER_OPTIONAL_FN(uldap_cache_comparedynamicgroup);
		2361	APR_REGISTER_OPTIONAL_FN(uldap_cache_getattributevalues);
2102	APR_REGISTER_OPTIONAL_FN(uldap_cache_checkuserid);	2362	APR_REGISTER_OPTIONAL_FN(uldap_cache_checkuserid);
2103	APR_REGISTER_OPTIONAL_FN(uldap_cache_getuserdn);	2363	APR_REGISTER_OPTIONAL_FN(uldap_cache_getuserdn);
2104	APR_REGISTER_OPTIONAL_FN(uldap_ssl_supported);	2364	APR_REGISTER_OPTIONAL_FN(uldap_ssl_supported);